In its ‘State of Ransomware 2022’ white paper, Sophos reported that in the UK 57% of organisations had been hit by ransomware in the previous year and of those a further 57% had data encrypted, meaning around a third of UK organisations were the subject of a successful ransomware attack. Just 42% of organisations in the UK reported having cyber insurance cover.

The National Cyber Security Centre (NCSC) states that “law enforcement does not encourage, endorse nor condone the payment of ransom demands”. The former Home Secretary, Priti Patel, in a speech at the CyberUK conference asserted that “Government has a strong position against paying ransoms to criminals, including when targeted by ransomware” and cautioned that “paying a ransom is likely to encourage criminals to continue to use this approach”. In July last year the Information Commissioner issued a letter stating that “the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action”.

Despite this, according to the Sophos white paper, on average, almost half of organisations hit by ransomware globally resort to paying a ransom, with the average cost of ransomware payments in the UK amounting to approximately £128,500.

While it is not itself unlawful to pay a ransom, it is necessary to avoid breaching sanctions regulations when doing so. The risks of failing to comply with sanctions in the context of making ransomware payments are a real consideration for ransomware victims and their advisers following the imposition of global sanctions following Russia’s invasion of Ukraine.

On 09 February 2023, the British government (in a co-ordinated action with the US) imposed the first UK cyber sanctions, sanctioning 7 Russian nationals identified as cyber criminals, under the Cyber (Sanctions) (EU Exit) Regulations 2020, and entering their names on the UK Sanctions List. The US government identified these individuals as being members of or associated with the Trickbot Group, whose malware was used in the Conti attacks. The National Crime Agency (NCA) estimated that “the group was responsible for extorting at least £27 million from 149 UK victims, including hospitals, schools, businesses and local authorities”. The regulations make it a criminal offence to knowingly, or having reasonable cause to suspect, make funds or economic resources directly or indirectly available to, or for the significant financial benefit of, a designated person. This would include payment in cryptocurrency or other virtual assets, whether to the individual or an entity owned or controlled by the designated person. It is also an offence to circumvent these restrictions. On conviction, the maximum penalty is a term of imprisonment of up to 7 years and a fine, with individual company directors, partners, members or governors being capable of being held personally liable where the offence is committed with their consent or connivance. The maximum fine which may be imposed for breach of financial sanctions is £1 million or 50% of the value of the breach.

While the legislation does permit the government to issue a licence upon application in respect of conduct that would otherwise breach sanctions, this is unlikely to be considered appropriate in respect of a proposed ransomware payment.

Coinciding with the issue of cyber sanctions, the HM Treasury Office of Financial Sanctions Implementation (OFSI) issued Guidance on Ransomware and Financial Sanctions. The guidance encourages proactive voluntary disclosure to OFSI of any suspicion that a ransomware payment has been made to a designated person, which would be considered a mitigating factor when enforcement action was being considered.

Other mitigating factors include:

• Reporting the ransomware incident to law enforcement, in accordance with the NCSC’s ‘Where to Report a Cyber Incident’ portal; and,

• Co-operation with law enforcement during and after the ransomware attack, including disclosure of specific details of the ransomware payment.

Aggravating factors identified in the guidance include:

• Repeated, persistent or extended breaches of sanctions regulations; and,

• Regulated professionals failing to comply with regulatory standards.

The guidance seeks to reassure that “An investigation by the NCA is very unlikely to be commenced into a ransomware victim, or those involved in the facilitation of the victim’s payment (which could include but is not limited to financial institutions, cryptoasset businesses, cyber incident responders, insurance and negotiating service providers), who has proactively engaged with the relevant bodies as set out in the mitigating factors above”, and that compliance with the mitigating factors would result in a breach being resolved “through means other than a monetary penalty or criminal investigation.”

Ultimately, where there is evidence of a sanctions breach, it would be for the Crown Prosecution Service to conduct the Full Code Test under the Code for Crown Prosecutors to determine whether prosecution would be in the public interest, having regard to the seriousness of the offence, the culpability of the suspect (including if their offending was linked to them being a victim of crime), the circumstances of and harm caused to the victim, the suspect’s age and maturity at the time of the offence, the impact on the community, whether prosecution is proportionate and, whether there are sources of information that require protection.  

Victims of ransomware will need to give careful consideration to (i) whether to make a ransom payment, (ii) whether doing so is lawful and, if there is a concern that payment would breach sanctions, (iii) whether, when and the manner in which payment should be disclosed to relevant authorities (particularly given that advisers and intermediaries have their own reporting obligations and may therefore be obliged to alert the authorities in any event). Individual directors and officers may wish to obtain their own independent advice. Advisors and intermediaries will also want to consider the nature and extent of their own role in facilitating any payment. Records should be maintained of the due diligence undertaken and any notifications made.