Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/17/2020
02:00 PM
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

To Pay or Not to Pay: Responding to Ransomware From a Lawyer's Perspective

The threat of data extortion adds new layers of risk when determining how to respond to a ransomware attack.

Ransomware has grown an additional gnarly tentacle: data extortion. It was gruesome enough with threat actors encrypting data in place but has morphed and added data extortion to the mix. Cases are emerging with a two-part payload of data encryption and data extraction, where data is encrypted in place while a small portion of unknown data is ferried offline under the threat of publication. (Or, in the case of cybercriminal organizations such as the now defunct Maze group, actual publication of a portion of the data — with threats to publish more on the way.)

Related Content:

How Healthcare Organizations Can Combat Ransomware

The Changing Face of Threat Intelligence

The Double-Edged Sword of Cybersecurity Insurance

In previous ransomware scenarios, an organization just had to decide whether to pay a ransom to get the key to unencrypt the data. But now it must consider making what is essentially a "forever promise" with a criminal organization. The threat actors are demanding payment in exchange for alleged proof that they deleted the data. In practice, they are saying "trust us" to delete data that they previously threatened to publish. It's not a great situation to find yourself in.

Having lived through this several times with my clients, I have learned some immediate tactical considerations any organization must keep in mind before deciding how to respond to a ransomware attack.

1. Negotiate? If so, should you do it yourself or use a professional negotiation company? Even when you have logging in place, it may be impossible to discern exactly what the threat actor removed from the network. Even if the threat actor claims they took only a small portion of data, they often leave you guessing about what else they may have in their possession. Therefore, you're racing to determine what information may be dumped into the Dark Web. So, do you negotiate? This may be wise — even if you don't plan to pay — so that you can buy time to determine more about what information may have been lost. The decision to hire an outside negotiation company is really an incident-by-incident decision. Often, skipping the extra cost can be the best bet but it can be very circumstance specific. Work with your legal team on strategy before engaging an outside negotiation company.

2. Deleting the data doesn't alleviate your legal risks. Even if the threat actor deletes the data they exfiltrated from your network, this does not alleviate your legal responsibilities or risks. Generally, the law will look at whether the data was both "accessed and acquired" or, in the case of other statutes, accessed with some proof of misuse. Given that a threat actor has taken the data, there is no way to dodge the "acquired" component of the law. You are legally required to notify any individual whose information was taken — even if the threat actor deletes the data.

3. Will you pay? Or pay and face a sanction? The US Department of Treasury Office of Foreign Assets Control issued an advisory opinion on Oct. 1, noting that there are risks of sanctions associated with certain ransomware payments because ransoms often fund criminal activities. So, if you are considering making a ransom payment, analyze the issue thoroughly with counsel to make certain you do not jump from the frying pan into the fire.

Cyber data-extortion incidents are wicked. And because they are fraught with liability, it's best to work through these issues with your lawyer to cloak your investigation and actions with attorney-client privilege while navigating the legal risks associated with the extortion.

Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31828
PUBLISHED: 2021-05-06
An SSRF issue in Open Distro for Elasticsearch (ODFE) before 1.13.1.0 allows an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Alerting plugin's intended scope.
CVE-2020-18888
PUBLISHED: 2021-05-06
Arbitrary File Deletion vulnerability in puppyCMS v5.1 allows remote malicious attackers to delete the file/folder via /admin/functions.php.
CVE-2020-18890
PUBLISHED: 2021-05-06
Rmote Code Execution (RCE) vulnerability in puppyCMS v5.1 due to insecure permissions, which could let a remote malicious user getshell via /admin/functions.php.
CVE-2021-31793
PUBLISHED: 2021-05-06
An issue exists on NightOwl WDB-20-V2 WDB-20-V2_20190314 devices that allows an unauthenticated user to gain access to snapshots and video streams from the doorbell. The binary app offers a web server on port 80 that allows an unauthenticated user to take a snapshot from the doorbell camera via the ...
CVE-2021-31916
PUBLISHED: 2021-05-06
An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a syst...