Evening Standard
Technology
Chris Stokel-Walker

Hostage to hackers: Can the war against ransomware be won?

Ransomware is big business. Companies affected by hackers, who lock up victims’ data and demand a payment to unlock it, paid out some £650 million to cybercriminals last year.

Hackers continue to launch attacks indiscriminately — affecting companies from Co-op to Marks & Spencer, which are only just scrambling back to normality after suffering extraordinarily debilitating attacks earlier in the year.

The Government has decided that allowing organisations to continue to pay up is only encouraging criminals to launch more attacks — so has announced plans to ban public sector organisations from paying ransoms.

Private companies would also be compelled to tell the Government if they intend to pay a ransom, allowing Whitehall to veto such payments if they believe the proceeds would end up in countries the UK has sanctioned, including Russia. Around three-quarters of ransomware attacks are thought to originate in Russia, according to analysis by the US Treasury. It’s not yet clear when the ban would come into force.

“Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on,” says Security Minister Dan Jarvis. “That’s why we’re determined to smash the cybercriminal business model.”

In 2021, retailer FatFace paid a £1.5m ransom to hackers who locked up its systems, while Caesars Entertainment paid $15m to hackers who brought Las Vegas casinos to a crawl. Both are cheap compared to the cost to businesses: M&S, which hasn’t paid a ransom to hackers who brought its trading to a virtual halt, has said the attack will cost it £300m through lost trade.

Because the scale of ransomware has become so significant, the Government’s move is a good one – though not necessarily because it will deter the criminals, reckon experts. “The proposed ban on public sector bodies paying ransoms is not surprising,” says Gareth Oldale, partner and head of data privacy and cybersecurity at law firm TLT. “The move to requiring private sector bodies to notify government if they intend to pay a ransom, however, does take this one step further and is perhaps more likely to raise eyebrows across industry.”

Alan Woodward, professor of cybersecurity at the University of Surrey, agrees. “The rules about public sector don’t really change anything in practice,” he says. “They don’t pay as a matter of policy.” Where there is a difference is in the private sector having to consult with government and gain permission to pay up — an indication of quite how large the potential proceeds of such attacks have become.

Oldale points out that when companies fall victim to such attacks, and are faced with paying a ransom to minimise the level of disruption to their clients, their business and their reputation, many choose to pay up as the easier way out. “If the discretion for organisations to make that choice is reduced, boards will need to think differently about how to respond in these often devastating and business-critical scenarios,” he says.

It’s how businesses will react to the new rules that could make the real difference in tamping down criminals’ ability to hack us all. If an organisation is unable to take the “easy” option of paying up anymore, then it compels them to think — and spend — more on preventing such attacks happening in the first place. Tighter security could make hackers less effective.

“By undermining the criminals’ business model, it should help to dissuade them from attacking,” says Woodward. “I suspect they’ll still try but hopefully over time it will at least stop the inexorable rise.”
