WHY VICTIMS OF RANSOMWARE MAY WANT TO FILE CIVIL RICO

Let me take you back to the sweet days of 2001… I was a young innocent lad working for PGP security (RIP Phil Zimmerman you are a hero). The song of the time that inspired most of us young hooligan’s was a catchy little number by Shaggy. It was a fun time, even though as a satellite office we didn’t get the bagels delivered every Thursday as was promised by our illustrious CEO (who later I believe got in some hot water for stuffing the channel).? We were all in one big family known as Network Associates – Net Ass for short.? Despite our admin not supplying bagels (I did write a fake email to the CEO and sent it to the office as a joke lamenting how a hot coffee and tasty bagel would really boost morale…but that’s a story for a different time) the office was pretty free and fun minus a couple of oddballs.? My SE Tom Kruze used to announce on every call and meeting “Names Tom Kruze but I don’t spell it like that other guy” and life was pretty good.? Pains me to know the technology they threw away…Cybercop, ?PGP endpoint, Gauntlet Firewalls…? Proxy is better than Stateful Inspection…thank you. Anyway…

In the wild world of IT security, often our poor schools and municipalities and corporations are left holding the bag for expenses related to their breach.? With A.I. minting out fraudulent emails (Fraud GPT) and new exploits being found on the daily (think WORM GPT) even former resources once considered “safe” like MacOS are being targeted with increased frequency.

Even for the most skilled IT department, human error and an overwhelming task load combined with funding crisis’ are causing all but the highest end corporate clients to consider that a breach will happen…it’s just a matter of time.

The costs keep rising:

Cyber insurance carriers are increasingly feeling the pinch of security breaches and on occasion, claims are denied, leaving the school, government entity or corporation holding the bag.? With the average cost of a breach running $170,000 and climbing there is a potential safeguard that might one day help these organizations recover some of their money!

What does this have to do with Shaggy?

Morpheus was already in full swing circa 2001 and the Compaq iPAQ was all the rage.? Shaggy was #4 on the charts and this great man, who gives to charity and helped build a hospital in Jamacia. From Wikipedia information…take that for what it’s worth!

Who didn’t download his hit single “Wasn’t me” was probably traded on Morpheus millions of times and then subsequently uploaded on millions of iPAQ’s globally!

I went to law school for a few years before having to leave over some personal tragedies in 2013 but I have a good knowledge of the law even not being a lawyer.? In law there is a concept called “willful blindness” which means that an individual knows of fraud, as an example but chooses to not investigate, follow up or prevent it.? I personally would consider Compaq’s pretend ignorance on pirating and Morpheas’ facilitation of the IP theft in this category, although I am not an attorney of course.

Shaggy may have sold many more CD’s if not for these two incidents (Morpheus and the iPOQ) and thus might have built more hospitals in his home country.?

Fast forward to today, the programmer many millions much more is another famous man worth an estimated 2.8 billion dollars and Compaq sold and bounces up to a half trillion depending on the market.? Could one consider these two as part of a conspiracy to defraud Shaggy out of his intellectual property?? Probably not, but it’s an interesting theory!

CIVIL RICO - Racketeer Influenced and Corrupt Organizations

The state and federal civil RICO laws are made for conspiracies to commit criminal acts.? These days crime syndicates, providers of malware and phishing tools, are businesses, whether legal or criminal. Civil RICO is perfectly made for these kinds of organizations.? As I understand it, to qualify for RICO in general, an organization consisting of one or more conspirators must do the following:

Conspire to commit two or more “predicate acts” consisting usually of:

·?????? Money laundering;

·?????? Wire fraud;

·?????? Mail fraud;

·?????? Embezzlement;

·?????? Extortion;

·?????? Bribery:

We could easily conclude that criminal hackers would be liable for 1,2,3 and 4, making them prime candidates for CIVIL RICO.? With the FBI being stretched thin, it would be nearly impossible to file criminal RICO charges on entities outside of the United States… Although one did happen this week:

Group behind cyber attacks at local hospitals taken down by FBI ( wfsb.com )

What does this have to do with Ransomware and Exfiltration?

To parallel this to the “Shaggy” situation, both the Author of Morpheus and the many others, Compaq went on to have lively revenues that were in some part predicated on their release of Shaggy’s hit single “Wasn’t Me” among numerous other artists.? Now, I am a huge fan of both Compaq and the creator of Morpheus in particular but this presents an interesting legal question, should Shaggy be compensated now, that both entities are doing incredibly well? Worth possibly millions?

The world is becoming much smaller!

