
Be careful when considering payment after ransomware attack, lawyers warn
Thursday, December 02, 2021 @ 10:30 AM | By Ian Burns
The phenomenon of taking something and holding it for ransom has moved far beyond kidnapping crusading kings or the sons of famous aviators to one where information and data is the brass ring to reach for. And legal experts are saying there are a number of factors that companies must consider before deciding to pay to get their data back.
Ransomware cyberattacks involve the theft of data from a business or government, in which a company’s information is encrypted by malicious actors who demand payment for access to a decryption key which will unlock the data. Large-scale attacks have captured the attention of many people over the past few months, such as the Colonial Pipeline attack in May which crippled energy supplies in the United States for several days and led to a $4.4-million payment to restore the pipeline’s operations.
Stephen Mathezer, field chief technology officer and principal at cybersecurity company iON United, said there are two primary ways by which malicious actors gain access to a business network — either by obtaining usernames and passwords, whether stolen from other websites or simply guessed, or through the well-known phenomenon of “phishing,” where an attacker sends a fake message designed to trick a user into entering sensitive information or downloading malicious software onto their computer. From that point, they have an initial foothold and then try to get administrator privileges on a computer or a network.
“Then it gets a little more interesting,” he said. “Attackers today especially are going to be looking for things like your ability to pay and what your most sensitive data is. They will also steal as much data as they can, delete backups as much as they can and then encrypt ransomware to your whole environment at once — and it will all happen very quickly.”
Mathezer’s comments came as part of a webinar on ransomware held by law firm Fasken on Nov. 30. And lawyers participating in the webinar noted that a complex web of considerations comes into play after a cyberattack, such as whether a company should acquiesce to the other side’s demands and what legalities they have to be aware of — because they are often dealing with significant time constraints.
There is no law on the books in Canada which says “thou shalt not make a ransom payment ever,” but Fasken counsel Clifford Sosnow noted there are “layers upon layers” of laws that a person must take into account before pulling the trigger on making a payment, such as trying to determine whether the money will be used to fund terrorist groups or be sent to a country which is facing Canadian sanctions.
“The key trigger here is whether you knowingly made payments to those organizations. And knowingly means you can’t just put your hands over your eyes, say you can’t wait and make the payment right away,” he said. “You need to step back and do some thinking as to what you have done which is reasonable to respond to those concerns. Knowingly simply means you’ve done whatever reasonable due diligence you can in the circumstances, and you have taken steps to identify who is on the other end.”
Sosnow’s colleague Darren Reed said that, from a legal perspective, what he tries to do after a ransom incident is quickly get the right technical support in place and gather the right information to assess what has been taken and whether a ransom should be paid. But he added that one thing he does not do is make a recommendation on whether to pay or not to pay.
“If we know it is part of an illegal act, we certainly can’t counsel an offence, but if at the end of the day it is inconclusive or likely to not be illegal, then that is a business decision on the part of the client who has to weigh the risks to them,” he said. “From a legal perspective I view my role as ensuring the client gets the right advice from the right places.”
But there is no guarantee that if you do pay you will get your data back, said Reed.
“It depends on how important the bad actors’ reputation is to them,” he said. “You may pay a ransom. It may not result in anything, in the sense that you might get decryptor keys that may not work and may lie to you and still release the information.”
And Sosnow said enforcement authorities generally take the view that a person or company shouldn’t pay a ransomware demand “because the more you pay the more you establish yourself as one who is willing to pay.”
“And from my perspective sooner or later you are going to hit a threat actor to whom payment is a violation of the law,” he said. “Even if you do get your data which has been unlocked, all of a sudden you have become an easier target the next time around.”
If you have any information, story ideas or news tips for The Lawyer’s Daily please contact Ian Burns at Ian.Burns@lexisnexis.ca or call 905-415-5906.