The motivation behind ransomware attacks is generally financial gain. The hackers ‘break into’ a network or system and ‘steal’ data, and then hold that data ransom until a fee is paid.
This most recent global attack was allegedly engineered using Kaseya, a US based managed service provider. Kaseya remotely maintains customer networks, allowing for automatic updates and remote software management. As a managed service provider, Kaseya pushes out updates to its customers. The updates are generally intended to ensure or increase cyber security for the customers however, as a result of the ransomware attack, malicious software was pushed out instead of software protecting the clients.
REvil has allegedly sought US$70million in ransom – the largest known ransom demand ever. The hackers have stated that if the ransom is paid, they will provide a universal decrypter, allowing the victims an easier and faster path to recovery.
As at 8 July 2021, it is not clear whether Kaysea will pay the ransom demanded.
In Australia, the Australian Cyber Security Centre is looking into the attack and its implications in Australia and can be contacted for assistance with respect to his attack.
Lavan Comment – Legal Implications
Not all ransomware attacks are on this scale. Many small and medium sized businesses have been attacked and ransoms demanded. It is a reminder that these attacks are on the scale of the large and the small, the sophisticated and the unsophisticated. Regardless, wherever they occur, they are problematic, time consuming and, in one way or another, an expensive distraction from core business.
Not only are there commercial implications which flow from ransomware attacks (including the potential payment of any ransom, and the reputation damage which can occur), but there are potentially other important legal implications.
For example if you or your firm has been the subject of a ransomware attack, it is important that you determine whether any data taken is a ‘notifiable data breach’ under the Privacy Act 1988 (Cth). You may be under an obligation to disclosure such a breach, regardless of whether the ransom was paid, and regardless of whether the data was returned/recovered.
Lavan has previously reported on some of the lesser-considered risks of ransomware attacks and how companies can best prepare themselves. These recommendations remain pertinent, and a link to the publication is here: https://www.lavan.com.au/advice/cyber-and-data-protection/ransom-attacks-be-prepared.
If you have any questions in relation to Cyber Security or would like advice on Cyber and Data Protection or Cyber Law, please contact Iain Freeman.