Is it legal to pay a cyber ransom in NZ? The surprising answer

Today’s hackers often want money to give you back your files (after they’ve stolen them or encrypted them in a “ransomware” attack) or to cease a DDoS attack (a distributed denial-of-service attack where an army of bots try to connect to your site at once, rendering it inaccessible to regular punters).

And their efforts are only escalating, because governments enable ransomware extortionists in three ways: failing to regulate cryptocurrencies like bitcoin, giving hackers an easy, anonymous method of being paid; authorities’ underfunded and uncoordinated efforts to catch offenders (we compare particularly poorly against Australia, as detailed within this feature); and maintaining the legality of paying up.

NortonLifeLock security expert Mark Gorrie saw the recent DDoS attack on the NZX as a “profit-driven” attack, like those on Lion, Toll Group and Fisher & Paykel Appliances and MetService before it, and the Reserve Bank since (none of the victims would comment on whether a ransom had been demanded).

In the US, a ransomware attack that shut down a major oil pipeline has reanimated debate over whether a ransom should be paid – overnight, oil was flowing again after reports that the pipeline’s operator had paid millions for the return of key files.

Here, Crown agency Cert NZ and the police have clear advice. “Don’t pay.” Cert (Computer Emergency Response Team) deputy director Declan Ingram says paying up will only encourage another attack on you or another organisation. It’s also no guarantee you get your files back or that a DDoS attack will stop if you do stump up – and you’ll likely be giving money to an organised crime outfit that’s also involved in the likes of drugs and human trafficking.

Nevertheless, Kordia chief information security officer Hilary Walton says research indicates around 20 per cent of victims do pay. There are indications that fitness-tracker and avionics maker Garmin recently paid $14m to rid itself of an attack.

And the University of Auckland recently disclosed that it had alumni and donor data stored with Blackbaud, a listed US company that publicly disclosed it had paid a ransom after its systems were compromised earlier this year. Otago University also had data with Blackbaud. Both NZ universities said they were not party to the decision to pay off the hackers.

If an organisation doesn’t pay up, the latest tactic is blackmail – or slowly leaking small batches of sensitive files on to the public internet to encourage a victim to pay up.

Fisher & Paykel Appliances suffered that fate earlier this year when highly detailed budgets and planning documents were posted online.

But the whiteware maker gritted its teeth and did not pay.

It was a tough outcome, but Cert’s Ingram says even if you do pay, and your files are returned, your attacker could keep copies and use them to blackmail you in the future.

Yet Wellington lawyer and IT specialist Michael Wigley earlier said he can understand why some organisations pay up. In some cases it can be a pragmatic decision. In others, an argument can be made that a company’s duty of care extends to retrieving lost client data.

And Wigley noted that – simply because it would ruin future attempts if they didn’t play ball – hackers often do return files, as in the Garmin, Blackbaud and now Colonial Pipeline cases, and are willing to release small amounts of data to prove they’re the actual perpetrators.

Herald columnist Juha Saarinen says the government should make it illegal to pay a ransom.

What does the current law say?

“The Crimes Act was written in an age when a ransom was only demanded for a person, not data,” says Auckland University Law Faculty professor Bill Hodge.

“But my reading is that it would not be illegal to succumb to a hacker’s demands and pay a ransom.

“It would be almost impossible for police to mount a prosecution.”
