Ransomware—malicious software that locks or alters computer data and demands a ransom payment to unlock or restore the data—is not a new phenomenon. Recently, though, ransomware attacks have become increasingly common and increasingly sophisticated, with hackers not only locking but also stealing the data. For targets and victims of these attacks, this is a worrying trend with potentially costly implications, although options remain for dealing with such threats.
Significant ransomware incidents were being reported as early 2005,1 and the FBI has been warning about them for years.2 Indeed, between 2015 and 2016, the FBI noted a 300% increase in the number of ransomware attacks,3 although numbers in 2017 and 2018 appeared to stabilize or even decline as other forms of attack became more prominent.4
In the past, the FBI has not advised victims of ransomware attacks to pay the demanded ransoms.5 Instead, standard advice has been to focus on prevention of and preparation for attacks, with a particular emphasis on backups (ideally offline) and incident-response plans so that affected companies would be able to discover attacks promptly, isolate infected systems quickly after discovery, and then restore to recent back-up states, seeking to minimize any impacts on business continuity.6 In other words, well-prepared entities could simply ignore ransom demands in many instances, as paying to restore infected systems was unnecessary.7
Now, however, as we enter 2020, ransomware attacks have resurfaced as a key threat to entities and individuals across the world, and even well-prepared victims may no longer be able to ignore ransom demands. A 2019 McAfee report, for example, indicated that ransomware incidents had more than doubled since 2018, with hackers employing ever more sophisticated and more costly forms of attack.8 Likewise, a recent FBI announcement noted that "[r]ansomware attacks are becoming more targeted, sophisticated, and costly, [. . . with] the losses from ransomware attacks hav[ing] increased significantly . . . ."9
Even more recently, the FBI has warned of a particularly nefarious ransomware attack, known as Maze, which not only encrypts the data on infected systems but exfiltrates it, as well.10 This poses a double threat, as the Maze hackers can now negotiate with both the proverbial "carrot" (the offer to restore affected data in exchange for payment) and the proverbial "stick" (the warning that exfiltrated data will be released if ransom is not paid). In fact, Maze hackers are already employing this additional "stick" approach, having created a public webpage listing company names and corresponding websites for eight victims that have declined to pay a ransom.11
Unfortunately, these eight victims are unlikely to be the last. Indeed, other recent attacks were already using similar techniques,12 while Maze itself is relatively new and might just be getting started. According to Bleeping Computer, Maze has been operating since early 2019 but has only recently begun targeting U.S. companies, with the FBI having "first observed Maze ransomware activity against US victims in November 2019."13 Of course, other hackers and ransomware attacks will almost certainly follow, particularly if Maze is successful in forcing even a small number of its victims to pay.
Implications and Options
With this reemergence and evolution of ransomware, it is now more important than ever for governments, businesses, and even individuals to assess and implement both prevention and preparation strategies for dealing with cybersecurity threats. And, as those threats become more comprehensive, the corresponding strategies must become more comprehensive, as well.
For example, although some businesses might already have been required to report ransomware incidents as data breaches,14 others have been able to take the position, at least in some cases, that a traditional ransomware attack does not constitute a data breach under various state and federal laws when it merely encrypts but does not exfiltrate or otherwise compromise the affected data.15 A business suffering a Maze or similarly designed ransomware attack, however, will need to reconsider its breach-reporting obligations in this new context, and, with Maze's exfiltration of data, it might no longer be possible to argue that data affected by such ransomware was not compromised in a material way.
A victim of a Maze attack will also need to consider, among other things, whether to pay the demanded ransom. Of course, if hackers are merely threatening to disclose the fact that a breach has occurred, a victim might be able to moot that threat with a voluntary breach notification, even if none is legally required, and backups might be used to restore affected systems without needing anything from the hackers.
If, however, the hackers are also threatening to dump the data itself (as they are now doing), then businesses will need to weigh the potential options and risks very carefully, preferably with the advice of legal counsel and a thorough understanding of the categories and the sensitivity of the specific data at issue. Costs and risks of paying a ransom include not only the direct financial cost of the payment but also the risk that a payment will make the business an enticing target for copycat hackers and the risk that the hackers will not restore the data even after payment is made. On the other hand, the costs and risks of not paying a ransom could include essentially a second breach, with the original hackers exposing some or all of the business's sensitive information to other hackers, identity thieves, and bad actors.
A victim of a Maze attack might also want to consider a more offensive approach, including possible legal action. In a recent example, Southwire Co., LLC, one of the nation's largest wire manufacturers, was hit with a Maze attack on December 9, 2019.16 After self-quarantining and shutting down its network, the business was apparently able to restore operations to normal within two or three days,17 and, perhaps as a result, Southwire refused to pay the demanded ransom of roughly $6 million in Bitcoin.18 In response, the hackers posted a subset of the roughly 120GB of stolen data on a publicly available website.19
Southwire, however, decided to push back, filing a complaint against the anonymous hackers in the U.S. District Court for the Northern District of Georgia, seeking (among other things) to enjoin publication of the stolen data and to recover monetary damages.20 Presumably, Southwire will also use the discovery tools available in litigation to seek information from the domain registrar that hosts the website on which the stolen data has been posted.21 It remains to be seen how successful this approach will be, but litigation (even against anonymous actors) is certainly worth considering in response to a Maze or similar ransomware attack.