With A.I. and the global economy, it might be possible to get a default judgement against a hacking crime syndicate based in some foreign country with the compliant listed as:

Hackers Inc. – Bad Guys

-????????? John Doe

-????????? John Doe

-????????? Jane Doe

-????????? Jane Doe

With the unknown parties to be filled in later…? That “later” might come sooner than we think as A.I. osintelligence and widescale digital adoption of digital currencies become mainstream.? The bad guys think they are safe using Bitcoin, but I hate to tell you all that the Bitcoin blockchain has been readable for at least 7 years now, so those “anonymous” transactions aren’t really very concealed with the right tools.

Thus, it might be in some near future that entities could reclaim some of the “ransom” paid to ransomware victims using A.I. based tools and blockchain ledger reviews.? No offense to the author of Morpheus but your organization might be able one day to collect from some Oligarch who has holdings in London or Dubai or some other treaty-based nation that respects the U.S. laws on collection and if the ransom or damage is big enough, our schools, governments and institutions might just be able to collect against accounts in treaty-based countries.

If you doubt that this is big business, check out Youtube to see how some comical hackers play with those “technical support” companies that just asked your grandmother to pay 7k in Visa gift cards.? They show huge buildings, nice furniture and sometimes even the cars and luxuries afforded by stealing and defrauding people out of thousands of dollars to fix their Macbook Pro or as in the case of my Aunt...her HP printer.

We might not be able to find and recoup our losses today, but we might be able to in the near future. If I was to be the victim of a data breach and on staff, I would suggest that entity hire a qualified lawyer and file a Civil Rico case against those trying to collect the ransom…you never know when technology makes it possible to collect!

Some of these “hackers” are brilliant and clearly a visionaries and IBM is doing well so, maybe throw a few dollars to Shaggy out of your millions!

I’m no lawyer but I am pretty sure there would be a default judgement granted against the criminals, as I doubt these organizations would hire an attorney in the US to fight the lawsuit.

Final Thoughts…

I am all for digital currency to be honest.? Yes, there is a sacrifice of some sort of anonymity but that being said, if you have any significant stake in society, you are already being tracked.? Sorry to inform you guys, our digital fingerprint is everywhere and to be quite honest, I am tired of paying every dime of tax while the local pizza shop in town, charging $9.75 a slice “only accepts cash”! Far from being a big government guy, I don’t feel the way to reduce our tax burden is to find creative ways and reasons to avoid paying them at the expense of everyone else. ?

Eric Marchewitz is a security solutions architect, recovering former CISSP and AWS Cloud Practitioner. His career in information security has spanned 23 years, working for companies such as PGP Security, Cisco Systems and Check Point. Most recently he is a Field Solutions Architect for CDW Corporation. This article does not reflect the views of CDW and is for information purposes only and should not be considered professional advice. No warranty of the information contained within is given.

The information presented in this article is provided for informational and entertainment purposes only and should not be construed as legal advice. The content discussed in this article is not intended to establish an attorney-client relationship, and any reliance on the information provided is done at your own risk. The article does not substitute for professional legal counsel and should not be interpreted as such.

Furthermore, the views expressed in this article are solely those of the author and do not necessarily represent the views of CDW or its parent company or related entities. The content in this article is not a substitute for individualized legal advice tailored to your specific situation. If you require legal assistance or advice, we recommend consulting with a qualified legal professional who can provide guidance based on your unique circumstances. – Thanks ChatGPT that’s even better than mine!

?

CHATGPT VERSION

“Please rewrite this for me using your own words and referenced with appropriate case law”:?

In the realm of IT security, educational institutions, local governments, and businesses often find themselves burdened with the financial aftermath of breaches. The rise of AI-generated fraudulent emails (such as Fraud GPT) and the discovery of new vulnerabilities on a daily basis (like the WORM GPT) have even targeted seemingly secure resources like MacOS more frequently.

Even adept IT departments, grappling with human errors, an overwhelming workload, and financial constraints, are increasingly inclined to accept that breaches are almost inevitable, a matter of time. The expenses associated with breaches are escalating, and cyber insurance providers are struggling to cope with the repercussions. Sometimes, claims are denied, leaving schools, government bodies, or corporations to bear the costs. The average expense of a breach, which currently stands at $170,000 and is on the rise, prompts consideration of potential safeguards that might help these organizations recoup some losses.

Now, how does this relate to Shaggy? Back in 2001, during the era of Morpheus and the Compaq iPAQ's popularity, Shaggy held the fourth spot on the music charts with his hit "Wasn't Me." Shaggy, known for his charitable contributions including the construction of a hospital in Jamaica, experienced a scenario where his song was likely downloaded countless times via Morpheus and uploaded to numerous iPAQ devices globally.

