Ransomware—malicious software that locks or alters computer data and demands a ransom payment to unlock or restore the data—is not a new phenomenon. Recently, though, ransomware attacks have become increasingly common and increasingly sophisticated, with hackers not only locking but also stealing the data. For targets and victims of these attacks, this is a worrying trend with potentially costly implications, although options remain for dealing with such threats.
Background
Significant ransomware incidents were being reported as early as 2005,[1] and the FBI has been warning about them for years.[2] Indeed, between 2015 and 2016, the FBI noted a 300% increase in the number of ransomware attacks,[3] although numbers in 2017 and 2018 appeared to stabilize or even decline as other forms of attack became more prominent.[4]
In the past, the FBI has not advised victims of ransomware attacks to pay the demanded ransoms.[5] Instead, standard advice has been to focus on prevention of and preparation for attacks, with a particular emphasis on backups (ideally offline) and incident-response plans so that affected companies would be able to discover attacks promptly, isolate infected systems quickly after discovery, and then restore to recent back-up states, seeking to minimize any impacts on business continuity.[6] In other words, well-prepared entities could simply ignore ransom demands in many instances, as paying to restore infected systems was unnecessary.[7]
Recent News
Now, however, as we enter 2020, ransomware attacks have resurfaced as a key threat to entities and individuals across the world, and even well-prepared victims may no longer be able to ignore ransom demands. A 2019 McAfee report, for example, indicated that ransomware incidents had more than doubled since 2018, with hackers employing ever more sophisticated and more costly forms of attack.[8] Likewise, a recent FBI announcement noted that “[r]ansomware attacks are becoming more targeted, sophisticated, and costly, [. . . with] the losses from ransomware attacks hav[ing] increased significantly . . . .”[9]
Even more recently, the FBI has warned of a particularly nefarious ransomware attack, known as Maze, which not only encrypts the data on infected systems but exfiltrates it, as well.[10] This poses a double threat, as the Maze hackers can now negotiate with both the proverbial “carrot” (the offer to restore affected data in exchange for payment) and the proverbial “stick” (the warning that exfiltrated data will be released if ransom is not paid). In fact, Maze hackers are already employing this additional “stick” approach, having created a public webpage listing company names and corresponding websites for eight victims that have declined to pay a ransom.[11]
Unfortunately, these eight victims are unlikely to be the last. Indeed, other recent attacks were already using similar techniques,[12] while Maze itself is relatively new and might just be getting started. According to Bleeping Computer, Maze has been operating since early 2019 but has only recently begun targeting U.S. companies, with the FBI having “first observed Maze ransomware activity against US victims in November 2019.”[13] Of course, other hackers and ransomware attacks will almost certainly follow, particularly if Maze is successful in forcing even a small number of its victims to pay.
Implications and Options
With this reemergence and evolution of ransomware, it is now more important than ever for governments, businesses, and even individuals to assess and implement both prevention and preparation strategies for dealing with cybersecurity threats. And, as those threats become more comprehensive, the corresponding strategies must become more comprehensive, as well.
For example, although some businesses might already have been required to report ransomware incidents as data breaches,[14] others have been able to take the position, at least in some cases, that a traditional ransomware attack does not constitute a data breach under various state and federal laws when it merely encrypts but does not exfiltrate or otherwise compromise the affected data.[15] A business suffering a Maze or similarly designed ransomware attack, however, will need to reconsider its breach-reporting obligations in this new context, and, with Maze’s exfiltration of data, it might no longer be possible to argue that data affected by such ransomware was not compromised in a material way.
A victim of a Maze attack will also need to consider, among other things, whether to pay the demanded ransom. Of course, if hackers are merely threatening to disclose the fact that a breach has occurred, a victim might be able to moot that threat with a voluntary breach notification, even if none is legally required, and backups might be used to restore affected systems without needing anything from the hackers.
If, however, the hackers are also threatening to dump the data itself (as they are now doing), then businesses will need to weigh the potential options and risks very carefully, preferably with the advice of legal counsel and a thorough understanding of the categories and the sensitivity of the specific data at issue. Costs and risks of paying a ransom include not only the direct financial cost of the payment but also the risk that a payment will make the business an enticing target for copycat hackers and the risk that the hackers will not restore the data even after payment is made. On the other hand, the costs and risks of not paying a ransom could include essentially a second breach, with the original hackers exposing some or all of the business’s sensitive information to other hackers, identity thieves, and bad actors.
A victim of a Maze attack might also want to consider a more offensive approach, including possible legal action. In a recent example, Southwire Co., LLC, one of the nation’s largest wire manufacturers, was hit with a Maze attack on December 9, 2019.[16] After self-quarantining and shutting down its network, the business was apparently able to restore operations to normal within two or three days,[17] and, perhaps as a result, Southwire refused to pay the demanded ransom of roughly $6 million in Bitcoin.[18] In response, the hackers posted a subset of the roughly 120GB of stolen data on a publicly available website.[19]
Southwire, however, decided to push back, filing a complaint against the anonymous hackers in the U.S. District Court for the Northern District of Georgia, seeking (among other things) to enjoin publication of the stolen data and to recover monetary damages.[20] Presumably, Southwire will also use the discovery tools available in litigation to seek information from the domain registrar that hosts the website on which the stolen data has been posted.[21] It remains to be seen how successful this approach will be, but litigation (even against anonymous actors) is certainly worth considering in response to a Maze or similar ransomware attack.
