Data breaches in Canada hit a record high last year with an average cost of more than $6 million per incident. Data breaches are beginning to affect every sector and industry, and regulation is beginning to increase to address these breaches. In the second episode in our cybersecurity series, join hosts Ailsa Bloomer and Andrew McCoomb as they dig into how best to manage a data privacy breach. What constitutes a breach? What do you actually do when a breach happens? And how do you mitigate the impact and reduce the risk of a future incident? For the discussion, we welcome back Imran Ahmad, co-head of information governance, privacy and cybersecurity and head of Norton Rose Fulbright’s technology sector. Joining Imran is Miranda Sharpe, an associate from our Calgary office and a member of Norton Rose Fulbright’s national information governance, privacy and cybersecurity team.

CPD credits: This episode qualifies for 0.5 hours of Substantive credit in Ontario and 0.5 hours of Practice Management credit in British Columbia.

For more information, check out Imran’s book, Cybersecurity in Canada: A Guide to Best Practices, Planning, and Management.

Managing a breach Disputed | EP 3


Transcript:

Ailsa Bloomer 00:10
Hello and welcome to Disputed, a Norton Rose Fulbright podcast that looks at the trends, issues and opportunities across Canada's legal landscape. We're your hosts, Ailsa Bloomer from Calgary and Andrew McCoomb from Toronto. And in these next few episodes, we are talking about cybersecurity. October is Cybersecurity Awareness Month, which is an international campaign to raise awareness and practice of good cyber hygiene in Canada. So we want to spend the next few episodes examining the rise of ransomware, how to manage your data breach, and the uptick in class actions and cyber litigation across Canada. For the next 30 minutes, we're going to talk about ransomware. This is where a hacker chooses a victim, they gain access to the victim's data and encrypt their files so you can't use them. When the victim logs into their system, all they see is a ransom demand. You want your data, you've got to pay. The ransomware industry is booming, attacks are up by 151% this year compared to 2020. And the chaos it's causing is becoming more widespread. You'll recall the disruption in May when the US Colonial pipeline was shut down by a ransomware attack, causing a dramatic spike in fuel prices. In July, nearly 2000 organizations across the world were paralyzed by a supply chain attack on the software company Kaseya where the hackers demanded a ransom of close to $70 million to decrypt the data. But what does all this mean for Canadian businesses? How are the hackers' techniques changing? Should you ever pay a ransom? And what legal issues are engaged in defending against a ransomware attack? To answer these questions we spoke with John Cassell and Imran Ahmad, who are the co-heads of Norton Rose Fulbright’s cybersecurity team in Canada. John is a partner in our Calgary office and his practice includes national and international incident response, access to information requests and proceedings before privacy commissioners.
Imran, who is based in Montreal and Toronto, is the head of our technology sector. Imran helps clients develop practical strategies to mitigate cyber threats and like John, often acts as breach counsel in the event of domestic and cross-border incidents.

John, Imran, thank you very much for joining us, and welcome to the podcast.

Imran Ahmad 02:43
Thanks for having us.

John Cassell 02:45
Thank you.

Ailsa Bloomer 02:46
So let's just start off high-level, what is ransomware?

John Cassell 02:51
Thanks, Ailsa. At a really high level ransomware is a malicious computer program or malware that encrypts an organization's data, then the ransom component of it: data is held or encrypted in exchange for the payment of the ransom. So an organization is requested or demanded to pay a ransom to get their data back or unencrypted at a high level or to prevent the release, public release, of that data.

Andrew McCoomb 03:22
So maybe we can dig a little bit deeper. I mean, how does it work on a technical level? How does an organization get infected with ransomware, if that's the right term?

