In a letter addressed to legal professionals the British National Cyber Security Center (NCSC) explained that although the legal framework in the UK does not outright prohibit paying ransomware, the British government does not endorse or condone it either, and payers and the legal advisers advising them on this matter should be mindful of the possibility that certain sanctions regimes (specifically, those related to Russia) may render those payments unlawful.
According to the NCSC, recent months brought an increase both in the number of ransomware cases and in the amounts paid as ransom, likely due to legal advisers’ tendency to advise for the payment of ransom, believing that such payment may protect the stolen data or result in a lower penalty by the British privacy regulator (the ICO).
The NCSC clarified that such belief is incorrect, because ransom payments may be illegal, and incentivize subsequent attacks and malicious behavior. The NCSC’s letter further clarifies that ransom payments to attackers are not considered a risk-mitigating measure, and will not reduce the amounts of fines the ICO may impose.
CLICK HERE to read the NCSC’s letter on the legal profession and its role in supporting a safer UK online.