The UK has joined 38 other countries in backing new guidance for corporate ransomware victims. The guidelines, also endorsed by the US, Japan, and Australia, strongly recommend that organisations do not act impulsively in paying ransoms demanded by hackers. They argue that such actions only perpetuate the cycle of breaches that have afflicted the private sector in recent years. However, the guidance falls short of endorsing a full ban on ransomware payments.
Despite this, the UK National Cyber Security Centre’s director for national resilience wholeheartedly endorsed the global accord. “Cyber criminality does not recognise borders,” said Jonathan Ellison. “The endorsement of this best practice guidance by both nations and international cyber insurance bodies represents a powerful push for organisations to upgrade their defences and enhance their cyber readiness.”
Ransomware scourge receiving global attention
The new guidance effectively endorses the guidance agreed by stakeholders at the 2024 Counter Ransomware Initiative (CRI) summit held earlier this year in the US. Specifically, it urges organisations to assess their options carefully before paying ransoms to cyber criminals in an attempt to halt disruption and data loss. Instead, the guidelines ask organisations to report incidents to law enforcement bodies, check the availability of data backups, and seek advice from recognised experts.
The guidelines also recommend that public and private organisations take proactive steps to mitigate ransomware attacks should they occur, including the development of contingency plans for data retention and retrieval, as well as policies, frameworks, and communication strategies.
By discouraging ransom payments, the new guidelines aim to undermine the ransomware business model, thereby eliminating the incentive for criminals to target organisations and ultimately preventing future attacks.
The global compact is unlikely to please those cybersecurity experts who have called for a complete ban on ransomware payments. But preventing companies from taking this action could be counterproductive, ESET’s Jake Moore told Tech Monitor.
“Forcing the removal of paying ransom demands is frustratingly easier said than done,” said Moore. “The consequences and effects of a ransomware attack are far deeper than a simple decision of to pay or not to pay. Ransomware can cripple an organisation but the decision to pay or not is vital in understanding the aftermath and navigating the least worst route out. Removing the option to pay could force many companies into further financial damage, or even fold altogether.
“It is, therefore, far more important to help protect companies from being attacked in the first place by offering proper support and access to the most robust available security options on offer.”
Ransomware a primary threat to UK businesses
According to the UK government, ransomware remains the primary cyber threat to UK businesses and organisations, with cybercriminals continuously adapting their methods to maximise profits.
Industry estimates reported by Chainalysis indicate that last year saw the highest-ever losses from ransomware payments, with over $1bn paid to criminals across the globe.
This week, the UK sanctioned 16 individuals associated with the Russian cybercrime group Evil Corp, in a joint action with the US and Australia. Evil Corp had previously carried out malware and ransomware attacks not only on British health, government, and public sector organisations but also on private commercial technology firms.
The Russian cybercrime group also had connections with the ransomware group LockBit. Earlier this year, the UK’s National Crime Agency infiltrated LockBit, which led to the revelation that cyber criminals usually retained data even after victims had paid a ransom for its deletion.
In May 2024, the National Cyber Security Centre partnered with three UK insurance bodies (the Association of British Insurers, the British Insurance Brokers’ Association, and the International Underwriting Association) to launch co-sponsored guidance for UK organisations.