The realm of cyber security and data protection has been the subject of much discourse lately, with India witnessing a major surge in cybercrime and malware attacks. As per the India Ransomware Report released in 2022 by CERT-In, India witnessed a 53% increase in ransomware incidents reported since the previous year. According to the ‘Ransomware and Extortion Report 2023’ issued by ‘Palo Alto Networks Unit 42’, India was the second most targeted country by ransomware in the Asia-Pacific and Japan region in 2022, up from the third spot in 2021. Tata Power, Sun Pharma, AIIMS and SpiceJet are some examples of major entities that have suffered ransomware attacks in the past year.
Rapid technological development has resulted in the emergence of new types of cybercrime in which the victim’s computer system is compromised by the attacker and the victim is held to ransom. Ransomware attacks are most often based on two scenarios: an ‘Infiltration’, in which the threat actor encrypts the victim’s data and renders it inaccessible unless a ransom is paid, or an ‘Exfiltration’, in which the victim’s data is extracted from the system with a threat that it will be published unless a ransom is paid.
In many instances, the attack is discovered only long after the date on which the victim’s system was first compromised, because attackers use increasingly sophisticated techniques to bypass the existing malware defences. By then it is too late to put protective software in place, and the affected entity is faced with the dilemma of whether or not to give in to the ransom demand in exchange for its data.
In many jurisdictions the law on the legality of making ransom payments is still grey and consequently leaves the question open as to whether, despite being the victim of an attack, the payment of ransom would lead to additional legal complications for the victim. This includes the question of whether payment of the ransom would constitute abetment of a crime. It is therefore prudent to be aware of the various actions one can take if faced with a ransomware attack, and to understand the legality of making a ransom payout.
The demands for ransom are getting higher year by year. As per the ‘Ransomware and Extortion Report 2023’ issued by ‘Palo Alto Networks Unit 42’, there have been ransom payments as high as $7 million, with a median demand of $650,000 and a median payment of $350,000. However, the report also highlights that effective negotiation can drive down actual payments. Dealing with the attacker is, however, inherently risky: even after the ransom is paid, the compromised data may not be restored. Furthermore, paying may expose the victim to further ransomware attacks, since attackers would then be aware that the victim has succumbed to a ransom demand before.
Ransomware attackers are becoming more sophisticated through machine learning and dark web sharing. Hackers typically demand payment in cryptocurrencies which are difficult to trace, and which open up a new set of legal issues for the victim. We can expect to see more ransomware attacks on organisations that are not cyber-secure in the near future.
Businesses are considering paying ransoms for a variety of reasons, including avoiding revenue losses, speeding up recovery and avoiding reputational damage. In many instances, most of a company’s data is stored on its servers, and in the event of a ransomware infiltration attack all access to that data is crippled, necessitating urgent steps to restore access and prevent a complete stoppage of operations. Additionally, many companies that operate on a hub and spoke model are realising that a ransomware attack in one location puts the systems of multiple locations at risk of compromise, and can therefore affect the company’s global operations.
With the significant rise in the number of Ransomware attacks, the following are the main remedies which could aid the victims of a ransomware attack:
(i) Containment: Once a ransomware attack has been detected, it is advisable to immediately engage technology experts so that the infected system or network can be isolated from the rest of the organisation’s network at once, to prevent the malware from spreading further.
(ii) Risk Assessment: An immediate risk assessment must be undertaken in order to understand the point of exposure and to prevent any further events from occurring. There are also authorities in various countries that issue guidance and advisories in relation to cyber events: in India there is CERT-In; in China, the National Computer Network Emergency Response Technical Team/Coordination Centre of China (CNCERT/CC); in Singapore, the Singapore Police Force (SPF)/Cyber Security Agency of Singapore (CSA); and in Malaysia, the Royal Malaysian Police (PDRM)/the Malaysian Communications and Multimedia Commission (MCMC).
(iii) Statutory Exposure: Most countries have regulatory requirements for reporting a cyber event as soon as the ransomware attack is noticed. In India, CERT-In has the authority to register such a filing, conduct investigations and share the details with other enforcement agencies if needed. Additionally, depending upon the nature and extent of the ransomware attack and the need to recover data which has been exfiltrated and is in danger of being placed on the dark web, victims have also been coordinating with investigating agencies. In many instances, this coordination has led to successful intervention by the investigating agencies. However, the fear inherent in the decision of whether or not to report such an attack to the investigating agencies is inevitably that the event then becomes public, and most companies prefer to contain information relating to the event rather than have it publicised.
In the event the victim of a cyber attack decides to engage with the threat actor, there are certain jurisdictions where it is a grey area whether such engagement is permissible or, in some situations, even legal. The payment of ransom is generally discouraged and may even be illegal in certain countries. In Singapore, for example, while the payment of ransom is not expressly banned, it could potentially be an illegal act, construed as facilitating money laundering under the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA). Section 51 of this Act holds a person guilty of an offence if he assists another to retain benefits from criminal conduct.
In India, Section 107 of the Indian Penal Code, 1860 defines the abetment of an offence as intentionally aiding, by act or illegal omission, the doing of an illegal act. Thus, when the victim of a ransomware attack makes a ransom payout, that act may be considered a contributing element towards the abetment of a crime, by aiding the commission of the crime.
Furthermore, under Section 23 of the ‘Prevention of Money Laundering Act, 2002 (PMLA)’, where money-laundering involves two or more inter-connected transactions and one or more of those transactions is proved to be involved in money-laundering, it is presumed for the purposes of adjudication that the remaining transactions are also part of the money-laundering. This could implicate a victim who chooses to pay the attacker, if the attacker then uses the proceeds of that payment in a money-laundering transaction.
If the victim of a ransomware attack decides to pay the ransom internationally or through cryptocurrency, the payment would attract the FEMA guidelines, since under Section 3 of the Foreign Exchange Management Act, 1999 (FEMA) the transfer of foreign exchange to an unauthorised person is an offence.
Moreover, if the declaration of the reason for the payment required under Section 10 of the Act is misrepresented in order to initiate the payment, such misrepresentation would be penalized in accordance with the provisions of the Act.
The perspective on negotiating with threat actors in ransomware attacks varies among Asian countries. Some countries may be more willing to negotiate due to cultural and economic factors, while others may take a hardline stance against negotiating with attackers. The Indian government has stated that it does not support ransom payments to cybercriminals, as it may encourage more attacks and criminal activities. The government encourages companies to invest in cybersecurity measures and backups to prevent and mitigate the impact of ransomware attacks. In case a cyberattack does occur, it is necessary to consider the statutory provisions of the local jurisdiction while considering the next steps to mitigate damage and obtain control over the data.