SamSam and the Silent Battle of Atlanta

Abstract

The SamSam ransomware attack on Atlanta in early 2018 crippled municipal services in a major American city without the firing of a single shot, epitomizing the notion of a “Silent Battle”. Atlanta was not the only battlefield. Municipal governments in Colorado and New Mexico, as well as medical associations in Indiana, Virginia, New York and Buffalo, were all targets. While other ransomware or ransomware-like attacks have been larger-scale events, the SamSam ransomware attacks deserve an international law analysis. This article examines the SamSam attacks on health care providers and municipal government through the lens of the second Tallinn Manual. First, it explains the SamSam ransomware itself and Gold Lowell, the group presumed to be behind it. Second, this article explores how the SamSam incidents might be classified under international law. This article asks whether ransomware attacks are internationally wrongful acts - breaches of international obligations attributable to a State. This entails considering whether a ransomware attack may be legally classified as a use of force, an intervention, a violation of sovereignty, or a breach of an international law obligation. Finally, this article discusses the possible legal responses to the SamSam ransomware attacks available to the United States: countermeasures, the plea of necessity, acts of self-defense under Article 51 of the U.N. Charter, and acts of retorsion.