Imran Ahmad 03:31
It's-- it's been evolving. You know, the interesting part about ransomware is over the past 18 months to 24 months, these attackers have really evolved their techniques. You know, if you go back about two years now, and John sort of alluded to this, you can see attackers sending out these-- these emails, these phishing emails that had malicious code in it, you clicked on it, and it would just encrypt either a single desktop or an entire network. What the attackers then realized was, a lot of organizations were-- were implementing good cyber hygiene, including having good backups. And so what better way to extort somebody to make a payment than to also steal their data? So in terms of the technical piece, what we've seen is, and it's not, not new stuff, but certainly newer ways of doing things with old tools, is there'll be either a phishing email, it'll be what we call an open port, like a remote desktop port that has not been secured. So basically, imagine a door to the internet that's left open for a company, or other techniques of that nature, which have existed for a long time. And what the attackers are doing is once they get access to the network, what we call a foothold, they're basically going to figure out what's going on. So that's called lateral movement. They'll do some reconnaissance or lateral movement throughout the entire environment, figure out what's out there, what's valuable, and where they can actually siphon some of the information out of the environment, to an external site that they've set up, and what their goal is here is to steal as much data as they can in the shortest window possible. And once they're ready, they're going to be able to deploy the ransomware and if the client even has good backups, they'll say, look, that's great and all you've got backups, but you better pay up because I've got all this sensitive data that you're thinking about, that's going to cause you a lot of harm, and potentially a lot of headaches.
So that's where the evolution of ransomware has been interesting. But the techniques, the fundamental techniques that they use, really hasn't evolved in a meaningful way.

Andrew McCoomb 05:26
Imran, I find that really interesting. I mean, I had the impression that this was always sort of like a lightning strike, you're-- you're infected, and now you're in trouble. But it sounds like you're saying that you could have, you know, malicious actors inside your system for a period of, I don't know, is it days or weeks doing this recon, figuring out where your weak spots are, getting ready to pounce before something actually happens, before you realize you have a problem?

Imran Ahmad 05:53
Yeah, yeah, no, definitely you see a lot of this. And John's going to be able to chime in on ransomware as a service, which is sort of a newer way of delivering ransomware, if you wish, you know, forget about the image of-- of a kid sitting in a basement in a dark room with a hoodie on with multiple screens, sending out emails and hoping somebody clicks on it, that ransomware as a service has really become a much more sophisticated approach to cyberattacks. And what you have is literally a supply chain, which has been built. So you have one group that's really going to focus on entry into an environment getting credential, that initial email, that's a phishing email, for example, collecting that from an organization, they'll hand that off to another group, which will then go in and actually do that lateral movement I was mentioning earlier, and then subsequently, they'll steal the data, deploy the ransomware. And then you've got a separate group at the end of the supply chain, which is going to negotiate to get a payment made to them. And ultimately, the person or the group that's running all of this is sort of the master hacker, the person actually developed the malware in the first place, the ransomware in the first place, who is basically saying, instead of me sending out 100, you know, phishing email attacks and managing this infrastructure, let me just have the code and I'll take a small percentage for each successful attack, so that at the end of the day, I can multiply and leverage the-- the various groups that are out there by giving them the malware, but taking a small cut for myself, but multiplying that through volume.

Ailsa Bloomer 07:19
So it sounds like this is really organized crime. Now it sounds like it's probably incredibly lucrative. I mean, are we also seeing, in addition to these criminal gangs, governments engaging--certain governments engaging--in ransom warfare, too?

John Cassell 07:34
We are, Ailsa, to build on Imran’s points there. And he made very well-known ransomware as a service that's really resulted in the proliferation of ransomware attacks, you know, and really, the building of this as an economy of scale. We've seen the volume increase exponentially over-- over the past few years, it's incredibly lucrative. Question directly the types of threat actors that we're seeing, you know who perpetrate malware or ransomware attacks. It's not always cyber criminals, cyber criminals are obviously a very predominant group, but there is also nation state actors. Typically the motivations behind nation state actors or governments are different. Usually, the motivation behind those attacks can be geopolitical information gathering, intelligence gathering, often targeted at critical infrastructure rather than extorting a system for financial gain. There's also other less common groups sometimes that we see, you know, such as insider threats, you know, disgruntled insiders of a particular organization, helping perpetrate an attack, in addition to terrorist groups, or other groups who may be committing an attack for-- for other reasons. The predominant actors, though by far, are criminal groups.

