Ransomware – can you pay?

Ransomware, also referred to as a crypto-virus, is malicious software that is used by cyber criminals to illicitly infect, lock-out and then take control over digital systems in order to prevent owners from re-accessing them. In doing so, cyber criminals use the ransomware to extort monies contingent on the promise of restoring owners’ access to their systems. The two common ways through which Ransomware is installed are via phishing emails and/or the visiting of websites with malicious software.

The use of ransomware has increased dramatically both nationally and internationally over the past few years, contributing to an ever growing list of cyber threats and cyber criminality. In South Africa alone approximately R5.7 billion is lost by victims of cyber crime annually – and this figure is likely on the rise.

Criminality of Ransomware
Cyber criminals behind ransomware can be prosecuted in terms of the common law crime of extortion. The crime of extortion is defined as the taking from another party monetary value by intentionally and unlawfully subjecting that party to pressure in order to do so. Accordingly, cyber criminals who force companies or persons under duress to pay sums of monies in order to regain access to their digital system commit extortion. The Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) criminalises the intentional monitoring of any conversations and/or communications by means of a monitoring device, so as to gather confidential information concerning any person or body. Thus, in instances where ransomware is used to gather confidential information, a contravention of RICA will have taken place.

Chapter XIII of the Electronic Communications and Transactions Act (ECTA) aims to deal with cyber crimes, and, in doing so, attempts to provide legal certainty in this regard. In terms of ECTA, any unlawful access and interception or interference with data is a criminal offence. Moreover, ECTA plainly criminalises cyber extortion by providing that a person who intentionally accesses or intercepts any data without authority or permission to do so for the purpose of obtaining any unlawful proprietary advantage is guilty of an offence. The Cyber crimes and Cybersecurity Bill in its current form also clearly defines and criminalises cyber extortion.

Legality of Paying Ransoms
There is no broadly applicable South African legal principal which makes ransom payments illegal. However, the broad duties set out in the Prevention and Combating of Corrupt Activities Act would also cover ransomware victims being obliged to report incidents of ransomware/extortion to the police. However, outside of the legal realm, the payment of a ransom to cyber criminals may have many negative effects, such as: (1) No guarantee that the hackers will return the hijacked data; and (2) paying a ransom not only emboldens current cyber criminals to target more organisations, it also offers an incentive for other criminals to get involved in this type of illegal activity. Such effects are more of a commercial nature than legal nature.

In order to prevent ransomware attacks, information systems need to be created in such a way that will require attackers to spend more time on a given attack. This can be done in numerous ways from having more firewalls, to using encrypted VPNs, and/or imposing additional access controls. Inevitably, this will make the attacks less profitable and the capture of the perpetrators more likely.

Naturally, with larger companies, this task is more difficult, as cyber criminals tend to be more persistent in their attacks against large organisations, due to great potential reward. With smaller companies, the difficulty of funding sufficient information system security remains prevalent.

Cyber criminals are constantly finding new ways to penetrate security systems. The innovative use of intelligent systems, sharing of cybersecurity information and creation of more skilled cybersecurity professionals are all essential to the improvement of the security defense of large corporations.

Written by Berné Burger, an Associate and Daniel Vale, a Candidate Attorney at Webber Wentzel