So you thought only companies like Microsoft and Google had terms of service. Apparently that is not the case.
I keep talking about the horror of ransomware 2.0, where hackers steal the data before they encrypt it and threaten to publish it if you don’t pay.
That means backups alone are not sufficient to protect you.
Now one of the first players to use ransomware 2.0 against victims is upping the ante by creating terms of service like a legitimate software provider.
Here are their terms:
- If you do not respond to their attack within 3 days, they will publish on their website that you have been hacked. They say that if you don’t start communicating within 3 days, you only have yourself to blame.
- They say that negotiating means dialog and finding the “best” solution for both parties. If the “client” is too shy, scared or just can’t negotiate, that is, they say, exclusively the client’s problem.
- They say that if you can’t figure out how much it is going to cost you to recover without them, they will help you: it will cost you over 10 million dollars. Not sure how they came up with that number, but there you go.
- If the “client” fails to start communication, they will start to publish the data. After 10 days they will publish all of the data. I suspect this is due to victims stringing them along. Maybe they figure that if they are not going to get paid, causing pain may get other people to see things differently. If you see your competitor’s data laid out on the Internet and then you get hit, you are probably more likely to pay.
- Once they start publishing the victim’s data they will start notifying regulators, customers of the victim and partners of the victim. Every state has a privacy law. If the data that they publish includes personal data of California residents, you can almost guarantee that you will get sued.
All of this is likely intended to put a lot of pressure on victims to pay. As companies improve their backups and business continuity programs, they have become less likely to pay, even though many high profile companies have paid, many of them silently. Many of them have paid millions of dollars each.
Ultimately, you need to do your best to keep the hackers out. That is the best solution. If you need help, let us know.
Here is a screenshot of their terms of service. I am not clear whether their bad English is an act; likely it is, so just ignore that.