Ransomware—malicious software that locks or alters computer data and demands a ransom payment to unlock or restore the data—is not a new phenomenon. Recently, though, ransomware attacks have become increasingly common and increasingly sophisticated, with hackers not only locking but also stealing the data. For targets and victims of these attacks, this is a worrying trend with potentially costly implications, although options remain for dealing with such threats.
Background
Significant ransomware incidents were being reported as early as 2005,1 and the FBI has been warning about them for years.2 Indeed, between 2015 and 2016, the FBI noted a 300% increase in the number of ransomware attacks,3 although numbers in 2017 and 2018 appeared to stabilize or even decline as other forms of attack became more prominent.4
In the past, the FBI has not advised victims of ransomware attacks to pay the demanded ransoms.5 Instead, standard advice has been to focus on prevention of and preparation for attacks, with a particular emphasis on backups (ideally offline) and incident-response plans so that affected companies would be able to discover attacks promptly, isolate infected systems quickly after discovery, and then restore to recent back-up states, seeking to minimize any impacts on business continuity.6 In other words, well-prepared entities could simply ignore ransom demands in many instances, as paying to restore infected systems was unnecessary.7
Now, however, as we enter 2020, ransomware attacks have resurfaced as a key threat to entities and individuals across the world, and even well-prepared victims may no longer be able to ignore ransom demands. A 2019 McAfee report, for example, indicated that ransomware incidents had more than doubled since 2018, with hackers employing ever more sophisticated and more costly forms of attack.8 Likewise, a recent FBI announcement noted that "[r]ansomware attacks are becoming more targeted, sophisticated, and costly, [. . . with] the losses from ransomware attacks hav[ing] increased significantly . . . ."9
Even more recently, the FBI has warned of a particularly nefarious ransomware attack, known as Maze, which not only encrypts the data on infected systems but exfiltrates it, as well.10 This poses a double threat, as the Maze hackers can now negotiate with both the proverbial "carrot" (the offer to restore affected data in exchange for payment) and the proverbial "stick" (the warning that exfiltrated data will be released if ransom is not paid). In fact, Maze hackers are already employing this additional "stick" approach, having created a public webpage listing company names and corresponding websites for eight victims that have declined to pay a ransom.11
Unfortunately, these eight victims are unlikely to be the last. Indeed, other recent attacks were already using similar techniques,12 while Maze itself is relatively new and might just be getting started. According to Bleeping Computer, Maze has been operating since early 2019 but has only recently begun targeting
Implications and Options
With this reemergence and evolution of ransomware, it is now more important than ever for governments, businesses, and even individuals to assess and implement both prevention and preparation strategies for dealing with cybersecurity threats. And, as those threats become more comprehensive, the corresponding strategies must become more comprehensive, as well.
For example, although some businesses might already have been required to report ransomware incidents as data breaches,14 others have been able to take the position, at least in some cases, that a traditional ransomware attack does not constitute a data breach under various state and federal laws when it merely encrypts but does not exfiltrate or otherwise compromise the affected data.15 A business suffering a Maze or similarly designed ransomware attack, however, will need to reconsider its breach-reporting obligations in this new context, and, with Maze's exfiltration of data, it might no longer be possible to argue that data affected by such ransomware was not compromised in a material way.
A victim of a Maze attack will also need to consider, among other things, whether to pay the demanded ransom. Of course, if hackers are merely threatening to disclose the fact that a breach has occurred, a victim might be able to moot that threat with a voluntary breach notification, even if none is legally required, and backups might be used to restore affected systems without needing anything from the hackers.
If, however, the hackers are also threatening to dump the data itself (as they are now doing), then businesses will need to weigh the potential options and risks very carefully, preferably with the advice of legal counsel and a thorough understanding of the categories and the sensitivity of the specific data at issue. Costs and risks of paying a ransom include not only the direct financial cost of the payment but also the risk that a payment will make the business an enticing
A victim of a Maze attack might also want to consider a more offensive approach, including possible legal action. In a recent example,
Southwire, however, decided to push back, filing a complaint against the anonymous hackers in the
Conclusion
Data privacy and security threats continue to evolve, and potential targets will need to continue to evolve with them. Right now, governments, businesses, and individuals should be particularly wary of Maze and similar ransomware attacks, and they might want to reassess older analyses in light of the new double threat posed by such attacks. More broadly, though, they should continue to develop comprehensive prevention and preparation strategies for dealing with a variety of threats in the current environment, and, if attacked, they should consider litigation as one possible avenue of relief.
Footnotes
1.
2. "Incidents of Ransomware on the Rise,"
3. "Ransomware Prevention and Response for CISOs," FBI (2016), https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view (accessed
4.
5. "Ransomware Prevention and Response for CISOs," supra.
6. Ibid.
7. See, e.g.,
8.
9. "HIGH-IMPACT RANSOMWARE ATTACKS THREATEN
10. Ionut Iloscu, "FBI Warns of Maze Ransomware Focusing on
11.
12. See, e.g.,
13. Iloscu, supra (quoting FBI Flash Alert,
14. See, e.g.,
15. See, e.g.,
16.
17. Ibid.
18.
19. Ibid.
20.
21. See ibid. (Compl. ¶ 5.)
Mr John C. Gray
© Mondaq Ltd, 2020 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source