United Kingdom warns lawyers not to advise clients to make ransomware payments

The UK’s National Cyber Security Center (NCSC) and the Information Commissioner’s Office (ICO) have reaffirmed the government’s position on not paying a ransom.

Paying a ransom could expose a company to sanctions violations while having no effect on subsequent ICO enforcement.

Given the international nature of GDPR, this would also apply to companies in the United States and other countries that pay a ransom to recover stolen European PII.

The National Counter-Cybersecurity Service (NCSC) warns UK companies with operations in Russia that paying a ransom to recover stolen PII could expose them to sanctions violations.

Ignorance of the attacker’s nationality would be a risky strategy, because the NCSC is part of GCHQ, and GCHQ, like the NSA, would be aware.

The law enforcement warning will only apply to companies with a UK presence, but other countries that are currently sanctioning Russia may take a similar stance.