Navigating the legal consequences of ransom payments in the face of ransomware attacks
BY KATHERINE JONES, KEITH BETHLEHEM AND NICOLA MOSTERT – SEP 01, 2023 8:25 AM AEST
Snapshot
- Ransomware attacks involve malware that encrypts files making them inaccessible. Threat actors typically demand a ransom in exchange for restoring access to the encrypted files.
- Payment of ransom is highly contentious and raises various moral and ethical concerns as well as potential criminal consequences.
- If a law practice is facing a ransomware attack, they should proceed with utmost caution to avoid any criminal law exposure.
The increasing prevalence of ransomware attacks has forced law practices to confront the challenging question of whether payment of ransom may be a viable and, indeed, lawful option. Ransomware attacks involve malware that encrypts files, making them inaccessible to the target. Exfiltration of data may also be involved. The attackers typically demand a ransom, often in the form of cryptocurrency, in exchange for restoring access to the encrypted files or a promise not to release sensitive data.
This is a topical issue in light of recent high-profile ransomware attacks against law practices and other organisations. This article explores the potential legal consequences faced by law practices when deciding whether to pay a ransom. This is a complex issue in which ethical and legal considerations play a significant part. Payment of ransom is always a last resort. Vigilance through training of employees and updated security measures, together with diligent and frequent backups, is the first line of defence. Recent events illustrate that even sophisticated defences can be breached by threat actors, often preying on human error.
The legal landscape
Criminal Law – Instrument of crime provisions
Division 400 of the Criminal Code Act 1995 (Cth) prohibits dealing with money or other property that is, or is at risk of becoming, an instrument of crime. A ransom payment may engage this offence. Arguably, the intentional payment of ransom by its very nature constitutes dealing with money that will become an instrument of crime. That said, existing legislation does not expressly contemplate the scenario of a ransomware attack. In recent years, proposed legislation such as the Ransomware Payments Bill 2021 and the Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 would have imposed mandatory reporting obligations in respect of ransomware payments and criminal liability specifically for acts of cyber extortion. However, the Bills have lapsed, and further policy development and legislative change in this area are awaited.
In some circumstances, the defence of duress is potentially applicable, where it is demonstrated that the payment was made under threat, the payment was a reasonable response to the threat, and there was no reasonable alternative to deal with the threat. We are not aware of any prosecutions to date in relation to a ransomware payment.
Counter-terrorism laws
Sections 102.6 and 103.2 of the Criminal Code Act 1995 (Cth) address making funds available to proscribed entities. Paying a ransom to an organisation confirmed to be on the government-maintained terror list constitutes an offence under Part 5.
Sanctions and international law
Australia, as a signatory to the Charter of the United Nations, is obliged to accept and carry out UN Security Council decisions, including sanctions. Payments to proscribed entities or individuals could trigger strict liability offences under Charter of the United Nations Act 1945 (Cth). Similar offences also apply with respect to sanctions imposed autonomously under the Autonomous Sanctions Act 2011 (Cth).
Considerations for law practices
The Australian Government recommends that ransoms are not paid. The Australian Cyber Security Centre is very clear – it states: ‘Never pay a ransom’. That binary analysis is oversimplified for a law practice facing ruin as a result of encryption of its systems, where payment of a moderate ransom provides a viable and immediate solution. The reality is that ransomware events have been successfully resolved through payment to threat actors where no other option existed because of unusable backups. Restoration of systems in those cases was either impossible or not financially viable.
The legal risk to law practices is derived principally from the identity of the threat actor. Law practices should proceed with utmost caution to avoid criminal law exposure, as making a ransom payment may breach anti-money laundering, counter-terrorism or sanctions laws. While there is currently no specific law in Australia prohibiting ransom payments, law practices must navigate the evolving legal and regulatory landscape surrounding cybersecurity, sanctions and counter-terrorism financing. Early consultation with regulators and the designated Lawcover Cyber Risk insurer can help law practices make informed decisions while minimising legal risks.
If you are a victim of ransomware, support is available from the Lawcover Cyber Risk insurance helpline (1800 4BREACH) where options can be assessed and the Cyber Risk insurer notified. Given the potential for ransomware attacks, law practices should consider documenting an action plan rather than confronting the issues in crisis mode at the time of an attack.
The authors are indebted to Anthony Donovan, solicitor, Colins, Biggers & Paisley, for his foundational work on this article.
This article originally appeared on lsj.com.au