Popcorn Time Ransomware: Pay Up or Infect Others

by John DiGiacomo

Partner

Data Breach

A new ransomware making the rounds offers victims a Hobson’s choice: Popcorn Time. The victim can either pay the ransom amount to regain access to his or her data, or pass the ransomware on to two unsuspecting colleagues. This latest twist on the already mischievous and inconvenient ransomware puts victims into an ethical dilemma, according to an article in ComputerWorld. Victims can either remain victims and pay to gain access to their compromised data, or become cyber attackers themselves and pass the ransomware on to others.

Ransomware is a form of malware that is rapidly becoming a popular means for cyber thugs to compromise data and extort money from victims. Ransomware encrypts or locks a victim’s computer data and denies the victim access to it unless the victim pays a demanded ransom or performs a specific action, such as passing the ransomware on to others.

How the Popcorn Time Ransomware Works

When a victim receives the Popcorn Time ransomware, a pop-up appears on the victim’s computer screen. The pop-up gives the victim two options:

  • The “Fast and Easy Way” to deal with the ransomware. The “fast and easy way” is to pay the requested ransom amount in bitcoin. Victims are given a wallet address to which to send the bitcoin payment. Once the payment is made, victims will receive a decryption key for their encrypted data.
  • The “Nasty Way” to deal with the ransomware. Alternatively, the victim can deal with the ransomware by forwarding the ransomware link to two other people. If two or more people install the ransomware on their computers, the original victim will receive a decryption key for their encrypted data.

The ransomware comes with a backstory. The collective of hackers responsible for the ransomware claims to be a group of Syrian refugees who are only extorting money from victims in order to support themselves. How much of that is true is a mystery.

Ransomware is a Serious Cybersecurity Problem

Ransomware is poised to be the next major challenge in cybersecurity. It affects individual computers or systems, which can be crippling for the victim. If your personal computer is affected, you could lose access to your important data, pictures, files, and more. If a business computer is affected by ransomware, it could halt the business altogether and bring the company to its knees.

The Legal Landscape of Ransomware: Liability, Reporting, and Paying

Ransomware attacks present some of the most complex legal questions in cybersecurity law. A business hit with ransomware must navigate potential notification obligations, government reporting requirements, the legality of paying the ransom, and civil liability to affected parties — all simultaneously, often under significant operational pressure.

Does Ransomware Trigger Data Breach Notification Requirements?

One of the first legal questions a ransomware victim must answer is whether the attack constitutes a “breach” that triggers data notification obligations. The answer depends on whether personal information was “accessed” or “acquired” by an unauthorized party — terms that vary in meaning across state notification statutes.

For HIPAA purposes, the Department of Health and Human Services has taken the position that a ransomware attack on a covered entity’s systems is presumed to be a breach of protected health information unless the covered entity can demonstrate that the data was not accessed or exfiltrated, only encrypted. Under this standard, a covered entity that suffers a ransomware attack must conduct a risk assessment to determine whether the attack rises to the level of a reportable breach, and must notify unless it can demonstrate that there is a low probability that PHI was compromised. Given that modern ransomware frequently involves data exfiltration prior to encryption — a technique known as double extortion — this determination is increasingly difficult to make definitively.

Under state notification statutes, the analysis similarly turns on whether personal data was acquired or accessed without authorization. Most state statutes are triggered by unauthorized acquisition of personal information — meaning the statute applies when data was copied, transmitted, or extracted, not merely encrypted in place. In a ransomware attack where data was only encrypted and not exfiltrated, some states may not require notification. However, given the prevalence of double extortion ransomware, businesses can rarely be confident that data was not exfiltrated without a thorough forensic investigation.

OFAC Sanctions and the Legal Risk of Paying Ransoms

Paying a ransom to a ransomware attacker creates an independent legal risk: potential violation of U.S. sanctions law. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) administers sanctions programs that prohibit transactions with designated individuals, entities, and countries. OFAC has designated multiple ransomware groups — including Evil Corp, Chatex, and SUEX OTC — as Specially Designated Nationals (SDNs).

A business that pays a ransom to a sanctioned ransomware group may be in violation of OFAC regulations regardless of whether the business knew it was dealing with a sanctioned actor. OFAC’s strict liability standard means that intent is not required for a violation — the payment itself is the violation if the recipient is designated. Civil monetary penalties for OFAC violations can reach the greater of $368,136 per transaction or twice the value of the transaction at issue.

In October 2020, OFAC published an advisory warning that ransomware payments to sanctioned actors or to actors in sanctioned jurisdictions violate OFAC regulations, and that facilitating such payments — including by insurance companies, financial institutions, and incident response firms — also creates OFAC exposure. This advisory significantly complicated the ransomware response calculus for businesses and their advisors.

The Legal Consequences of Passing Ransomware to Others

The Popcorn Time ransomware’s “nasty way” — infecting two other people’s computers to obtain a decryption key — is not merely ethically problematic. It is a federal crime. A person who intentionally transmits malware to another person’s computer without authorization violates the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. The CFAA’s transmission provision, 18 U.S.C. § 1030(a)(5)(A), prohibits knowingly causing the transmission of a program, information, code, or command that intentionally causes damage to a protected computer. Violating this provision is a felony carrying up to ten years’ imprisonment for first-time offenders.

A victim who chooses the “nasty way” cannot claim coercion as a defense — the Popcorn Time scheme provides a choice, even if the choice is designed to be exploitative. Transmitting ransomware to recover a decryption key would likely be prosecuted as a knowing and intentional transmission of malware under the CFAA, and the victim would face federal criminal charges independent of the original attacker.

Ransomware and Cyber Insurance

Cyber insurance policies typically cover ransomware-related losses, including the cost of incident response, business interruption losses, data recovery costs, and in some cases the ransom payment itself. However, coverage disputes have become increasingly common as ransomware losses have grown. Insurers have argued in some cases that ransom payments to sanctioned actors are uninsurable as violations of law. Courts have generally allowed coverage for ransom payments, finding that the insured did not have knowledge at the time of payment that the recipient was a sanctioned actor, but the coverage landscape continues to evolve as OFAC and insurers adjust their positions.

Contact a Cybersecurity Lawyer

Ransomware creates immediate and serious legal exposure. If your business has been hit with ransomware, contact the experienced data breach attorneys at Revision Legal as soon as possible. We can help you navigate notification obligations, evaluate the risks of paying or not paying a ransom, and manage regulatory and litigation exposure. Contact us using the form on this page or call us at 855-473-8474.
