When the defendant of a lawsuit is identifiable as "John Doe," some restrictions apply.
Such is the case of Southwire, a cable manufacturer based in Georgia, suing the operators behind a Maze ransomware attack. Because Southwire refused to pay the ransom, the operators posted a portion of the encrypted and stolen data on a public website.
The ransomware-turned-data-breach prompted Southwire to take legal action against the hackers and third parties unknowingly involved.
Southwire is seeking injunctive relief from the hackers after they "wrongfully accessed" the company's computer systems, according to the civil action (read the full filing below), filed on Dec. 31, 2019. The dates of the cyberattack were redacted from the filing.
"Southwire's decision to take legal action against the Maze Group is an unusual move," Brett Callow, threat analyst at Emsisoft, told CIO Dive in an email. "I can't think of another case in which a company has sued a ransomware group."
Robert Shimberg, shareholder of law firm Hill Ward Henderson, echoed Callow's sentiments. "I have not seen one exactly like this before now," he told CIO Dive.
But while Southwire, at this time, can only identify its hackers as John Doe, the company's investigations led it to another civil action in Ireland.
Ireland-based publication The Journal.ie reports Southwire is also pursuing injunctive relief from an Irish company responsible for hosting the hackers' website. Southwire reportedly asked the web hosting company to remove the published stolen data but the company was unresponsive at the time.
Maze has influenced other ransomware's modus operandi in terms of publicly disclosing encrypted data. REvil, the successor of GandCrab, is also threatening to publish stolen data or sell it to a victim's competitors if a ransom is refused.
The ransomware strain requires victims to communicate with its operators for decryption. Southwire outlined dates, though redacted from the filing, of the communication between the company and the defendant.
"During this time, Defendant threatened to release this information and pointed to its release of other companies' data as an indicator that it would follow through on its threats," according to the filing.
The malicious operators posted a portion of Southwire's data on the public-facing website. In the time since the posting, the hackers have allegedly told Southwire to brace for more data exposure.
Southwire's lawsuit against its hackers is a "somewhat risky move in that it could potentially prompt Maze into publishing all the exfiltrated data," said Callow.
But the proceedings helped the company bring down the websites showcasing the stolen data. The Irish third-party web hosting company has since removed the websites.
However, "it would be trivially easy for the group to release the data in other ways, either on the clear web or the dark web," said Callow.
A matter of identity
Though Southwire's ransomware lawsuit is unusual, John Doe cases are fairly common.
"It happens a lot like in copyright infringement cases and trademark infringement," said Shimberg.
"It's not unheard of for there to be lawsuits against John Doe. You're doing it with the idea that you don't know the identity of the person at this time, but you're still gathering information," he said.
With a John Doe defendant, Southwire's lawsuit is less likely to stall as a civil case, as it might in a criminal one. A criminal case is more likely than a civil one to stall when the operators' identity is unknown.
"I believe they are bringing the civil case, as a way for them to have the ability to pursue it on their timeframe and the way they want to pursue it," said Shimberg. A simultaneous criminal prosecution is possible if they can convince criminal authorities.
Having a John Doe defendant still "allows the injured aggrieved party [Southwire] to initiate and get something started," he said.
Southwire so far was able to trace the domain the defendant, or John Doe, is using "to cause harm" to the company. The cable manufacturer provided a (now redacted) web portal contact point in the civil suit.
Following similar logic, Southwire found the alleged Ireland-based third-party web hosting company through an administered IP address "connected to domain [redacted] — used by Defendant in this action."
"With regard to the web hosting entity, that could become a trend, because you can certainly try to get some action taken," like the website shut down as quickly as possible, said Shimberg.
But legally pursuing a John Doe hacker is a trend yet to be seen.
"There's certainly some very good reasons for doing what they're doing strategically. And under appropriate circumstances, absolutely. I could see it happening more frequently," he said.