Should organizations extorted by ransomware gangs pay their attackers?
It’s a question that cuts to the heart of ransomware response. Some take what might be viewed as a pragmatic stance and say there is no right or wrong answer, and organizations should be free to make their own decision.
On the other side is a growing chorus—including from government agencies such as the FBI and a handful of U.S. states that want to outlaw payments—who take the opposite view, arguing that giving in simply fuels more attacks in the long run.
Now an extraordinary legal case has added a new twist—a victim whose private data was breached during a ransomware attack is suing an organization to force it to pay the attackers against its will.
The attack by the Russian BlackCat (or ALPHV) gang on Pennsylvania-based Lehigh Valley Health Network (LVHN) happened in February, after which the organization said it had refused to pay a ransom later revealed in a legal statement to be in excess of $5 million.
But this was no run-of-the-mill data breach; among the personal data stolen during the attack were naked photographs of 2,760 patients being treated for breast cancer, some apparently searchable by name.
The leak also exposed Social Security numbers, driver’s license numbers, questionnaires, medical diagnoses, lab results and even passports revealing patient identities.
Predictably, these were subsequently leaked to the dark web, presumably to draw attention to the organization’s refusal to pay the ransom. A terrible outcome all around, but this is where the issue of LVHN’s non-payment became more fraught.
After being told she was one of those whose images had been leaked, a patient identified only as ‘Jane Doe’ is now suing LVHN to compel it to pay the ransom in a bid to have the images removed from public view. As her lawyer told the Wall Street Journal:
“She’s afraid [people] are going to show up at her place of employment, someone is going to put together that it’s her, download them, joke about it at work. She is going to have this in the back of her mind as long as these images are on the internet.”
“Every day this case remains unresolved is another day that nude images of (Jane Doe) and other class members remain available for download from the dark web. Indeed, the hackers have indexed the data and it can be searched using patient and/or employee names.”
The case raises a lot for the lawyers to argue over, including the contentious issue of whether the images should have been taken and stored at all.
However, on the specific issue of forcing LVHN to pay the ransom, the suit looks to be on shaky ground. As the WSJ points out, paying a ransom would likely breach 2021 guidance issued by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), which warns that payments to sanctioned parties can expose the payer to penalties. The fact that the payment would be to a Russian threat actor only reinforces this.
More fundamentally, once images have been leaked, they cannot be retrieved, even if a ransom payment were to be made; at best, the attackers promise to delete their own copy, and nothing stops anyone who has already downloaded the data from keeping or re-sharing it. There is no way of telling whether paying earlier would have avoided the images being leaked at some point. But now that they are in the public domain, the issue is moot.
This is the hidden cost of breaches that can persist for years or decades after an incident: data only needs to be stolen once to be stolen forever.