Victims of hacking will be banned from paying ransoms to cyber-criminals unless approved by officials, under new laws announced on Tuesday.
Organisations that are deemed to be part of critical infrastructure will face a complete ban on paying cyber-criminals, as will the whole public sector.
Victims of a hack will also have to inform officials, to give them the first complete picture of the scale of “ransomware” cybercrime.
The measures are some of the most aggressive in the world to target the business model of hackers. Only Australia has similar laws.
Ransomware is the biggest cyber threat faced by Britain. Hackers cripple a system after getting access and threaten to publish sensitive information unless they are paid in cryptocurrency — known as “double extortion”.
Recent hacks on the retail sector that targeted Marks & Spencer, The Co-Operative Group and Harrods highlighted the damage such operations can do. M&S put the cost of the attack at £300 million.
Last year NHS hospitals in London had to cancel procedures and operations after a pathology lab was hacked, contributing to the death of one person, one of the first fatalities linked to cybercrime.
The public sector currently has a de facto ban on ransoms, so the most far-reaching measure in the updated laws will require businesses or organisations not covered by any ban to seek approval before paying hackers.
They would then be provided with advice and support and would be stopped from paying any sanctioned groups, many of whom are based in Russia.
Organisations involved in critical national infrastructure, which encompasses 13 sectors such as chemicals, food, communications and data centres, will also not be allowed to pay.
Leaders of the Co-Op said they did not pay any ransom but the chairman of M&S could not make a similar statement when questioned by MPs this month.
The hacks have been linked to the Scattered Spider and DragonForce groups and four people have been arrested.
Shirine Khoury-Haq, the Co-Op CEO, said the laws were “a step in the right direction for building a safer digital future.”
Experts also welcomed the measures. Ciaran Martin, former chief executive of the National Cyber Security Centre, called it “a very positive step”. He added: “It ends the damaging nonsense where criminals can get lucratively paid in secret: the authorities can’t help if they don’t know about something. How it’s implemented is crucial but it deserves support.”
Alan Woodward, professor of cybersecurity at Surrey University, said: “All of this will undermine the criminals’ business model. Hopefully it should show the criminals there is no point in attacking UK-based targets. I don’t imagine it will cause an immediate drop-off but it should cause a progressive slowdown.”
Jamie MacColl, senior research fellow in cyber and tech at the Royal United Services Institute, said it was “a sign that the government is taking ransomware more seriously”.
However, he added: “I remain sceptical that the partial ransom payment ban for the public sector and critical national infrastructure is going to have the desired effect and make the UK a less attractive target for cybercriminals.
“Ransomware is largely an opportunistic crime and most cybercriminals are not discerning. I can’t see most cybercriminals taking a limited UK payment ban into account for their operating models. It would probably take a full payment ban to make the criminals sit up and take notice.”
The plans come after a consultation on the measures, which the Home Office said had broad support.
Dan Jarvis, the security minister, said: “By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware.”