When the defendant of a lawsuit is identifiable as "John Doe," some restrictions apply.
Such is the case of Southwire, a cable manufacturer based in Georgia, suing the operators behind a Maze ransomware attack. Because Southwire refused to pay the ransom, the operators posted a portion of the encrypted and stolen data on a public website.
The ransomware-turned-data-breach prompted Southwire to take legal action against the hackers and third parties unknowingly involved.
Southwire is seeking injunctive relief from the hackers after they "wrongfully accessed" the company's computer systems, according to the civil action (read the full filing below), filed on Dec. 31, 2019. The dates of the cyberattack were redacted from the filing.
"Southwire's decision to take legal action against the Maze Group is an unusual move," Brett Callow, threat analyst at Emsisoft, told CIO Dive in an email. "I can't think of another case in which a company has sued a ransomware group."
Robert Shimberg, shareholder of law firm Hill Ward Henderson, echoed Callow's sentiments. "I have not seen one exactly like this before now," he told CIO Dive.
But while Southwire, at this time, can only identify its hackers as John Doe, the company's investigations led it to another civil action in Ireland.
Ireland-based publication The Journal.ie reports Southwire is also pursuing injunctive relief from an Irish company responsible for hosting the hackers' website. Southwire reportedly asked the web hosting company to remove the published stolen data, but the company was unresponsive at the time.
Ransomware-turned-data-breach
Maze has influenced other ransomware operators' modus operandi when it comes to publicly disclosing data stolen from victims. REvil, the successor of GandCrab, is also threatening to publish stolen data or sell it to a victim's competitors if a ransom is refused.
The ransomware strain requires victims to communicate with its operators for decryption. Southwire outlined dates, though redacted from the filing, of the communication between the company and the defendant.
"During this time, Defendant threatened to release this information and pointed to its release of other companies' data as an indicator that it would follow through on its threats," according to the filing.
The malicious operators posted a portion of Southwire's data on the public-facing website. In the time since the posting, the hackers have allegedly told Southwire to brace for more data exposure.
Southwire's lawsuit against its hackers is a "somewhat risky move in that it could potentially prompt Maze into publishing all the exfiltrated data," said Callow.
But the proceedings helped the company bring down the websites showcasing the stolen data. The Irish third-party web hosting company has since removed the websites.
However, "it would be trivially easy for the group to release the data in other ways, either on the clear web or the dark web," said Callow.
A matter of identity
Though Southwire's ransomware lawsuit is unusual, John Doe cases are fairly common.
"It happens a lot like in copyright infringement cases and trademark infringement," said Shimberg.
"It's not unheard of for there to be lawsuits against John Doe. You're doing it with the idea that you don't know the identity of the person at this time, but you're still gathering information," he said.
With a John Doe defendant, Southwire's civil lawsuit is less likely to stall than a criminal case would be: a criminal prosecution is more likely than a civil action to stall when the operators' identity is unknown.
"I believe they are bringing the civil case, as a way for them to have the ability to pursue it on their timeframe and the way they want to pursue it," said Shimberg. A simultaneous criminal prosecution is possible if they can convince criminal authorities.
Having a John Doe defendant still "allows the injured aggrieved party [Southwire] to initiate and get something started," he said.
Southwire has so far been able to trace the domain the defendant, or John Doe, is using "to cause harm" to the company. The cable manufacturer provided a (now redacted) web portal contact point in the civil suit.
Following similar logic, Southwire found the alleged Ireland-based third-party web hosting company through an administered IP address "connected to domain [redacted] — used by Defendant in this action."
"With regard to the web hosting entity, that could become a trend, because you can certainly try to get some action taken," like the website shut down as quickly as possible, said Shimberg.
But legally pursuing a John Doe hacker is a trend yet to be seen.
"There's certainly some very good reasons for doing what they're doing strategically. And under appropriate circumstances, absolutely. I could see it happening more frequently," he said.