Andrew McCoomb 09:03
John, one of the types of tactics that we learned a little bit about in our research before this episode was a thing called a double extortion attack. Can you tell us a little bit about what a double extortion attack is?

John Cassell 09:14
I mean, in a nutshell, double extortion attack is where a threat actor or a hacker both encrypts an organization's data and demands a ransom to unencrypt data, and also has stolen data and demands the payment of a ransom to prevent the public release of that data. So really, an organization is potentially making a ransom payment for those two things. It's really evolved over the past few years. Previously, you know, several years ago, predominantly, we would see single extortion attacks where only data would be encrypted and the factors whether to pay a ransom were really, whether an organization had to get their data back or they had viable backups, so they were only considering paying a ransom to unencrypt data. Now with double extortion attacks, the risk calculation has changed significantly. An organization may be able to rebuild from backups and be up back operational very quickly. But obviously, depending on the type of information that was stolen, and the business that your organization is in, the public release, for instance of customer data, trade secrets, confidential information can be extremely damaging. So it's a different risk calculus now with double extortion attacks.

Ailsa Bloomer 10:43
I've also heard reference to triple extortion attacks too, can you just briefly explain what those are?

Imran Ahmad 10:48
When we talk about triple extortion, it's essentially what the attacker is doing is instead of going directly to a company's IT environment and compromising it, they're going to their service providers. So they're going down to supply chain in a certain extent, and going to what we call, typically, you know, Managed Service Providers or MSPs. And what they'll do is once they're in the MSP's environment, they're going to encrypt the data held by that MSP, which also typically host the data of their clients, or will be a point of entry into the client's environment in whatever shape, way or form. So what ends up happening, and this is where it gets really complicated, is a client who has been relying on a third party, basically can't access any other data, that MSP may have multiple clients and now the attacker is demanding a very large ransom, for example, to get the data back or to have it deleted. From a-- from a legal perspective, the challenges are multifaceted. I mean, at that point, you don't have control over the investigation per se, you don't know the exact scope of what the breach may have looked like. You don't know what terms the MSP is negotiating with the attacker. And in some cases, you don't actually know if the MSP has the wherewithal to pay the ransom, if the ransom has to be paid. So it becomes really tricky managing those. So it's, it's one level removed, but it just highlights the supply chain risk that exists within sort of the IT environment for clients. And again, I just want to reiterate, this is not a hypothetical. Over the past 12 months, there have been several well-documented cases that have occurred that literally took advantage of the MSP vulnerability to get to a client and extort them subsequently.

Andrew McCoomb 12:28
Guys, I'm glad this episode is dropping in October because it's shaping up to be by far our scariest. But let's-- let's turn from talking about threats themselves and start talking about the solution. So let's-- let's take a scenario, right, an organization's hit with a ransomware attack, or they believe they may be subject to one, say you're in-house counsel or you're working with compliance or the risk team. Take us through your tips for what they need to do to manage that risk, to be prepared for the consequences of, you know, what's going to happen next. And what are the questions that management of that company are going to be asking you in particular?

John Cassell 13:09
There's a number of steps that an organization should take if they're hit by a ransomware incident. If an organization believes they've been hit by a ransomware attack and needs to move very quickly, as a first reminder, they'll be considering whether to pull up and rely on their Incident Response Plan, if they have one. They will be assembling their Incident Response Team. Typically, that's where external legal counsel or your breach counsel are involved, where we will be called to assist to quarterback really the investigation into the breach, and to ensure that the investigation is privileged and all the steps that are taken to investigate the incident remains subject to legal privilege. Typically, after that we’ll assist in retaining an incident response and forensic firm to assist in investigating the incident. And at this point, potentially, they've found a ransom note on their systems to, with the ransom demands. And really, at this stage, the investigation can take parallel tracks in that organization; I'll be conducting a forensic investigation into the root cause of the attack, how it happened.

