Clearhouse
Ransomware Payment: Legality, Logistics, and Proof of Life
Part One: Background and Reality
Publication Date: September 12, 2017 

Cybersecurity expert John Reed Stark has authored a three-part series of white papers offering guidance for boards of directors on the legal issues, logistical considerations and financial implications of responding to ransomware threats.

In the 2000 American thriller film Proof of Life, the title refers to a phrase commonly used to indicate proof that a kidnap victim is still alive. As an expert negotiator in kidnapping cases, Terry Thorne, played by Russell Crowe, is engaged to bargain for a corporate kidnap victim's safe return. Proof of Life's screenplay was partly inspired by Thomas Hargrove's book The Long March to Freedom, which recounts how the release of the once-kidnapped Hargrove was negotiated by Thomas Clayton, the founder of kidnap-for-ransom consultancy Clayton Consultants, Inc.

The film Proof of Life is not just a compelling narrative – its premise and main character also provide some useful insights into managing the emerging threat of ransomware. Ransomware, a special and more nascent type of malware, prevents or limits users from accessing their data by locking system screens or user files unless and until a ransom is paid.

Just like Clayton Consultants, the team advising a ransomware victim company (whether the victim is a hospital or global corporate conglomerate) must employ a thoughtful, careful and methodical protocol to survive the ransomware crisis. Like any hostage situation, when a cyber-attacker locks up critical data files the logistics and legalities of ransomware refusal, acquiescence or capitulation can be both elaborate and complicated.

To make matters worse, seeking law enforcement help for a ransomware attack unfortunately remains a very limited option. First, law enforcement has become inundated with ransomware reports and lacks the resources and wherewithal to assist victims. Second, most of the ransomware attackers are overseas, where merely obtaining an electronic evidence or interviewing a witness—let alone successful extradition and prosecution—are rarely possible. Finally, ransomware demands are often at monetary levels in the hundreds or thousands of dollars – too small to warrant federal law enforcement consideration and clearly outside of the jurisdiction of local law enforcement.

Thus, it should come as no surprise that a significant number of ransomware victims opt to pay the ransom. When padlocked files are business-critical (e.g., an important intellectual property formula); when encryption cannot be defeated (no matter how good the code-breaker) or when time is of the essence (e.g., when patient data is needed for life-saving surgery), paying the ransom can become the proverbial best worst option. Moreover, the typically de minimus ransomware payment demands (on average, about $679) are more akin to a financial nuisance than a material fiscal line-item, so from a cost-benefit perspective, payment can make the most sense.

This three-part series of articles provides guidance on the legal issues, logistical considerations and financial implications when managing ransomware threats, including an exposition of the unique issues which can arise when seeking proof of life and opting to meet the monetary demands of ransomware attackers.

Part One provides the keys to understanding the impact of recent ransomware strains, including a discussion of the nature and growth of ransomware; the dangerous aspects of some recent ransomware attacks; and the role (or lack thereof) of law enforcement when managing a ransomware attack.

Part Two will examine the intricacies involved in ransomware response including ransomware investigative tactics, ransomware payment logistics, and the legalities of ransomware response.

Part Three will cover the remaining range of key ransomware essentials including: notification requirements, ransomware remediation, and ransomware cyber insurance.

Read Part One of Ransomware Payment: Legality, Logistics, and Proof of Life >>

***

John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of, "The Cybersecurity Due Diligence Handbook," available as an eBook on Amazon, iBooks and other booksellers.