UK warns Lawyers through letters, not to advise ransomware payments

In a letter addressed to the lawyers dated July 7, 2022, the UK’s National Cyber Security Center (NCSC) and the Information Commissioner’s Office (ICO), have warned lawyers not to advise ransomware payments.

The letter states, “Law Enforcement does not encourage, endorse nor condone the payment of ransoms. While payments are not usually unlawful, payers should be mindful of how relevant sanctions regimes (particularly those related to Russia) – and their associated public guidance – may change that position.”

According to Security Week, the implicit warning is that sanctions against Russia could technically make payment of a ransom to a Russian cyber gang effectively if not actually illegal. Ignorance of the attackers’ nationality would be a dangerous tactic, since the NCSC specifically states that NCSC is part of GCHQ – and GCHQ, like the NSA, would know.

The warning will only apply to companies with a preference in the UK- but other countries handling current sanctions against Russia might take similar action.

The second warning refers to the UK data protection regulator, the ICO. In setting up regulatory fines, the ICO will usually consider actions taken to reduce the risk of harm to individuals involved in a data breach.

“Given the international nature of GDPR and the UK’s current implementation of the UK GDPR, this would also apply to North American and other countries’ companies who pay a ransom to recover stolen European PII,” a source as per Security Week.