Why Not Hold Ransomware Attackers Hostage for a Change?
Right now, companies are, for the most part, sitting ducks when it comes to ransomware. Sure, they can do things to harden their security; mitigate the problems of phishing and malware, back up their data for ultimate recovery and enhance their incident response program.
There are also some things they can do to make their environment less vulnerable to ransomware, including internal segmentation, heterogeneity and virtualization. They can also take certain actions aimed at ransomware inoculation or dissection—to convince the ransomware not to lock the files, or to unlock the files themselves.
From a legal perspective, ransomware prevention has focused on requiring those entities connected to data or on the company’s supply chain to take reasonable steps to prevent or mitigate ransomware, having contracts or agreements with cryptocurrency providers, threat intelligence companies, forensic investigators, or other IT providers (e.g., backup and restoration) to be prepared for ransomware and to have comprehensive insurance that covers data restoration and recovery, ransomware and extortionware and ransomware payments and related costs.
Other “legal” things a company can do are establish relationships with the FBI and other law enforcement agencies (wherever you do business), ensure that you are complying with money laundering and money transfer agent laws and regulations and apply for any licenses that might be required by the Treasury Department’s Office of Foreign Asset Control (OFAC) to permit ransomware payments. A prepared company will have engaged appropriate public relations and crisis management companies to help limit the impact of either ransomware or extortionware. Finally, a general counsel should also look into the specific laws and regulations concerning ransomware or extortionware prevention and response (including laws like privacy, negligence and contractual requirements, etc.) that apply to the industry and locality. All pretty standard stuff.
But what happens in the case where you are able to identify—either by name, location, computer, IP address, MAC address or otherwise—the individual(s) responsible for the ransomware, extortionware or electronic demand for payment? Right now, a ransomware victim has few options. One: Pay the ransom. Two: Don’t pay the ransom and restore/rebuild. Or, three: Choose option one or two but work with law enforcement in the hope that the perpetrator will be caught and prosecuted. The real-world law offers another option. A form of self-help, you could say. Why not ransomware the ransomware purveyors?
In many cases, the law permits what is called “prejudgement attachment.” In a prejudgement attachment, a litigant making a claim against a person, property or money can—with appropriate supervision—simply “take” the thing they want pending the ultimate outcome of the case. This is particularly true where the item will tend to dissipate or was obtained by fraud.
In a prejudgement attachment case, the person seeking the remedy will apply to a court, (with or without notice to the other party) explain why they think they are entitled to both the ultimate remedy and a writ of attachment (why they can’t wait until the end of the case to get a judgement). Thus, a plaintiff can either take money from someone’s bank account or simply order that the bank account be locked while the case proceeds to prevent the defendant from dissipating the asset (take the money and run).
To prevent abuse of this power, the court can (and often does) require the party seeking prejdgement attachment to post bond—put up some money or collateral—to pay damages to the party whose assets have been attached—in case it is determined that they are not entitled to the remedy. So, the core elements of prejudgement attachment are: One, a showing of a right and the need to get the remedy now; two, a court order and three, a posting of bond for damages if you are wrong.
Now, let’s apply this basic premise to ransomware/extortionware. One unusual aspect of ransomware and extortionware is that the threat actor must, by definition, communicate with the victim. That’s how they get paid. The communication may be direct (e.g., IRC chat) or indirect (e.g., the ransomware simply displays a cryptocurrency wallet into which ransom must be paid). Even where there is an indirect communication with the threat actor, at some point, the threat actor should (hopefully) either unlock the files (remotely?) or provide the unlock keys. Again, these are points where the threat actor (or their machines) might be identified. A ransomware/extortionware victim engages a threat intelligence company or forensic company to identify the IP address or other identifying information about the threat actor. Maybe it actually is the threat actor (unlikely) or maybe it’s an IP address used as a proxy for a proxy for a TOR for a VPN for a proxy. Who knows? But some electronic source or facilitator is identified.
This is where the “prejudgement attachment” comes in.
The ransomware victim would apply to a court for an order permitting prejudgement attachment of the electronic space. Just as you can “seize” and “lock” a bank account, the court would permit the victim, upon making a specific showing and posting an appropriate bond, to—on their own—lock up the thing/place/domain/account that was responsible for or facilitated the ransomware attack. In essence, use ransomware to prevent access to the domain/account. The promulgation of the ransomware attack, which would ordinarily violate the computer crime statute (18 USC 1030) would be permitted because of the court order and supervision, just as freezing or taking a bank account under prejudgement attachment is not theft. The “defensive ransomware” would include a simple and direct mechanism for its removal. It would say something like, “This domain/account has been ordered seized and locked by the United States District Court for the District of Whatchamacallit. To unlock this domain, provide your name, address, phone number, photograph, DNA sample, etc., to the clerk of the court at [email protected]. If the website or domain or account that is “locked” is that of an innocent third party, the entity that did the locking will be liable for damages, but those damages can be mitigated by a simple procedure for unlocking.
The idea is, once you show that an entity is facilitating ransomware, you can lock it remotely, forcing them to at least reveal themselves enough to request an unlock. It’s a form of controlled self-help with a remedy for those impacted. The requirement of bond and payment of damages will limit (maybe) the abusive use of this tool and encourage any tools developed for this form of offensive cyberwarfare to be properly controlled and narrowly targeted. The same is true for the ability to rapidly unlock an improperly locked device, data, domain, etc.
It’s not a panacea, but it is a start. A tool. And it’s slightly better than sitting around waiting for the ransomware attacker to unlock you. It provides judicial oversight, remedies and self-help. And, of course, the satisfaction of demanding ransom from the bad guys.
