Public statements around the REvil hacking have thrown up questions
As we all know, cyberattacks are the preserve of criminals and should be discouraged. People have found themselves in jail because of the attacks they carry out against key IT infrastructure around the world. But just how serious a crime is hacking into someone’s network?
The question is being posed – and potentially answered – by the case of REvil. The hacking group claims to have stolen 756 gigabytes of data from law firm Grubman Shire Meiselas & Sacks, including details of contracts signed by the likes of Madonna, Bruce Springsteen, Run DMC, and Donald Trump – the current president of the United States.
The REvil group set a mid-May deadline for payment of a $21 million ransom to unlock the files and delete them. That deadline has now passed, and the amount the law firm is expected to pay if it doesn’t want the data released has doubled to $42 million.
Lady Gaga data released to show they mean business
To show it meant business, the hacking collective released around two gigabytes of data relating to contracts signed by pop star Lady Gaga, and threatened to release further information if the ransom wasn’t paid.
“There’s an election race going on, and we found a ton of dirty laundry on time,” the group wrote on the dark web. “Mr Trump, if you want to stay President, poke a sharp stick at the guys, otherwise you may forget this ambition forever.”
“To you voters, we can let you know that after such a publication, you certainly don’t want to see him as President. Well, let’s leave out the details. The deadline is one week.”
The inclusion of Trump’s information – and the threat to release it if the ransom isn’t paid – has potentially triggered an upping of the stakes.
A crime, but how big a crime?
Illegally accessing servers and networks and stealing data from them to extort the original owners is a crime by anyone’s estimation. But the question being asked now – and one raised by the law firm that fell victim to the hack attack – is how serious a crime is it?
A spokesperson for the company said that “The leaking of our clients’ documents is a despicable and illegal attack by these foreign cyberterrorists who make their living attempting to extort high-profile US companies, government entities, entertainers, politicians, and others.”
Describing the hackers as terrorists, after liaising with the FBI, was a major move, and one that potentially ups the risks for the hackers if they are caught. Both sides now appear to be in an intractable stand-off.
“We have been informed by the experts and the FBI that negotiating with or paying ransom to terrorists is a violation of federal criminal law,” the spokesperson added. “Even when enormous ransoms have been paid, the criminals often leak the documents anyway.”
Terrorist threats fly, then are rescinded
It appears the law firm may have been overegging the impact as a result of the insult and injury caused. While its statement was released after the company spoke to the FBI, the law enforcement agency itself said that, in its view, the hackers wouldn’t meet the definition of terrorists.
“Unless the FBI determines the Ransomware was deployed by a designated terrorist organization or nation state, the FBI treats Ransomware investigations as criminal matters,” the statement read.
Regardless, some have seen the argument the other way. If a group is threatening to release information incriminating to the most powerful man in the world, and an elected politician, is it not a terrorist threat? At what point does Donald Trump cease being an individual and instead become a figurehead for a state? If the hackers are ever identified and arrested, law courts could soon find themselves tussling with those questions.