The National Cyber Security Centre has joined forces with three major UK insurance associations to release new guidance designed to help reduce ransom payments made by victims of cyber crime.
The guidance sets out best practice and gives recommendations that can help businesses and other organisations make informed decisions when they are faced with ransomware. Following this guidance should help to minimise disruption and the cost of an incident.
Ransomware is popular with cyber criminals and the number of attacks on UK businesses continues to increase, making ransomware the key cyber threat facing UK businesses and organisations.
Ransomware involves a criminal or criminal group accessing a computer network and using malware to encrypt files and prevent access to data and devices. The criminals then demand a ransom for a decryption key that will decrypt the files and restore the system.
NCSC and law enforcement partners discourage paying ransoms, since payment doesn’t guarantee the end of an incident. Even years later, the attacker may come back with a threat to publish or sell stolen data. Paying ransoms also gives criminals an incentive to continue and even expand ransomware attacks.
The guidance highlights the following things to consider in the event of an attack.
- Don’t panic – slowing down to review the options can improve decision making and improve the outcome.
- Review the alternatives, including not paying – backups or other ways to recover systems and data may be available. Law enforcement also make decryption keys freely available.
- Record your decision-making.
- Where possible, consult experts – insurers, the NCSC, police and cyber incident response companies can help you make good decisions.
- Involve the right people across the organisation in decisions, including technical staff – make sure the options aren’t presented prematurely; look at all the available evidence first.
- Assess the impact – there’s no guarantee that paying a ransom will secure data, so consider what you need to do about stolen data, including reporting it to the Information Commissioner’s Office (ICO).
- Investigate the root cause of the incident to avoid a repeat attack.
- Be aware that payment does not guarantee access to your devices or data.
- Consider the correct legal and regulatory practice around payment – ransom payments may not be lawful.
- Know that paying a ransom does not fulfil your regulatory obligations – the ICO would not reduce the amount of any penalty if a business had paid a ransom but not fulfilled any reporting obligations.
- Report the incident to UK authorities.
To read the guidance in full, see: https://www.ncsc.gov.uk/guidance/organisations-considering-payment-in-ransomware-incidents