Ailsa Bloomer 14:30
So triggering your Incident Response Team, engaging breach counsel, conducting these investigations. I mean, this all sounds costly and time-consuming. And for a lot of businesses, they might not be in a position where this is really feasible because at the same time they have to keep operating. So for companies in that situation, will a lot of companies simply prefer to just pay the ransom and what are the issues and certain factors to weigh in whether you should or should not pay the ransom?

Imran Ahmad 15:00
Right. So some of the questions we get are, if I had to make a top three list of questions clients ask about ransom payments in particular is, number one, is it legal, two, will insurance cover it? And three, do I need to tell law enforcement about any of this, or is it going to be a problem. And-- and what we tell our clients is look at the end of the day, it is ultimately your decision, whether you want to make a payment or not, but there are certain guardrails you should be mindful of. Number one, clients should not negotiate with the attackers themselves. This is typically done through a third party. There are techniques and tactics that these attackers are going to use to bully, intimidate and challenge a client who is inexperienced in dealing with these kind of threat actors. So better to get somebody who has experience and the know-how and there are various vendors in the marketplace that do that work specifically. So that's number one. Number two, in terms of making a payment, just recently, the Office of Foreign Assets Control in the US came out with a subsequent guidance documents on how ransom payments should be made. By and large, although it's a US-based organization, globally, they're viewed as being leaders and you want to make sure you're onside of that. So there's some guidelines and things that need to be verified and checked. So for example, need to get a certificate around a sanction check before a payment is made. If a sanction check, which typically goes through databases of sanctioned entities, could be OFAC, could be DFAIT here in Canada, could be FINTRAC, could be Interpol, there are a variety of them that are out there. But it’s that third party vendor that's negotiating the job to do the sanction check. If it comes back clear, there's the possibility of making a payment. If it does not come back clear, you're in a different place, because you won't be able to make the payment without being offside unless you get some kind of an exemption.
And that exemption is not a speedy process, especially when you're losing money as an organization in real time, you want to keep that option available, but bear in mind that an exemption may not be a feasible option. So to John's point earlier about the incident response part, usually when we get engaged as breach counsel, we open up immediately two swim lanes. One is going to be, do we have backups, and can we restore, and then swim lane number two, if you wish, let's open up negotiations or at least communication with a threat actor to see what the demand is, get what we call proof of life, which is basically a validation that they actually have your data or have a decryptor to decrypt your data and then see where that goes to get more intelligence about how they operate and what kind of reliance we can have on the word they give. But when-- when organizations are looking at this, you're absolutely correct, it's a cost benefit analysis in most cases, and you know, is the time that they're going to be down and the time to rebuild and restore? How much is that going to cost versus if the demand is X dollars in Bitcoin is that a better option, recognizing that even when a decryptor is obtained, it's not an instantaneous you’re up and running the next day, it does take some time so there's necessarily going to be some downtime that has to be factored into that process.

Andrew McCoomb 18:11
So Imran, let me just pick up on the point that you just raised and talking about negotiations, and some of the entities you were describing earlier that are taking part in these practices on the ransomware side. How realistic is it to think you can negotiate with someone who's attacked your system with ransomware? Or that at the end of the day, when you make a payment, you're really going to get back what they say you're going to get back? How-- how realistic is it to think that these guys are going to honour their end of that deal?