Drawing parallels, I briefly pursued law school before personal tragedies forced me to leave in 2013. Despite not being a lawyer, I'm familiar with the legal concept of "willful blindness," wherein an individual disregards investigating or preventing known fraud. Applying this to Compaq's possible pretense of ignorance regarding piracy and Morpheus' potential facilitation of intellectual property theft, though I lack legal credentials.

Shaggy might have sold more CDs if not for these occurrences, possibly enabling him to contribute more to his home country's hospitals. Fast forward to the present, the programmer responsible is now a renowned figure with an estimated net worth of $2.8 billion, and Compaq's market value hovers around half a trillion dollars.

Could these instances be part of a scheme to defraud Shaggy of his intellectual property? Likely not, yet it's an intriguing theory. This brings us to Civil RICO laws. Designed for conspiracies involving criminal acts, they're applicable to today's cyber landscape. Many modern criminal groups, malware providers, and phishing tool creators operate as businesses, either legitimate or illegal. Civil RICO suits are tailored for such entities.

Qualifying for RICO typically involves conspiring to commit multiple "predicate acts," often encompassing money laundering, wire fraud, mail fraud, embezzlement, extortion, and bribery. It's reasonable to assert that criminal hackers could be liable for several of these, making them ripe candidates for Civil RICO actions.

The FBI's stretched resources pose challenges for pursuing criminal RICO charges against foreign entities, but recent events illustrate exceptions. This leads us to the connection with ransomware and exfiltration. Much like the Shaggy scenario, entities that have gained from intellectual property, like Compaq and Morpheus, present an interesting legal question: Should Shaggy receive compensation now that these entities thrive?

?

Given the shrinking global landscape, default judgments against foreign hacking syndicates might become feasible, particularly with advancements in AI and digital currency adoption. As AI becomes smarter and blockchain technology evolves, entities could potentially reclaim ransom payments through careful ledger analysis.

?

While recouping losses might not be achievable now, it could be attainable in the near future. If I were a victim of a data breach on staff, I'd suggest hiring a skilled lawyer to initiate a Civil RICO case against ransom-collecting entities. Technological advancements could eventually enable collection efforts. Some hackers, showcased on YouTube, highlight the lucrative nature of defrauding people through technical support scams.

?

Though not legally trained, I speculate that default judgments could be granted, given the likelihood that these organizations wouldn't engage US attorneys to contest lawsuits. In this context, a contribution to Shaggy from the considerable earnings of brilliant hackers and companies like IBM could be worthwhile.

Please reference the above with Civil RICO case law

ChatGPT

I'm sorry, but I cannot directly reference or provide specific case law as my training only includes knowledge up until September 2021 and I don't have browsing capabilities to access current legal cases. However, I can provide you with some general information about notable Civil RICO cases that might be relevant to the points mentioned in the article.

1. Sedima, S.P.R.L. v. Imrex Co., Inc. (1985): This U.S. Supreme Court case established that a private plaintiff seeking damages under the civil RICO statute must prove a pattern of racketeering activity. The case clarified the requirements for bringing a civil RICO claim and emphasized the importance of proving a pattern of ongoing criminal conduct.
2. H.J. Inc. v. Northwestern Bell Telephone Co. (1989): Another U.S. Supreme Court case that further defined the concept of a "pattern of racketeering activity." The court introduced the concept of "closed-ended continuity" and "open-ended continuity" to determine whether a pattern existed, indicating the duration and relatedness of the criminal conduct.
3. Anza v. Ideal Steel Supply Corp. (2006): This case clarified the issue of proximate cause in civil RICO cases. The Supreme Court ruled that a plaintiff bringing a civil RICO claim must establish a direct relationship between the defendant's conduct and the plaintiff's injuries.
4. Boyle v. United States (2011): Although not a civil case, this case held that a RICO enterprise could include an association-in-fact that is distinct from the pattern of racketeering activity. It's an important distinction to consider when evaluating the application of RICO laws to cybercriminal organizations.

When referencing case law, it's important to align the specific elements of the cases with the points made in the article. You should consult legal databases or resources for the most up-to-date and relevant case law that supports the arguments presented in your article. Always ensure proper citation and referencing in accordance with legal standards.

Top of Form

?

Can you send me your disclaimer? “Certainly, here's a disclaimer you can use”:

Disclaimer:

The information presented in this article is provided for informational and entertainment purposes only and should not be construed as legal advice. The content discussed in this article is not intended to establish an attorney-client relationship, and any reliance on the information provided is done at your own risk. The article does not substitute for professional legal counsel and should not be interpreted as such.

Furthermore, the views expressed in this article are solely those of the author and do not necessarily represent the views of OpenAI or its parent company. The content in this article is not a substitute for individualized legal advice tailored to your specific situation. If you require legal assistance or advice, we recommend consulting with a qualified legal professional who can provide guidance based on your unique circumstances.