The number of businesses paying a ransom following a ransomware attack is going up, and the National Cyber Security Centre (NCSC) and Information Commissioner's Office (ICO) are asking solicitors to remind their clients that paying up won't keep their data safe.
In a joint letter sent to The Law Society, the NCSC and ICO say there's been a rise in ransomware payments and that in some cases solicitors "may have been advising clients to pay" ransoms in the belief that it will keep the data safe or result in a lower financial penalty from the ICO. The Law Society is the professional association for solicitors in England and Wales.
"In recent months, we have seen an increase in the number of ransomware attacks and ransom amounts being paid and we are aware that legal advisers are often retained to advise clients who have fallen victim to ransomware on how to respond and whether to pay.
"It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case," the letter from the NCSC and ICO said.
Both agencies have said that this isn't the case, that paying the ransom is not condoned, and that paying just encourages cyber criminals to conduct more ransomware attacks.
The letter also issues a reminder that paying the ransom isn't a guarantee that data will be returned. That's because, even if an encryption key is provided, it may not work properly. There's also no guarantee that cyber criminals will keep their word and delete data stolen as part of 'double extortion' attacks designed to intimidate victims into paying.
"Ransomware remains the biggest online threat to the UK and we do not encourage or condone paying ransom demands to criminal organisations. Unfortunately we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend," said Lindy Cameron, CEO of the NCSC.
"Cybersecurity is a collective effort and we urge the legal sector to work with us as we continue our efforts to fight ransomware and keep the UK safe online," she added.
And the ICO has warned that paying a ransom to retrieve data isn't something that will reduce potential financial penalties.