Tag Archives: Ransoms

The Challenges of Ransomware 2.0

The Finland-based psychotherapy group Psychotherapy Center Vastaamo may need some therapy itself.

The company says hackers broke into its network somewhere between late 2018 and early 2019.

Just this month it came out that the company, which has more than 20 offices and roughly 300 therapists, may have lost the records of about 40,000 patients, some of them high profile. The hacker(s) first tried to extort the company itself for roughly half a million dollars, and the company did not pay.

So the hackers posted the clinical records of about 300 patients on the dark web as a demonstration, then turned to the patients themselves, demanding 200 to 500 euros from each in exchange for not publishing their file.

The Finnish equivalent of the FBI, the National Bureau of Investigation, says not to pay.

That is easy for them to say.

What people tell their therapists is sometimes not great for public consumption.

It can get you fired.

It can get you divorced.

It can end your political career.

Some people even commit suicide.

It can cost you tens, if not hundreds, of thousands of dollars, so paying a 500-euro ransom can seem reasonable even though it buys only a promise: the extortionist still holds the file and can come back for more.

I asked one of my friends at the FBI what his thoughts are and I will update this post when I hear back.

Some people will decide the risk is not worth it and forgo mental health support or other treatment, or will withhold the truth, or the whole truth, from their clinician.

It is certainly worth asking a provider about its security, but the odds of getting a meaningful answer are close to zero. After all, doesn't every company say it cares about your data, right after it gets hacked?

Until the financial equation changes, the problem is unlikely to be solved, in part because strong security is inconvenient. In this case the breach involves health data, a special category under GDPR, and the failure to protect it is likely to draw a large fine.

I am not sure what it will take.

The Defense Department has one strategy: it is beginning to require that its contractors be certified by a third-party assessor (the CMMC program). No certification, no contract. That could be effective. Credit: The Register

Is It Okay to Pay a Ransomware Demand?

The FBI has said for years that paying a ransomware demand is a bad idea: it rewards the attackers and funds their next campaign.

But last week the decision got harder when the Treasury Department said it would add ransomware operators connected to terrorist organizations to the Specially Designated Nationals (SDN) list, the list of people and organizations Americans are prohibited from doing business with. The list is maintained by OFAC, the Office of Foreign Assets Control.

That makes paying a ransom to one of these organizations a federal crime, punishable by up to 20 years in prison and/or a $1 million fine, or by civil penalties of up to $55,000.

The penalties apply not only to the victim company trying to get its systems back but to anyone who facilitates the payment: law firms, insurers, banks, incident-response and negotiation firms, and anyone else in the chain between the victim and the hackers.

Most people understand that paying is a bad idea, but when the choice is between paying and watching the firm close, many companies hold their noses and pay. A recent survey of 5,000 IT professionals found that 26% paid a ransom, and nearly all of them got their data back. Executives have to answer to customers, employees, investors and the public. It is not an easy call.

One challenge, if you do plan to pay and would rather not spend the next 20 years as a guest of Uncle Sam (unlikely, but possible), is figuring out whether the particular group you are paying is on the SDN list. Attackers do not hand over a Social Security number you can look up. What you have is a ransom note, a malware family and a payment wallet address, and since OFAC's list does carry named groups and some cryptocurrency addresses, those are what you screen.
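A screening step for the wallet-address and group-name problem just described, as an added example that is not code from the original post or from OFAC. It assumes the element layout of OFAC's published sdn.xml feed (sdnEntry, akaList, idList, idType, idNumber); the XML fragment, entity names, program code and wallet addresses inside it are constructed for illustration and are not real sanctions data.

```python
"""Screen a ransomware payment against an OFAC SDN-style list.

Added example, not code from the original post or from OFAC. The XML below is a
CONSTRUCTED fragment imitating the layout of sdn.xml; names, uids, addresses and
program codes are made up. In practice, download the current list from
treasury.gov and re-screen immediately before any funds move.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample (not real data). The xmlns matches sdn.xml, but the parser
# strips namespaces, so a differently-namespaced feed still works.
SAMPLE_SDN_XML = """<sdnList xmlns="http://tempuri.org/sdnList.xsd">
  <sdnEntry>
    <uid>90001</uid>
    <lastName>EXAMPLE RANSOM CREW</lastName>
    <sdnType>Entity</sdnType>
    <programList><program>CYBER2</program></programList>
    <akaList>
      <aka><uid>1</uid><type>a.k.a.</type><lastName>EXAMPLE LOCKER</lastName></aka>
    </akaList>
    <idList>
      <id><uid>2</uid><idType>Digital Currency Address - XBT</idType>
          <idNumber>1SampBtcAddrForScreeningTestsXyzAbc</idNumber></id>
      <id><uid>3</uid><idType>Digital Currency Address - ETH</idType>
          <idNumber>0xABCDEF0123456789ABCDEF0123456789ABCDEF01</idNumber></id>
    </idList>
  </sdnEntry>
</sdnList>"""


@dataclass(frozen=True)
class SdnHit:
    entity: str      # primary name of the listed party
    program: str     # sanctions program code on the entry
    matched_on: str  # the alias or address that produced the match


def _local(tag: str) -> str:
    """Drop the XML namespace so lookups use bare element names."""
    return tag.rsplit("}", 1)[-1]


def normalize_address(address: str) -> str:
    """Canonicalise an address so a change of letter case cannot dodge the match.

    Ethereum hex and bech32 (bc1...) addresses are case-insensitive, so they are
    lower-cased; legacy base58 Bitcoin addresses are case-sensitive and are
    compared exactly.
    """
    a = address.strip()
    low = a.lower()
    if (low.startswith("0x") and len(a) == 42) or low.startswith("bc1"):
        return low
    return a


def load_sdn_index(xml_text: str) -> Tuple[Dict[str, SdnHit], Dict[str, SdnHit]]:
    """Return (address -> hit, upper-cased name or alias -> hit) from SDN XML."""
    by_address: Dict[str, SdnHit] = {}
    by_name: Dict[str, SdnHit] = {}
    for entry in ET.fromstring(xml_text).iter():
        if _local(entry.tag) != "sdnEntry":
            continue
        top = {_local(c.tag): (c.text or "").strip() for c in entry}
        primary = top.get("lastName", "")
        program = next((e.text or "" for e in entry.iter()
                        if _local(e.tag) == "program"), "")
        for e in entry.iter():
            tag = _local(e.tag)
            if tag == "lastName" and e.text:
                # covers the primary name and every a.k.a. lastName
                alias = e.text.strip()
                by_name[alias.upper()] = SdnHit(primary, program, alias)
            elif tag == "id":
                fields = {_local(c.tag): (c.text or "").strip() for c in e}
                if fields.get("idType", "").startswith("Digital Currency Address"):
                    addr = normalize_address(fields.get("idNumber", ""))
                    by_address[addr] = SdnHit(
                        primary, program, f"{fields['idType']} {fields['idNumber']}")
    return by_address, by_name


def screen_payment(addresses: List[str], group_names: List[str],
                   by_address: Dict[str, SdnHit],
                   by_name: Dict[str, SdnHit]) -> List[SdnHit]:
    """Return every SDN hit for the wallet addresses and names in a ransom note.

    An empty result means 'no match against this copy of the list', not
    'cleared': groups rotate addresses and the list changes.
    """
    hits = [by_address[normalize_address(a)] for a in addresses
            if normalize_address(a) in by_address]
    hits += [by_name[n.strip().upper()] for n in group_names
             if n.strip().upper() in by_name]
    return hits


if __name__ == "__main__":
    addr_index, name_index = load_sdn_index(SAMPLE_SDN_XML)
    # Constructed ransom-note details: the listed ETH address in a different
    # letter case, an unlisted bech32 address, and a listed alias as the group name.
    for h in screen_payment(["0xabcdef0123456789abcdef0123456789abcdef01",
                             "bc1qunlistedexampleaddress"], ["Example Locker"],
                            addr_index, name_index):
        print(f"BLOCK: {h.entity} [{h.program}] matched on {h.matched_on}")
```

A hit is a hard stop. An empty result only says this snapshot of the list did not match, so re-screen against a fresh download right before payment and keep the screening record: a documented, risk-based compliance process and prompt self-reporting are mitigating factors in OFAC's enforcement guidance.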

Another challenge executives face is ransomware 2.0, the variant in which the hackers first steal your data and then threaten to publish or sell it if you do not pay. Backups, which defeat classic encrypt-only ransomware, do nothing once the data has already been copied out; there is no good defense at that point other than having kept the intruders out or caught the exfiltration early.

Most cyber-insurance policies contain a clause saying the insurer will not facilitate a crime, so if paying a particular ransom may be a crime, most insurers will decline to fund it.

However, that does not get the insurer off the hook: it still has to make you whole for the covered loss, even if rebuilding costs more than the ransom would have.

Now would be a good time to ask your insurer how it plans to handle this situation. OFAC sanctions are strict liability: you can be penalized even if you did not know the recipient was sanctioned, and the burden of showing you exercised due care is on you.

The feds would like you to report ransoms you pay, but for many companies the whole point of paying is to keep things quiet, even though staying quiet about a breach is, most of the time, illegal under breach-notification laws. Telling the FBI that you paid a ransom and notified neither the authorities nor the affected individuals is not a plan law enforcement will view favorably.

We are seeing many attacks on healthcare. Forcing a hospital to shut down or divert ambulances can kill patients. Even when the hospital keeps operating, care is almost always degraded, though hospitals will say everything is fine because they do not want to be sued. All of this in the middle of the worst pandemic in 100 years.

Unfortunately, other than keeping the attackers out in the first place, there are no good answers. I recommend working hard on that. Credit: The Record