Data privacy and security threats continue to evolve, and potential targets will need to continue to evolve with them. Right now, governments, businesses, and individuals should be particularly wary of Maze and similar ransomware attacks, and they might want to reassess older analyses in light of the new double threat posed by such attacks. More broadly, though, they should continue to develop comprehensive prevention and preparation strategies for dealing with a variety of threats in the current environment, and, if attacked, they should consider litigation as one possible avenue of relief.
1. Susan Schaibly, "Files for ransom," Network World (Sep. 26, 2005), https://www.networkworld.com/article/2314306/files-for-ransom.html (accessed Jan. 10. 2020).
2. "Incidents of Ransomware on the Rise," FBI News (Apr. 29, 2016), https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise (accessed Jan. 10, 2020) (reporting significant increase of ransomware attacks in 2015 and first three months of 2016).
3. "Ransomware Prevention and Response for CISOs," FBI (2016), https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view (accessed Jan. 10, 2020).
4. Fred Donovan, "Despite Flashy Attacks, Healthcare Ransomware Attacks Decline," HealthITSecurity (Jul. 23, 2018), https://healthitsecurity.com/news/despite-flashy-attacks-healthcare-ransomware-attacks-decline (accessed Jan. 10, 2020).
5. "Ransomware Prevention and Response for CISOs," supra.
7. See, e.g., Mark Brunelli, "Hacked MUNI refuses $73,000 ransom demand, recovers files from backup," Carbonite (Nov. 29, 2016), https://www.carbonite.com/blog/article/2016/11/hacked-muni-refuses-$73000-ransom-demand-recovers-files-from-backup (accessed Jan. 10, 2020).
8. Jessica Davis, "Ransomware Attacks Double in 2019, Brute-Force Attempts Increase," HealthITSecurity (Sep. 3, 2019), https://healthitsecurity.com/news/ransomware-attacks-double-in-2019-brute-force-attempts-increase (accessed Jan. 10, 2020).
9. "HIGH-IMPACT RANSOMWARE ATTACKS THREATEN U.S. BUSINESSES AND ORGANIZATIONS," FBI Alert Number I-100219-PSA (Oct. 2, 2019), https://www.ic3.gov/media/2019/191002.aspx (accessed Jan. 10, 2020).
10. Ionut Iloscu, "FBI Warns of Maze Ransomware Focusing on U.S. Companies," Bleeping Computer (Jan. 3, 2020), https://www.bleepingcomputer.com/news/security/fbi-warns-of-maze-ransomware-focusing-on-us-companies/ (accessed Jan. 10, 2020).
11. Brian Krebs, "Ransomware Gangs Now Outing Victim Businesses That Don't Pay Up," KrebsOnSecurity (Dec. 16, 2019), https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/ (accessed Jan. 10, 2020).
12. See, e.g., Fahmida Y. Rashid, "MAZE TURNS RANSOMWARE INCIDENTS INTO DATA BREACHES," Decipher (Dec. 11, 2019) ("The group responsible for the RobbinHood ransomware infection that crippled Baltimore in May also stole files. The screenshots of some of the files were posted on a Twitter account to encourage city officials to pay."), https://duo.com/decipher/maze-turns-ransomware-incidents-into-data-breaches (accessed Jan. 10, 2020).
13. Iloscu, supra (quoting FBI Flash Alert, Dec. 23, 2019).
14. See, e.g., Jessica Davis, "Experts: There's no gray area with ransomware breach reporting," HealthcareITNews (Jun. 20, 2017), https://www.healthcareitnews.com/news/experts-there%E2%80%99s-no-gray-area-ransomware-breach-reporting (accessed Jan. 10, 2020).
15. See, e.g., Mary Beth Versaci, "Data breaches unlikely in August ransomware attack," ADANews (Oct. 7, 2019), https://www.ada.org/en/publications/ada-news/2019-archive/october/data-breaches-unlikely-in-august-ransomware-attack (accessed Jan. 10, 2020).
16. Jessica Saunders, "Reports: Southwire incident was ransomware attack seeking bitcoin worth $6M," Atlanta Business Chronicle (Dec. 17, 2019), https://www.bizjournals.com/atlanta/news/2019/12/17/reports-southwire-incident-was-ransomware-attack.html (accessed Jan. 10, 2020).
18. Kelly Sheridan, "Ransomware Victim Southwire Sues Maze Operators," DarkReading (Jan. 3, 2020), https://www.darkreading.com/threat-intelligence/ransomware-victim-southwire-sues-maze-operators/d/d-id/1336719 (accessed Jan. 10, 2020).
20. Southwire Co., LLC v. Doe, Case No. 3:19-cv-00189-TCB (N.D. Ga.) (Compl. filed Dec. 31, 2019), available at https://www.documentcloud.org/documents/6595459-Complaint.html (contributed by Lawrence Abrams, Bleeping Computer) (accessed Jan. 10, 2020).
21. See ibid. (Compl. ¶ 5.)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.