Conclusion
Data privacy and security threats continue to evolve, and potential targets will need to continue to evolve with them. Right now, governments, businesses, and individuals should be particularly wary of Maze and similar ransomware attacks, and they might want to reassess older analyses in light of the new double threat posed by such attacks. More broadly, though, they should continue to develop comprehensive prevention and preparation strategies for dealing with a variety of threats in the current environment, and, if attacked, they should consider litigation as one possible avenue of relief.
For more information, please contact John Gray, Of Counsel, Lewis Roca Rothgerber Christie LLP at jgray@lrrc.com.
[1] Susan Schaibly, “Files for ransom,” Network World (Sep. 26, 2005), https://www.networkworld.com/article/2314306/files-for-ransom.html (accessed Jan. 10, 2020).
[2] “Incidents of Ransomware on the Rise,” FBI News (Apr. 29, 2016), https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise (accessed Jan. 10, 2020) (reporting significant increase of ransomware attacks in 2015 and first three months of 2016).
[3] “Ransomware Prevention and Response for CISOs,” FBI (2016), https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view (accessed Jan. 10, 2020).
[4] Fred Donovan, “Despite Flashy Attacks, Healthcare Ransomware Attacks Decline,” HealthITSecurity (Jul. 23, 2018), https://healthitsecurity.com/news/despite-flashy-attacks-healthcare-ransomware-attacks-decline (accessed Jan. 10, 2020).
[5] “Ransomware Prevention and Response for CISOs,” supra.
[6] Ibid.
[7] See, e.g., Mark Brunelli, “Hacked MUNI refuses $73,000 ransom demand, recovers files from backup,” Carbonite (Nov. 29, 2016), https://www.carbonite.com/blog/article/2016/11/hacked-muni-refuses-$73000-ransom-demand-recovers-files-from-backup (accessed Jan. 10, 2020).
[8] Jessica Davis, “Ransomware Attacks Double in 2019, Brute-Force Attempts Increase,” HealthITSecurity (Sep. 3, 2019), https://healthitsecurity.com/news/ransomware-attacks-double-in-2019-brute-force-attempts-increase (accessed Jan. 10, 2020).
[9] “HIGH-IMPACT RANSOMWARE ATTACKS THREATEN U.S. BUSINESSES AND ORGANIZATIONS,” FBI Alert Number I-100219-PSA (Oct. 2, 2019), https://www.ic3.gov/media/2019/191002.aspx (accessed Jan. 10, 2020).
[10] Ionut Iloscu, “FBI Warns of Maze Ransomware Focusing on U.S. Companies,” Bleeping Computer (Jan. 3, 2020), https://www.bleepingcomputer.com/news/security/fbi-warns-of-maze-ransomware-focusing-on-us-companies/ (accessed Jan. 10, 2020).
[11] Brian Krebs, “Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up,” KrebsOnSecurity (Dec. 16, 2019), https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/ (accessed Jan. 10, 2020).
[12] See, e.g., Fahmida Y. Rashid, “MAZE TURNS RANSOMWARE INCIDENTS INTO DATA BREACHES,” Decipher (Dec. 11, 2019) (“The group responsible for the RobbinHood ransomware infection that crippled Baltimore in May also stole files. The screenshots of some of the files were posted on a Twitter account to encourage city officials to pay.”), https://duo.com/decipher/maze-turns-ransomware-incidents-into-data-breaches (accessed Jan. 10, 2020).
[13] Iloscu, supra (quoting FBI Flash Alert, Dec. 23, 2019).
[14] See, e.g., Jessica Davis, “Experts: There’s no gray area with ransomware breach reporting,” HealthcareITNews (Jun. 20, 2017), https://www.healthcareitnews.com/news/experts-there%E2%80%99s-no-gray-area-ransomware-breach-reporting (accessed Jan. 10, 2020).
[15] See, e.g., Mary Beth Versaci, “Data breaches unlikely in August ransomware attack,” ADANews (Oct. 7, 2019), https://www.ada.org/en/publications/ada-news/2019-archive/october/data-breaches-unlikely-in-august-ransomware-attack (accessed Jan. 10, 2020).
[16] Jessica Saunders, “Reports: Southwire incident was ransomware attack seeking bitcoin worth $6M,” Atlanta Business Chronicle (Dec. 17, 2019), https://www.bizjournals.com/atlanta/news/2019/12/17/reports-southwire-incident-was-ransomware-attack.html (accessed Jan. 10, 2020).
[17] Ibid.
[18] Kelly Sheridan, “Ransomware Victim Southwire Sues Maze Operators,” DarkReading (Jan. 3, 2020), https://www.darkreading.com/threat-intelligence/ransomware-victim-southwire-sues-maze-operators/d/d-id/1336719 (accessed Jan. 10, 2020).
[19] Ibid.
[20] Southwire Co., LLC v. Doe, Case No. 3:19-cv-00189-TCB (N.D. Ga.) (Compl. filed Dec. 31, 2019), available at https://www.documentcloud.org/documents/6595459-Complaint.html (contributed by Lawrence Abrams, Bleeping Computer) (accessed Jan. 10, 2020).
[21] See ibid. (Compl. ¶ 5.)
John Gray is Of Counsel in Lewis Roca’s Litigation Practice Group and leads the firm’s Data Privacy and Cybersecurity Group. He is also a member of the firm’s AI Task Force.
As a litigator, John has more than a decade of experience in Arizona, California, and other forums across the ...