The already high number of organisations paying out following ransomware attacks is increasing. This continuing spike has prompted the UK’s Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) to ask solicitors in Britain to remind the clients they serve that giving in to the demands of ransomware gangs will not keep their confidential data safe.
A joint letter on ransomware
Recently, the ICO and the NCSC sent a joint letter to The Law Society (the official association for English and Welsh solicitors), confirming the increase in ransomware payments. It added that in certain cases, UK solicitors had advised their clients to give in to demands and pay operators, believing that the data would remain safe or result in the firm facing a lower penalty from regulators.
The joint letter stated:
“In recent months, we have seen an increase in the number of ransomware attacks and ransom amounts being paid and we are aware that legal advisers are often retained to advise clients who have fallen victim to ransomware on how to respond and whether to pay. It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case.”
Both the NCSC and the ICO warned that making ransomware payments is not a condoned practice, and that doing so also encourages cybercriminals to carry out further ransomware attacks.
Payment is no defence against a breach
The letter from the two entities also reminded law firms that paying the ransom demanded is no guarantee that stolen data will be safely returned. Even when a key to decrypt the data is handed over in return for payment, it may not work. Furthermore, there is no guarantee a ransomware gang will keep its word and destroy stolen data when it has been taken in a ‘double extortion’ attack designed to put pressure on victims and extract a payment.
NCSC CEO Lindy Cameron commented that ransomware is currently the greatest online threat in the UK. She said that the NCSC does not condone or encourage enterprises paying the ransom demands of criminal organisations. She stated that despite this stance there had been a rise in payments, and urged the UK’s legal sector to play an important role in reversing this trend.
She added that cybersecurity is a collective effort and urged the sector to work with the ICO and NCSC as they continue their efforts to combat ransomware and ensure UK enterprises and individuals stay safe online.
The ICO added a warning that making a ransom payment to try to retrieve data will not reduce any financial penalty an organisation faces. Under the UK’s General Data Protection Regulation, businesses that have taken insufficient measures to protect the information they store will still face heavy fines if this results in that data being leaked or compromised.