With ransomware now one of the predominant threats to business, a question we're often asked during an engagement is whether or not to pay the ransom. If the business's backups have been encrypted, the pressure to pay increases, just so the business can return to normal as quickly as possible. In a recent engagement, the client went to restore from backup only to find there weren't any backups and never had been. While they thought that was covered in the agreement, it seems that option hadn't been chosen when the MSP was originally engaged, and the issue had never been raised.
Does insurance cover the ransom payment? Our experience is that the ransom payment would probably be covered under a cyber insurance policy, but if the business expects the policy to cover the payment, that should be checked with the insurer before any payment is made. Cyber insurance may also cover the cost of the investigation.
Is the ransom payment legal? While I have heard comments in the past that making a ransom payment could be considered a criminal act under the Commonwealth Crimes Act (making payments to a sanctioned entity) or an offence under the money laundering legislation, I personally don't think that legislation applies to the scenario where a business pays a ransom to get a decryption key. Clearly, I am not a lawyer, so if that is ever a concern, a professional legal opinion should be sought.
What is a sanctions list? There are many different sanctions lists, which detail the entities, individuals and countries that you are prohibited from making any payment to. If the threat actor that has encrypted your systems is listed or comes from a listed country, making a payment to them is prohibited, and this may impact on your insurance cover, as insurers are required to determine whether any ransom is paid to (or demanded by) sanctioned entities.
I want to pay the ransom. If the business has no other option than to pay the ransom, how do they actually do that? Once the decision is made that there is no other option, we can engage with the threat actor on behalf of the business and initiate negotiations. We can also provide advice about whether payment is the best option, investigate alternative recovery options, liaise with insurance providers/underwriters on your behalf and ensure the integrity of any returned data.
In our next ransomware blog article, we'll talk about the most common threat vector (entry point) used in ransomware attacks.
Feel free to contact us if you would like any further information.