Imran Ahmad 18:43
So one of the interesting parts of cyber, generally speaking, is the very quick evolution in the landscape. If you had asked me that exact same question six months ago, I would have been very comfortable to say you can rely on their word and yes, you can negotiate it down. What we're seeing now more and more and I know John and I, for example, recently worked on a case where-- where the threat actor, the-- the hacker was able to get a copy of the insurance policy and the insurance policy had X dollars in terms of limit. And they basically barely budged from that position saying you know what, we know you have the ability to do it, go talk to your insurance company and get us paid. But I'd say generally speaking, there is some kind of a quote unquote discount, meaning if you go back and forth with the attacker to get a discount on the demand versus what's actually paid, there are factors to keep in mind in terms of delay, how long you can actually drag out negotiations, versus how desperately you need to get the decryptor right away. Also depends if company is a regulated entity. Healthcare, financial services, energy, transportation are typically heavily regulated, so there may be less leeway in that are more issues that come across in terms of negotiations and how many people may be in the know for that piece, as well as public listed companies versus private companies that have different requirements in terms of disclosures, one of the questions we often get in, I know John, and I talk about this on a regular basis is, you know, post incident, typically the auditors are going to come in and also look at, you know, we noticed there's X dollars that have exited, which are a material number, how do you explain that? So all of that goes into that analysis about whether to pay or not to pay. 
But to come back to your question, can you negotiate with them, certainly, in terms of them keeping their side of the bargain, we're seeing some deviation to that where the norm used to be, they'll keep their word, there's honour amongst thieves, we're now seeing more and more cases where there's some kind of a breakout, one group in that supply chain for the ransomware as a service piece that I talked about earlier, will basically go off script and still demand more, or a portion of the data pops up on the net, still a minority, not the majority of the cases. But where we did not see that before, we're now starting to see it.

Ailsa Bloomer 20:58
That’s so interesting, that point you mentioned about seeing the insurance policy and stuff because presumably they've hacked into your systems, they can see your assets, they might be able to see your financial position, as you said, any policy insurance policies that you have in place. So when you're negotiating, you almost don't have any leverage because they have absolute transparency over what you can ultimately pay. Should we move on to talking a bit about law, the role of law enforcement. So then there's a changing nature and the role that law enforcement might be playing in ransomware incidents. We see how the FBI was involved in the US Colonial Pipeline attack. Can you talk a bit about how that is changing? And whether a company should inform law enforcement?

John Cassell 21:40
Sure, Ailsa, yeah, I think that's a really good question. And historically, in previous years, law enforcement, maybe not, maybe didn't play as large a role as they do now. Whereas now we recommend clients when they're subject to a ransomware attack to-- to keep law enforcement involved and notify them quite early in the process. There's a few reasons for that. One of the reasons is that in order in many insurance policies in order to make a claim under a policy of cyber insurance, that'll be a prerequisite under the policy that it's reported to law enforcement, because it is a crime. So that's usually a prerequisite. Two, and Imran mentioned the new updated guidance from OFAC in the US and whether a ransom payment can be made and whether it's legal, law enforcement's taking a much greater role in this assessment and scrutinizing it and including working, you know, so making a ransom payment in Canada, for instance, Canadian law enforcement will collaborate with the FBI in the in the United States, if there's a nexus to the United States, certainly will be involving the FBI early, typically informing them before the ransom payment is made and after the ransom payment is made, if one is one is made, and the reason for that is, the FBI has had some recent success, in particular, in tracking the Bitcoin wallets used to facilitate some of these ransom payments. And there has been some limited success in actually tracking some of these threat actors. So overall, we would say the role of law enforcement of these incidents is increasing and we're involving them earlier and in a more robust way.

Andrew McCoomb 23:38
You guys have already touched on this a little bit, but what about reporting obligations to regulators?

