Ransomware attack: Can we negotiate with cybercriminals?
An endemic phenomenon with exponential growth
Ransomware [1] has become a major threat affecting all sectors of activity and can cause considerable damage of many kinds (operating loss, data and financial loss, liability claims, loss of customers, loss of business, reputational damage, administrative sanctions, etc.).
[1] According to ANSSI, ransomware is defined as a “common cybercrime attack technique [consisting] of sending to the victim malicious software which encrypts all of their data and demands them a ransom in exchange for the decryption password”.
Local authorities and public bodies are not spared, especially the health sector. Recent attacks targeting hospitals in Dax and Villefranche-sur-Saône in France, in February 2021, were particularly harmful because they impacted the administration of healthcare services. In response to this growing threat, the French Government announced last February the implementation of a national plan to strengthen cybersecurity, which will call for nearly one billion euros.
In its report of 1 March 2021 on the state of the ransomware threat, [2] the National Information Systems Security Agency (“ANSSI”) confirms the increasing trend in these attacks. In 2020, a 255% increase in ransomware attacks was reported compared to 2019.
[2] State of the ransomware threat, ANSSI report, March 1st, 2021, page 3
In recent years, an ecosystem facilitating the implementation of cyberattacks by criminal groups has emerged, leading to the industrialisation of these illegal activities. This ecosystem, known as ransomware-as-a-service (“RaaS”), gives access to all the services and tools needed to carry out attacks. One of the most common ransomwares, Jigsaw, can be purchased on specialised platforms for as little as USD 3,000. [3]
[3] Ibid., p. 15
This upsurge in attacks, their sophistication and the high costs of remediation sometimes lead victims to pay the ransom demanded by criminals (nearly 33% according to a recent study). [4]
[4] State of the Phish 2020, Proofpoint
The ransom amounts (which are constantly increasing) vary depending on the type of ransomware used and the identity of the victim. On average, they range between USD 200,000 and USD 10m. [5]
[5] State of the ransomware threat, ANSSI report, March 1st, 2021, page 3
The ransom is usually paid in virtual currency, more specifically in Bitcoins through crypto-asset exchange platforms.
The decision on whether to pay the ransom must be thoroughly examined, both from the technical and legal perspective. This decision may worsen the consequences of the attack.
The risk of breaking the anti-money laundering and terrorism financing rules
Under French law, no legal text formally prohibits the payment of a ransom in the event of a ransomware attack. However, although the typology of attackers is very diversified and obscure, some attacks can be sponsored by terrorist organisations or by individuals designated on international sanction lists.
Paying a ransom, or helping to pay it, to these groups, therefore, exposes the victim to potential criminal and administrative charges for the financing of terrorism or money laundering.
Article 421-2-2 of the French Criminal Code punishes in particular the financing of terrorism, and as such provides that “It is also an act of terrorism to finance a terrorist enterprise, by providing, collecting or managing any funds, securities or property or by giving advice for that purpose, with the intention of seeing such funds, securities or property used or with the knowledge that they are intended to be used, in whole or in part, for the purpose of committing any of the acts of terrorism provided in this chapter, regardless of the possible occurrence of such an act”.
When it comes to money laundering, article 324-1 of the French Criminal Code also punishes “the fact of facilitating, by any means, the false justification of the origin of properties or incomes of the perpetrator of a crime or of an offense having given him a direct or indirect profit”.
Committing these acts is punishable by up to ten years' imprisonment and fines of up to EUR 1,875,000 for companies. [6]
[6] Article 324-1 of the Criminal Code; article 421-5 of the Criminal Code.
Companies subject to the anti-money laundering and terrorism financing obligations provided for by the Monetary and Financial Code also incur administrative sanctions of a maximum amount of EUR 100m or 10% of their turnover. [7]
[7] Article L. 612-39 of the Monetary and Financial Code
Strengthening European and international sanctions on cybercrime
On 30 July 2020, the European Council imposed, for the first time, restrictive measures against six individuals and three entities responsible for, or having taken part in, several cyberattacks. [8]
[8] Council Decision (CFSP) 2020/1127 of 30 July 2020 amending Decision (CFSP) 2019/797 concerning restrictive measures against cyber-attacks threatening the Union or its Member States
The sanctions imposed included the freezing of assets but also a prohibition on European Union (“EU”) individuals and entities from making funds available to individuals and entities on this list.
Also at the European level, the Sixth Anti-Money Laundering and Terrorism Financing Directive [9] now expressly includes cybercrime in the list of criminal activities as part of the money laundering offence. As a result, legal individuals themselves become punishable and can be considered as accomplices of the perpetrators of money laundering, such as payment platforms, intermediaries, or even certain providers or insurance companies involved in the payment of the ransom.
[9] Directive (EU) 2018/1673 of 23 October 2018 aiming to fight money laundering by means of criminal law
The European Union thus seems to be gradually hardening its fight against cyberattacks.
In the United States, the Office of Foreign Assets Control (“OFAC”), an agency under the Department of the Treasury, issued on 1 October 2020 a notice on the risks of sanctions relating to the payment of ransoms linked to cybercrime activities.
OFAC pointed out that victims of ransomware who pay the ransom or companies that facilitate those payments will be sanctioned, especially if those payments were made to the benefit of groups of attackers subject to US sanctions.
Changes in the legislation to fight against the financing of terrorism and money laundering must therefore encourage organisations that become victims of cyberattacks to take these legal aspects into account in their decision-making process regarding the payment of the ransom, despite the difficulties inherent in identifying the perpetrators of cyberattacks.
Ransom payment and "cyber" insurance
Some companies use “cyber” insurance to cover losses caused by ransomware and sometimes even ransom payments.
If covering losses caused by such attacks does not raise any legal issues, the payment of a ransom is likely to be considered contrary to public order since it contributes to the financing of a criminal act, in violation of Article 1162 of the French Civil Code.
Companies using these insurances must therefore be vigilant both when underwriting these insurance policies and during their implementation.
An interest sometimes limited in recovering the information system
Paying the ransom does not always guarantee that the organisation will recover all its data and its system. This payment may further compromise the system, for example if downloading the decryption key to restore access to the data is accompanied by the installation of a remote-controlled malware.
Paying the ransom, especially in the absence of the identification of the security vulnerabilities that gave rise to the attack, also does not guarantee that the attack will not be repeated.
Beyond these technical aspects, the payment of a ransom is considered by the authorities, including the ANSSI, as contributing to the increase and persistence of these criminal practices.
The entity facing a cyberattack must therefore carry out a thorough examination of any possible ransom payment, in order to understand the legal and ethical risks incurred and, above all, whether such risk-taking is appropriate in view of the outcome of the crisis it is facing.
Article published in French in Option Finance on 19/04/2021