
To pay or not to pay: Criminal law considerations for companies facing ransomware attacks

  • United Kingdom
  • Financial services disputes and investigations
  • Sanctions

28-03-2022

Ransomware is big business for cybercriminals. These attacks – in which malicious software (or ‘malware’) is used to block access to victims’ computer systems or data to extort ransom payments for its decryption or restoration – cost victims approximately USD 20 billion globally during 2021.[1] The UK and US recorded increases of 227% (totalling 33.5 million incidents) and 98% (totalling 421.5 million incidents) respectively from 2020 to 2021.[2] Continuing geopolitical volatility is likely to mean that ransomware attacks will remain a clear and present threat.

Victims of ransomware attacks face an unenviable choice. Those without appropriate data backups in place risk the permanent loss of sensitive information but have no guarantee of decryption after paying the ransom demanded. Likewise, there is no assurance that threat actors will not sell or otherwise disclose the stolen data; in fact, ‘double extortion’ demands are increasingly common. Notwithstanding these risks, in 2021 more than 80% of UK-based victims of ransomware made at least one ransom payment.[3]

In the US and UK, paying a ransom is not illegal in itself. However, deciding how to respond to a ransomware demand requires weighing not only commercial factors (which may on occasion be existential for the business concerned) but also whether making a payment may itself breach the criminal law. No two incidents are the same, and businesses should always receive specific advice on these points based on the facts. There are three key areas of concern.

1. Sanctions

It is an offence for any UK person (including UK-based companies) to make funds available to persons listed on the designated list of sanctioned individuals and entities published by the Office of Financial Sanctions Implementation. Similar prohibitions apply to EU persons regarding the European Sanctions List for Cybercriminals.

A complicating factor in cases involving ransomware attacks is that victims considering paying ransoms will not know who they are dealing with. Threat actors go to great lengths to hide their identity and typically demand payment in cryptocurrencies.

In the UK, no offence is committed where the paying party lacks knowledge or reasonable cause to suspect that funds would be advanced to a designated person. Conducting due diligence (to the extent possible) before making payments and updating checks based on information emerging during negotiations helps to mitigate risk in this area.

The US Office of Foreign Assets Control (“OFAC”) has issued multiple ransomware advisories warning companies that ransom payments may violate US sanctions regulations. OFAC has signaled that it will view companies’ efforts to implement blocking controls and measures to prevent cyberattacks in the first place as a significant mitigating factor in any OFAC enforcement response to a ransomware payment that violates US sanctions.

2. Money laundering

UK-based victims also need to consider the broadly drafted money laundering offences under the Proceeds of Crime Act 2002.[4] Legitimate funds will become tainted by criminality (and therefore “criminal property”) upon reaching the hands of cybercriminals. Enforcement action from prosecutors in the UK against parties making ransom payments is relatively unlikely. However, many victims of attacks (and their directors) will be cautious about the prospect of even theoretical criminal liability (for example, through secondary participation in money laundering offences committed by threat actors). Where sufficient detail is known about the nature of proposed payments, it may be appropriate to address such concerns by exploring the possibility of obtaining a defence against money laundering by filing a suspicious activity report (“SAR”) with the UK’s National Crime Agency (“NCA”).

3. Terrorist financing

As above, the paucity of available detail about the identities and motivations of threat actors may mean that terrorism financing offences are not engaged.[5] However, there is a realistic prospect that some threat actors will have non-financial or mixed motives. Making payments to such actors knowing or having reasonable cause to suspect that the payment will or may be used for terrorist purposes is a criminal offence in the UK. Before making payments, victims should consider whether it may be necessary to file a SAR with the NCA (which is in a slightly different form to that used for anti-money laundering concerns). Reporting duties will also continue after ransom payments are made.[6]


1. Forbes, ‘Cybersecurity in 2022 – A Fresh Look at Some Very Alarming Stats’ (21 January 2022).

2. Sonicwall, ‘Cyber Threat Report 2022’ (17 February 2022).

3. Proofpoint, ‘2022 State of the Phish Threat Report’ (22 February 2022).

4. The most relevant offence in most cases involving ransomware payments will be the offence of being concerned in an arrangement facilitating the retention, acquisition or use of criminal property by another person (Proceeds of Crime Act 2002, section 328(1)).

5. See, for example, Terrorism Act 2000, section 15(3)(b) and Terrorism Act 2000, section 1(1).

6. Terrorism Act 2000, section 19(2).

7. Hiscox, ‘Cyber Readiness Report 2021: Don’t let cyber be a game of chance’ (15 April 2021).