U.S. victims of ransomware and malware are not chosen randomly. Although many black hat hackers are unaware that white hat activity is more lucrative and liberating, these malicious actors are anything but stupid.
Black hat hackers know which countries to reside in to avoid U.S. extradition orders in the rare event that they are caught. Using VPN tunnels, Tor browsers, the ability to disguise executable files, hiding in your recycle bin, becoming invisible, and transforming routine power commands into weapons, these individuals have created an international banking system to market their illicit goods. The early 2000s stereotype of a Mountain Dew fueled nerd “Rick Rolling” unsuspecting email victims with the 1987 Rick Astley music video “Never Gonna Give You Up” is gone (though it was, and still is, funny).
With ransomware, these same bad actors use U.S. state laws against their victims to extract a carefully calculated ransom payment. Specifically, here is how it is done:
1. Beginning with victim research, the bad actor knows from either malware or market estimates the victim’s ability to pay a ransom. Most of the factors considered can be easily guessed, such as business size and the type of information possessed. However, since the hackers were likely inside the network for days or weeks before executing the ransomware, they may also know the following:
- The policy limits on the cyber insurance and the term dates.
- The IT policy for backing up the network and the dates of the next regularly scheduled network maintenance.
- Plans and contracts to take the company public, refinance, or merge.
2. After initiating the ransomware, the hackers know the options available to their victims. By leaving distinct clues that data was exfiltrated before the ransomware was executed, hackers force their victims to choose between:
- Quietly paying for the encryption key (using insurance or other available funds) and getting the network back to normal operations by allowing either the in-house IT professionals or a third-party vendor (both operating under a non-disclosure agreement) to re-image all of the equipment, without the authorities or the public becoming aware.
- Restoring operations from backed-up data and starting the process of reporting the breach to the Attorney General offices of the states in which its consumers reside. For purely local businesses with no or very limited out-of-state clientele, this is not normally a herculean task. Timely and accurate reporting often avoids fines and further inquiry. And, if the victim has comprehensive cyber insurance, the credit monitoring services offered to the consumers whose personal data was stolen during the breach may be covered.
3. With victims domiciled in states with strict and/or punitive privacy and breach laws, bad actors know that they can charge an increased ransom amount if they have a credible reputation for staying silent once paid. If such a victim initially refuses the ransom demand, hackers then leverage the following types of laws:
- In New York, effective March 21, 2020, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) requires businesses holding New York residents’ private information to “develop, implement and maintain reasonable safeguards” for that data. Enforced by the New York Attorney General’s office through fines of up to $5,000.00 per violation, the law requires the implementation of reasonable administrative, technical, and physical safeguards (for example, consistent risk and vulnerability assessments). Additionally, N.Y. Gen. Bus. Law § 899-AA increased the maximum potential penalty for failure to follow breach notification requirements to $250,000.00 plus any “consequential financial losses.” Therefore, businesses with large customer bases in the state of New York could face not only breach fines, but also privacy fines for cybersecurity issues and for failing to report breaches timely and accurately.
- In Illinois, violations of its data breach reporting statutes are treated as violations of the Consumer Fraud and Deceptive Business Practices Act (815 ILCS 530/20). Such violations generally carry a maximum civil penalty of $50,000.00 per violation, plus an additional civil penalty not to exceed $10,000.00 for each violation involving a person over 65. And under its extremely harsh Biometric Information Privacy Act, any investigation into a company that stores an Illinois resident’s biometric information is frightening, as failure to strictly adhere to the written consent, collection, use, and storage standards carries hefty statutory penalties as well.
Accordingly, bad actors know the options: 1) pay the ransom and trust that the hacker will keep the matter quiet, so that neither the public nor the authorities learn of it; or 2) refuse the ransom, follow all state breach reporting requirements, and be prepared to respond to questions concerning the company’s cyber hygiene from the media, customers, and aggressive attorneys general.
As previously posited on LaCyberLawBlog, do not rush to pay the ransom.