A spate of recent ransomware attacks illustrates the increasingly difficult calculations that businesses face following the theft or encryption of their data.

In February and March, the IT company Change Healthcare made headlines when it took its systems offline in response to an attack by the cybercriminal group, BlackCat. Change Healthcare provides important backend support for healthcare claims processing: according to the American Health Association, the business touches one in three patient records across the United States and processes 15 billion health transactions annually. The effects of the shutdown were devastating—healthcare systems, including small hospitals, could not collect billions of dollars in payments, patients did not receive their medications, and some providers could not see new patients.

Change Healthcare reportedly paid $22 million to BlackCat in return for a decryption key and the destruction of exfiltrated data. But a dispute between BlackCat and one of its criminal affiliates over how to split the ransom has thwarted the likelihood of a quick resolution. That affiliate may have retained the IT company’s data and arranged for a separate ransomware group to leak it while demanding a second ransom payment. As of this posting, those leaks are ongoing.

Although Change Healthcare’s woes illustrate the potential challenges arising from paying a ransom, cybercriminal groups have also experimented with making a refusal to pay even more painful for victim businesses. In November 2023, BlackCat took the unusual step of reaching out to a regulator as a means of exerting additional pressure on its victim. Specifically, BlackCat tried to file with the Securities and Exchange Commission a Section 8-K disclosure purportedly on behalf of the software company it had hacked. In December, another ransomware group spammed patients of the Fred Hutchinson Cancer Center in Seattle, asking for payments of $50 each to prevent the leaking of their data to the dark web. Harassment of individuals is a known technique for pressuring the institution that held those individuals’ data. But what came next was new: threats in January 2024 to “swat” the hospital’s patients—that is, make fake bomb or hostage reports to law enforcement in the hopes that police will storm the patients’ homes.

These shifting tactics reflect the continually evolving dynamics of the ransomware landscape. Businesses have invested more in cybersecurity and are paying fewer ransoms. Law enforcement agencies also succeeded in 2023 in disrupting operations of not only BlackCat, but another notorious group, Hive—although newer groups have quickly filled the void. These cybercriminals have adapted by pursuing larger enterprises, deploying resources to encrypt rather than simply steal data, and demanding even greater ransoms.

Such dynamics complicate the already difficult decision of whether to pay a ransom—a decision accompanied by a thicket of thorny legal questions. Those questions include how to comply with new SEC regulations requiring disclosure of material cybersecurity incidents. Further, under recently amended rules from the New York State Department of Financial Services, certain entities must explain to the Department the “reasons payment was necessary” and what alternatives were considered. All the while, organizations need to navigate their disclosure obligations and investigation of underlying events while considering how to maintain attorney-client privilege.

We will continue to report on ransomware developments as they unfold.