Imran Ahmad 23:44
Certainly there's-- there's requirements that are in Canada, federally and provincially, and sectorally. If it's health-related, for example, there are certain requirements in terms of risk of harm analysis, which may vary somewhat from one jurisdiction in Canada to another. But the bigger piece that John and I and our team looks at almost on a daily basis is the cross-border piece, where you know, you're a Canadian business or a business with operations in Canada but the breach occurs and impacts folks in the United States and EMEA, or other parts of the world and then coordinating those notifications. So the regulatory piece can become very complicated, very quickly. Who do you notify first? You know, in Canada, the requirement is as soon as practically possible. But in other jurisdictions, it could be as soon as 72 hours after you discover an incident. How do you reconcile those two? Do you share more with one regulator versus another? Do you report an incident even though you think it's a security issue going on, but having confirmed a privacy breach has occurred, maybe as a courtesy heads up, but then you're opening up a line of communication with a regulator who will necessarily want to know more. So those are some of the issues and challenges that clients face depending on how they operate and where they operate. The other piece we have seen over the past few years has been an increase in just general regulatory requirements to report incidents. Just to give you an example, financial institutions, which are typically regulated by OSFI, for example. OSFI, or Office of the Superintendent of Financial Institutions, has updated their two guidance documents, one in the area of self-assessment from a cybersecurity posture perspective so preparation standpoint. But also when an incident does occur, there's a standard form and a requirement to report the incident to the TRD, or the Technology Risk Division at OSFI.
And that is not a one-off, it is an ongoing discussion with OSFI throughout the incident, and then afterwards, in terms of what we call the path to green, or to be safe and secure. So just to give you a sense, you can have an incident, if you're an FI, for example, dealing with OSFI, dealing with multiple privacy regulators, as well as others, such as IIROC and others. So complicated regime, getting more and more complicated, because a lot of the regulators are putting out guidance documents, may or may not be binding, but certainly a lot more complexity to it than in the past.

Andrew McCoomb 26:07
What about the people whose information may be affected by a breach, like customers, what's the reporting obligation to them, how much contact you're going to have with them?

John Cassell 26:16
So with customers or other individuals whose personal information may be impacted in the incident, like regulatory reporting requirements, there may be a report notification requirement under privacy laws in Canada or international privacy and data protection laws so we're constantly assessing whether to notify those individuals, along with reporting to the regulators. And to be honest, it's a-- it's a sliding scale of assessing the risk to those individuals. The number one reason we notify individuals is to allow them to take steps to protect themselves, and self-mitigate against any damages. So we're constantly assessing, separate from regulatory obligations, should notifications be sent to individuals to advise them of the breach and-- and various steps that they can take to protect themselves and their personal information. So often, we recommend or if the circumstances warrant notifying individuals before reporting to regulators for that very reason so individuals can-- can take steps, you know, to protect themselves. One other point that we're seeing in ransomware is contractual customer notification requirements. So often, if an organization is hit with ransomware, and their systems are encrypted, and they may have a large number of corporate customers, they will not have access to the contracts, their various customer contracts that set out those notification requirements so it can be actually quite tricky to deal with, they don't know whether they have a contractual notification requirement. All their contracts are encrypted. So often, we're working with customers or, not customers, we're working with clients to help them assess whether they have any contractual notification requirements. 
And to build on Imran’s point about very tight regulatory reporting obligations, contractual notification requirements can often be very tight too, as soon as 24 hours and often, the threshold can be much lower than regulatory reporting requirements, even if it's there's a suspected breach, there's a potential for contractual notification requirements. So that's often I don't want to call it a forgotten piece. But it's a very important piece that we often help clients with.

Ailsa Bloomer 28:52
Working in the trenches in all of this, do you get to notice some patterns in certain ransomware gangs’ behaviors? For example, are there certain groups that more often than others, tend to bluff about their position or if you're attacked by the ransomware gang Darkside, let's say, for example, you know that they probably have stolen your data, like, are there some common patterns to certain gangs or is it always completely random?

