An endemic phenomenon with exponential growth

Ransomware [1] has become a major threat affecting every sector of activity and can cause considerable damage of many kinds (operating losses, data and financial loss, liability claims, loss of customers, loss of business, reputational damage, administrative sanctions, etc.).

Local authorities and public bodies are not spared, and the health sector in particular. The attacks targeting the hospitals of Dax and Villefranche-sur-Saône in France in February 2021 were especially harmful because they disrupted the delivery of healthcare services. In response to this growing threat, the French Government announced in February 2021 a national plan to strengthen cybersecurity, with funding of nearly one billion euros.

In its report of 1 March 2021 on the state of the ransomware threat [2], the French National Information Systems Security Agency (“ANSSI”) confirms the upward trend in these attacks: it reported a 255% increase in ransomware attacks in 2020 compared with 2019.

In recent years, an ecosystem has emerged that makes it easier for criminal groups to mount cyberattacks, leading to the industrialisation of these illegal activities. Ransomware-as-a-service (“RaaS”) gives affiliates access to all the services and tools needed to carry out an attack. One of the most common ransomware families, Jigsaw, can be purchased on specialised platforms for as little as USD 3,000 [3].

This upsurge in attacks, their sophistication and the high cost of remediation sometimes lead victims to pay the ransom demanded by the criminals (nearly 33% of them according to a recent study [4]). Ransom amounts, which are constantly increasing, vary with the ransomware family used and the identity of the victim, and average between USD 200,000 and USD 10m [5]. The ransom is usually paid in cryptocurrency, most often Bitcoin, through crypto-asset exchange platforms.

The decision whether to pay the ransom must be examined thoroughly, from both a technical and a legal perspective: paying may worsen the consequences of the attack.

The risk of breaching anti-money laundering and counter-terrorist financing rules

Under French law, no legal text formally prohibits paying a ransom after a ransomware attack. However, although the attackers are diverse and often unidentified, some attacks may be sponsored by terrorist organisations or by individuals designated on international sanctions lists.

Paying a ransom to such groups, or helping to pay it, therefore exposes the victim to potential criminal and administrative liability for the financing of terrorism or money laundering.

Article 421-2-2 of the French Criminal Code punishes in particular the financing of terrorism, and as such provides that “It is also an act of terrorism to finance a terrorist enterprise, by providing, collecting or managing any funds, securities or property or by giving advice for that purpose, with the intention of seeing such funds, securities or property used or with the knowledge that they are intended to be used, in whole or in part, for the purpose of committing any of the acts of terrorism provided in this chapter, regardless of the possible occurrence of such an act”.

As regards money laundering, article 324-1 of the French Criminal Code also punishes "the fact of facilitating, by any means, the false justification of the origin of the property or income of the perpetrator of a crime or of an offence having given him a direct or indirect profit”.

These offences carry up to ten years' imprisonment and, for legal persons such as companies, fines of up to EUR 1,875,000 [6].

Companies subject to the anti-money laundering and counter-terrorist financing obligations of the Monetary and Financial Code also face administrative sanctions of up to EUR 100m or 10% of their turnover [7].

Strengthening of European and international sanctions against cybercrime

On 30 July 2020, the Council of the European Union imposed, for the first time, restrictive measures against six individuals and three entities responsible for, or involved in, several cyberattacks [8]. The sanctions include an asset freeze and a prohibition on European Union (“EU”) persons and entities making funds available to the listed individuals and entities.

Also at the European level, the Sixth Anti-Money Laundering Directive [9] now expressly includes cybercrime in the list of criminal activities constituting predicate offences for money laundering. As a result, legal persons themselves, such as payment platforms, intermediaries, or even certain service providers or insurers involved in paying the ransom, may be held liable as accomplices to money laundering.

The European Union thus appears to be gradually hardening its response to cyberattacks.

In the United States, the Office of Foreign Assets Control (“OFAC”), an agency of the Department of the Treasury, issued an advisory on 1 October 2020 on the sanctions risks associated with ransomware payments.

OFAC pointed out that ransomware victims who pay a ransom, and companies that facilitate those payments, may be sanctioned, in particular where the payments benefit attacker groups subject to US sanctions.

These changes in the legislation against terrorist financing and money laundering should therefore prompt organisations that fall victim to a cyberattack to take the legal aspects into account when deciding whether to pay a ransom, despite the inherent difficulty of identifying the perpetrators of cyberattacks.

Ransom payment and "cyber" insurance

Some companies use “cyber” insurance to cover losses caused by ransomware and sometimes even ransom payments.

While covering losses caused by such attacks raises no legal issue, reimbursement of a ransom is likely to be considered contrary to public policy, since it contributes to financing a criminal act, and therefore void under Article 1162 of the French Civil Code.

Companies relying on such insurance must therefore be vigilant both when taking out the policy and when invoking it.

A sometimes limited benefit for recovering the information system

Paying the ransom does not guarantee that the organisation will recover all of its data and systems. Payment may even compromise the system further, for example if downloading the decryption key or tool to restore access to the data comes bundled with remotely controlled malware (a backdoor). Any decryptor supplied by the attacker should therefore be treated as untrusted and analysed in an isolated environment before it is run on production systems.

Nor does paying the ransom guarantee that the attack will not recur, especially if the security vulnerabilities or initial access vector that made it possible have not been identified and remediated.

Beyond these technical aspects, the authorities, including ANSSI, consider that paying a ransom contributes to the growth and persistence of these criminal practices.

An entity facing a cyberattack must therefore examine the possible payment of a ransom thoroughly, in order to assess the legal and ethical risks involved and, above all, whether taking those risks is warranted given the expected outcome of the crisis it is facing.

Article published in Option Finance on 19/04/2021

[1] ANSSI defines ransomware as a "common cybercrime attack technique [consisting] of sending the victim malicious software which encrypts all of their data and demands a ransom from them in exchange for the decryption password”.

[2] ANSSI, State of the ransomware threat, report of 1 March 2021, p. 3

[3] Ibid, p. 15

[4] Proofpoint, State of the Phish 2020

[5] ANSSI, State of the ransomware threat, report of 1 March 2021, p. 3

[6] Articles 324-1 and 421-5 of the French Criminal Code

[7] Article L. 612-39 of the French Monetary and Financial Code

[8] Council Decision (CFSP) 2020/1127 of 30 July 2020 amending Decision (CFSP) 2019/797 concerning restrictive measures against cyber-attacks threatening the Union or its Member States

[9] Directive (EU) 2018/1673 of 23 October 2018 on combating money laundering by criminal law

Related people

Anne-Laure Villedieu
Maxime Hanriot