Cyber-extortion: Pro-active and reactive responses

Attacks on Marks & Spencer, the Co-op and Jaguar Land Rover have alerted us all to cyber threats this year. The message is now clear that everyone is vulnerable to a cyber breach for many reasons, whether as a result of accident and human error or of an external threat.

A resilient approach to preventing and responding to cyber attacks demands working with external partners and challenging conventional business practices.

The way forward will often lie with a decision on how to engage with the attackers, the threat actors. Management will often turn to the General Counsel/Head of Legal who is often little prepared for this unfamiliar role.

Key issues regarding cyber attacks include: How did the attackers get into the IT system? How will internal or external forensics teams focus on what happened next? Management will ask: how do we get the business back into action? Adding to the difficulty of this crisis situation is the fact that cyber attacks often occur at off-peak times, such as outside business hours, weekends and holiday periods.

Preventing and responding to cyber attacks

The first step will often include calling in a crisis management company with specific experience of dealing with cyber attacks. They will want a contract to be agreed which will cover the scope of their engagement. They will not start work reviewing documentation and IT systems until you have signed their contract. How long would it take to decide which crisis management company to contact, and who would sign for your organisation? In the event that your IT system is down, do you have more than one copy of a paper notebook with relevant names and phone numbers?

An SME should go first to its insurance company, assuming its policy covers cyber attacks. Large companies could consult their own forensic team if they have one. The victim organisation’s first instinct may be to consult its usual law firm(s). But it is important to check that they are experienced in this field and that they have a good working relationship with a crisis management company. As cyber security issues are a specialist area, your organisation may need to consult a law firm not on your regular panel of legal advisors.

Notifying the regulator

A crisis management company will aim to identify, tackle and resolve cyber attacks. In the UK, they will advise on whether, when and how to inform the National Crime Agency and the ICO.

Multinational companies operate in many countries so a cyber attack in the UK may have an impact in other jurisdictions. If so, the victim organisation needs to know about the timetable for informing regulators, apparently within four hours for some incidents in China.

The usual advice is not to notify too early when the details are not yet known. The crisis management company will advise when to notify the national regulators of an incident stating that more details will be available in due course. However, your organisation does not want to be accused of a cover-up with an impact on your reputation.

What do attackers want?

A common incentive is money, using ransomware as a weapon, while industrial espionage for technical information remains a motive for some attackers. The attackers extract personal data and/or data essential for manufacturing processes. They encrypt it and promise to replace it and/or provide the encryption key if the victim pays a certain sum usually via the dark web. They know that it is damaging to an organisation’s reputation if personal data is compromised and/or a manufacturer stops production.

While many companies have a policy of not engaging with cyber criminals, because of an understandable reluctance to submit to cyber extortion, around one-third of victims do so for several reasons.

  • Most organisations’ back-up systems have not been properly tested. So some parts may be backed up, but that is not the same as extending the test across the whole IT system. When back-ups are tested at a time of crisis, 90% fail.
  • It is more efficient to rebuild the IT system to its former configuration rather than taking the time-consuming opportunity to build a new system which would require new contracts and equipment.
  • Experienced crisis management professionals have learned that negotiating with the adversaries can mitigate the damage because threat actors differ in their objectives. Once their objectives are understood, such as industrial espionage or money, it is easier to discuss a resolution. Many attackers consider that they are running an extortion business and want results in the form of a financial reward.

Do threat actors keep their side of an agreement?

After paying a ransom? Do threat actors keep their side of an agreement and provide the encryption key when the victim has paid the ransom?

Usually they do because they have their own reputation to protect. The crisis management industry has created threat actor league sites to share information on their adversaries.

Physical threats? Do they follow up with physical threats to senior managers and/or to set fire to buildings?

Generally no. They are more likely to pursue less violent methods, such as taking over printers or tipping off journalists about the data disaster.

John Edwards, Information Commissioner, referred at the ICO Annual Conference last month to ShinyHunters, a group of cyber criminals. Looking at the Resecurity website(1) on this and other similar groups, it is clear that the cyber criminals are well organised. The website, updated on 3 October, states that the cyber criminal collective “has launched a Data Leak Site (DLS) on the TOR network containing 39 well-known companies impacted by the attacks” including FedEx, Marriott and Toyota. It notes that the threat group “has shifted toward a traditional ransomware modus operandi.”

As evidence that the criminals are now operating in a quasi-corporate style, the Resecurity website reports:

  • “The threat actors stated they attempted to contact Salesforce earlier but were unable to negotiate terms to prevent disclosure.”
  • “Similar to the tactics of other ransomware groups — for example, targeting EU-based victims to ensure compliance with GDPR — the group threatened to report evidence of the data breach to regulators, which could result in "criminal negligence charges" against the company.”
  • The criminals adopt corporate language stating that they “specialize in high-value corporate data acquisition and strategic breach operations…..We help you regain control.” Jaguar Land Rover is one of their victims.

There is an advantage in negotiating with cyber criminals because it buys time. The crisis negotiators can sometimes develop a relationship with the criminals which reveals their motivations. Sometimes ransom attacks can be a smokescreen to cover up the attackers’ primary aim. The victims’ objective is a negotiated written settlement, for example, a lower ransom payment and a promise not to return to threaten the same organisation. In ransom cases, it is not in the interests of the criminals that their victim organisations suffer collapse.

Do cyber criminals ever drop their demands?

It has been reported that the cyber criminals threatening Ireland’s health service were persuaded to drop their threats, as the consequence would be the collapse of the service. In a similar way, cyber criminals who this year extracted data from a chain of children’s nurseries in the UK were persuaded to stop their activities because it was not considered a legitimate target.

Should you report a cyber attack to the National Crime Agency?

Yes, because it builds up their understanding of this type of crime. If they see fit, they liaise with their counterparts in other countries. Although the police are more concerned with the criminal suspects than the victim companies, they do not pass information on cyber attacks to the regulators, leaving this step to the victim organisations.

Clearly, cyber security is a critical business issue, so the most important point for management is: don’t leave data security to the IT Team.

At PL&B’s Meet the Correspondents in London on 3 December, hosted by Stephenson Harwood, one of the sessions is “Help, we’re under attack!”, an outline of steps to take in the event of, and to prepare for, a personal data breach cyber incident. This event is free to subscribers. It is in-person only and will not be recorded, to encourage exchange of experience.

Laura Linkomies, Editor, and I look forward to seeing you there.

Best regards,

Stewart Dresner
Publisher, Privacy Laws & Business

November 2025

REFERENCE
  1. Resecurity - ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims
