The Beginning of the End for Ransomware?

We kick off a jam-packed episode of the Cyberlaw Podcast by flagging the news that ransomware revenue fell substantially in 2022. There is lots of room for error in that Chainalysis finding, Nick Weaver notes, but the effect is large. Among the reasons to think it might also be real is resistance to paying ransoms on the part of companies and their insurers, who are especially concerned about liability for payments to sanctioned ransomware gangs. I also note that a fascinating additional insight from Jon DiMaggio, who infiltrated the Lockbit ransomware gang. He says that Entrust was hit by Lockbit, which threatened to release its internal files, and that the company responded with days of Distributed Denial of Service (DDoS) attacks on Lockbit’s infrastructure – and never did pay up. That would be a heartening display of courage. It would also be a felony, at least according to the conventional wisdom that condemns hacking back. So I cannot help thinking there is more to the story. Like, maybe Canadian Security Intelligence Service is joining Australian Signals Directorate in releasing the hounds on ransomware gangs. I look forward to more stories on this undercovered disclosure. Gus Hurwitz offers two explanations for the Federal Aviation Administration system outage, which grounded planes across the country. There’s the official version and the conspiracy theory, as with everything else these days. Nick breaks down the latest cryptocurrency failure; this time it’s Genesis. Nick’s not a fan of this prepackaged bankruptcy. And Gus and I puzzle over the Federal Trade Commission’s determination to write regulations to outlaw most non-compete clauses. Justin Sherman, a first-timer on the podcast, covers recent research showing that alleged Russian social media interference had no meaningful effect on the 2016 election. That spurs an outburst from me about the cynical scam that was the “Russia, Russia, Russia” narrative—a kind of 2016 election denial for which the press and the left have never apologized. Nick explains the looming impact of Twitter’s interest payment obligation. We’re going to learn a lot more about Elon Musk’s business plans from how he deals with that crisis than from anything he’s tweeted in recent months. It does not get more cyberlawyerly than a case the Supreme Court will be taking up this term—Gonzalez v. Google. This case will put Section 230 squarely on the Court’s docket, and the amicus briefs can be measured by the shovelful. The issue is whether YouTube’s recommendation of terrorist videos can ever lead to liability—or whether any judgment is barred by Section 230. Gus and I are on different sides of that question, but we agree that this is going to be a hot case, a divided Court, and a big deal. And, just to show that our foray into cyberlaw was no fluke, Gus and I also predict that the United States Court of Appeals for the District of Columbia Circuit is going to strike down the Allow States and Victims to Fight Online Sex Trafficking Act, also known as FOSTA-SESTA—the legislative exception to Section 230 that civil society loves to hate. Its prohibition on promotion of prostitution may fall to first amendment fears on the court, but the practical impact of the law may remain. Next, Justin gives us a quick primer on the national security reasons for regulation of submarine cables. Nick covers the leak of the terror watchlist thanks to an commuter airline’s sloppy security. Justin explains TikTok’s latest charm offensive in Washington. Finally, I provide an update on the UK’s online safety bill, which just keeps getting tougher, from criminal penalties, to “ten percent of revenue” fines, to mandating age checks that may fail technically or drive away users, or both. And I review the latest theatrical offering from Madison Square Garden—“The Revenge of the Lawyers.” You may root for the snake or for the scorpions, but you will not want to miss it.