Cyberattack: when paying the ransom does more harm than good…

The French Cybersecurity Agency has published a report on cyberthreats in France, discouraging the victims of a ransomware attack from paying the ransom.

10 June 2021

Publication

In the event of a ransomware attack, paying the ransom is often seen as the best and quickest option to recover the data.

Appointing an IT expert to perform forensic investigations and assess whether the data can be recovered without the attacker's help is often a lengthy and cumbersome process, in particular if the data were not properly backed up.

However, paying the ransom does not necessarily mean that the threat will be eliminated and the data will be successfully recovered.

The ANSSI pointed out in its report of March 2021 (ANSSI, Etat de la menace rançongiciel, 1 March 2021, pages 12-13) that paying the ransom does not guarantee that:

  • the attacker is no longer present in the IT systems. It will therefore still be necessary to perform forensic investigations and implement appropriate recovery measures to clean, secure and monitor the systems in order to prevent further attacks;
  • the attacker will provide a working decryption key. In some cases, the decryption tool provided by the attackers is unreliable and does not allow the data to be effectively decrypted;
  • the data exfiltrated by the attacker will never be shared or disclosed to the public.

A report published by Sophos in May 2021 notes that only 8% of the companies which paid the ransom recovered all of their data. On average, companies which paid the ransom recovered around 65% of their data, and 29% recovered no more than half of it.

In addition, paying the ransom does not protect against further attacks (whether by the same attackers or by others). A survey published by Sophos in January 2018 found that companies hit by ransomware were subject to two ransomware attacks per year on average.

The ANSSI also highlights in its 2021 report that cyber insurance policies which cover the payment of the ransom contribute to the profitability of the ransomware business model: the amount spent by the attackers to mount the attack is generally far lower than the amount of the ransom (ANSSI, Etat de la menace rançongiciel, 1 March 2021, pages 12-13). The ANSSI notes that some attacks may specifically target companies which have purchased a cyber insurance policy (ANSSI, Etat de la menace rançongiciel, 1 March 2021, pages 12-13).

As a warning, the ANSSI reminds victims that paying a ransom may be prohibited under the provisions on money laundering (French Criminal Code, Article 324-1) and on the financing of terrorism (French Criminal Code, Article 421-2-2) (ANSSI, Etat de la menace rançongiciel, 1 March 2021, pages 12-13). French criminal law punishes these offences with up to ten years' imprisonment and, for companies, fines of up to EUR 1 875 000. In addition, companies subject to AML/CFT obligations under the French Monetary and Financial Code are also exposed to administrative sanctions, i.e. a fine of up to EUR 100 million or 10% of their annual turnover (French Monetary and Financial Code, Article L. 612-39).

At European level, the sixth anti-money laundering directive (Directive (EU) 2018/1673) includes cybercrime in the list of criminal activities which constitute predicate offences for money laundering. This text facilitates the prosecution of individuals and businesses involved in cybercrime used to launder money. It is relevant for intermediaries which facilitate the payment of ransoms (such as the providers of online payment services used to make the payment) and for any individual or legal entity whose conduct amounts to aiding and abetting cybercrime.

At a recent hearing before the French Senate, the Deputy Public Prosecutor in Paris responsible for cybercrime matters stated that victims of cybercrime in France should stop paying ransoms, in particular because attackers are aware of the tendency of French victims to pay. According to the Deputy Public Prosecutor, paying the ransom contributes to the development of illegal activities and criminal organisations, including terrorist groups.

At the same hearing, the Director of the ANSSI called on organisations targeted by cyberattacks to state publicly that they will not pay the ransom, drawing on the lessons learned from public hospitals and municipalities in the United States.

The recommendation of the French authorities in the event of a ransomware attack is therefore to refrain from paying the ransom and to file a criminal complaint so that the authorities can investigate the origin of the attack.

However, the length of criminal investigations and proceedings, as well as the lack of international cooperation at global level, remain obstacles to an effective fight against cybercrime.

It is worth remembering that paying a ransom rarely spares the victim of a cyberattack the cost of fully restoring its systems, completing the necessary legal formalities, organising its external communications and, possibly, paying fines for breach of the rules against money laundering or the financing of terrorism, in addition to the operating losses suffered as a direct result of the incident.

According to the 2020 edition of IBM's Cost of a Data Breach report, the average cost of a data breach worldwide is $3.86 million. This figure covers four cost centres: (i) detection and escalation, (ii) lost business, (iii) notification of authorities, data subjects and third parties, and (iv) post-breach response.

That is why public authorities encourage companies to take their IT security seriously. In France, the ANSSI has published a guide on "IT hygiene" (Guide d'hygiène informatique) which sets out the essential security rules that all companies should implement to ensure a sufficient level of security for their IT systems and tools and the confidentiality of their data.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.