What you need to know about the new NCSC ransomware guidance


The National Cyber Security Centre (NCSC) has teamed up with insurance bodies to try to reduce the amount being paid by ransomware victims.

Concerned that too many organizations are paying ransoms, the NCSC, along with GCHQ and the Association of British Insurers (ABI), British Insurance Brokers’ Association (BIBA) and International Underwriting Association (IUA), said they want their guidance to help victims make informed decisions.

Considerations include the thorough assessment of business impact, reporting protocols, and where to access sources of support.

"The NCSC does not encourage, endorse or condone paying ransoms, and it’s a dangerous misconception that doing so will make an incident go away or free victims of any future headaches. In fact, every ransom that is paid signals to criminals that these attacks bear fruit and are worth doing," said NCSC CEO Felicity Oswald.

"This cross-sector initiative is an excellent next step in foiling the ransom business model: we’re proud to support work that will see cyber criminals’ wallets emptier and UK organizations more resilient."

Ransomware remains the biggest day-to-day cyber security threat to UK organizations, and the number of attacks is rising, the agency warned. Paying a ransom doesn't guarantee the end of an incident nor the removal of malicious software from victims’ systems.

However, it does provide incentives for criminals to continue and expand their activities. Even following payments, cyber criminal groups will lie about having deleted the data, the guidance points out.

The NCSC advises reviewing all the options - including not paying, keeping careful records of decision-making, and where possible consulting experts as well as staff.

Victims should assess the impact on business operations and data, as well as the financial implications, and should investigate the root cause of the incident to avoid a repeat attack.

If organizations do pay up, they should make sure it's legal to do so, and should be aware that paying a ransom does not fulfill their regulatory obligations. Similarly, they must make sure they report the incident to the authorities.

NCSC guidance welcomed by industry

Helen Dalziel, IUA director of public policy, said that the payment of ransoms in response to cyber attacks is on a downward trend globally.

"Businesses are realizing that there are alternative options and this guidance further illustrates how firms can improve their operational resilience to resist criminal demands," she commented.

Raghu Nandakumara, head of industry solutions at security firm Illumio, said he welcomes the advice, adding he'd like to see more guidance to help businesses build resilience and contain attacks.

"More often than not, recovery plans are inadequate or have not been properly tested, which makes them unviable when a real incident does occur. As a result, organizations are left with no choice but to pay the ransom to restore operations and productivity levels as quickly as possible," he said.

"The NCSC should encourage businesses to adopt an ‘assume attack’ mindset. This is not admitting defeat - instead it focuses on preparing to respond effectively to a cyber incident and building resilience."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.