To Pay or Not to Pay: Responding to Ransomware From a Lawyer's Perspective
Beth Burgin Waller
Ransomware has grown an additional gnarly tentacle: data extortion. It was gruesome enough when threat actors merely encrypted data in place, but it has morphed and added data extortion to the mix. Cases are emerging with a two-part payload of data encryption and data exfiltration, where data is encrypted in place while a small portion of unknown data is ferried offline under the threat of publication. (Or, in the case of cybercriminal organizations such as the now defunct Maze group, actual publication of a portion of the data — with threats to publish more on the way.)
In previous ransomware scenarios, an organization just had to decide whether to pay a ransom to get the key to decrypt the data. But now it must consider making what is essentially a "forever promise" with a criminal organization. The threat actors are demanding payment in exchange for alleged proof that they deleted the data. In practice, they are saying "trust us" to delete data that they previously threatened to publish. It's not a great situation to find yourself in.
Having lived through this several times with my clients, I have learned some immediate tactical...