Imran Ahmad 29:22
Well, it depends a little bit in terms of each gang, but they certainly have their own characteristics. And I'll share two or three that are, they're the ones that we see the most commonly in our cases. So there's one gang in particular, for example, that will not just steal the data, but will host it in the Cloud. And what they do is once you get a payment from them, or you get they get a payment from the victim organization, they will give that victim organization the username and password to go and pull the data from the Cloud. That's an interesting tactic that they're actually hosting it in the Cloud on a legitimate platform. There's pieces to that, that relate to law enforcement, we can talk about separately if you like, but the key element here is the client gets good visibility in terms of the exact data that was taken, those are probably the easier cases, quote-unquote, to manage in terms of notifications and what have you. There are other groups that don't do that. They'll simply say, yeah, we have your data, here's a couple of sample files, once they get the payment, they will give a ransom file tree, for example, indicating the folders that may have been accessed and the subsequent files that were filed in each one of those folders, which then leads to a very extensive exercise by the client to do data mining or e-discovery on those folders, and then make some assumptions that, you know, the screenshot that they got with the file tree must have been accessed. And not only accessed, but probably the data was taken out of their environment, which may lead to over notification in some cases, because we just don't know what the attacker would have taken at the most granular level so I think we see a lot of those tactics. 
The more recent one, which actually sort of struck me recently when I was reading this in the media, but also on some of the cases I'm hearing about now, of some of the forensic firms have told us that, you know, we talked about this ransomware as a service with the master hackers sitting on top, these gangs are controlled centrally at some level. And what we're seeing is, where historically, an attacker wants to make some cents on the dollar. So their demand is a million dollars, they’d rather take 100,000 than not get anything at all. What we're now seeing is where-- where we could negotiate lower numbers, you have more-- more of these master hackers stepping in in the middle of negotiating, saying no, 100,000 is a no go, it's 500,000 or more whatever the number may be. So you're seeing a lot of intervention that's popping up, at least it has been reported in the media. I suspect that may be problematic when it comes to negotiation because you won't have the same level of certainty about striking a deal and on the other side honouring it.

Andrew McCoomb 31:51
And it sounds like there's-- there's pushback in that the hackers don't want their own threat diluted by you know, making an easy buck, they want to make sure that the threat’s still valuable in terms of keeping people honest, keeping people scared of what it is that they can do with their data.

Imran Ahmad 32:09
Yeah, that's exactly right, I mean, if you look at the evolution of ransomware, where historically they would be spraying folks with spam email and hoping 20, 30, 40, 50 of them click on it, and the amounts would be small. So it was a volume game. We're now seeing these ransomware attacks where a lot of effort is being deployed again, back to that supply chain of ransomware as a service, they're going, quote-unquote, towards quality payment, they're looking for the big payout, they're actually willing to spend some time and effort and negotiate and put the pressure on the client, as opposed to saying, well, this person didn't click on it, therefore we'll move on to the next victim.

Andrew McCoomb 32:43
Premium ransomware, what an idea, what a-- what a time to be alive. Look, guys, this has been an extremely enlightening discussion. I'm sure we'll have more to talk to you about on the topic and related topics in the future. And so if you'll oblige us, we'll gladly have you back. But for now, I'll just say thanks very much for your time and for joining us on the podcast.

Imran Ahmad 33:07
Yeah, thanks for having us, great conversation.

John Cassell 33:09
Yeah, thank you very much for having us. Appreciate it.

Ailsa Bloomer 33:14
We hope you enjoyed this episode of Disputed. If you'd like to find out more about this topic, or how to contact our guests, please visit nortonrosefulbright.com/disputed. Also, if you have any questions, or feedback, or topics that you'd like us to cover in a future episode, please do email us at disputed@nortonrosefulbright.com. And if you would like to hear more, please subscribe to Disputed on Apple Podcasts, Spotify or wherever you get your podcasts.

Norton Rose Fulbright Canada LLP is providing this podcast as a purely educational service. While it may contain legal information, it should not be construed as legal advice, a legal opinion or recommendation, or a statement of process or policy of Norton Rose Fulbright Canada LLP. The information, views and opinions expressed by guest speakers are entirely their own and their appearance on the podcast does not express or imply an endorsement by Norton Rose Fulbright Canada LLP of the information, views or opinions expressed by any guests, or of any entities they represent. Norton Rose Fulbright Canada LLP expressly disclaims any and all liability or responsibility for any direct, indirect, incidental or any other form of damages arising out of any individual’s or organization’s use of, reference to, reliance on, or inability to use this podcast or the information presented in this podcast.
