Insight

An Allied Front Against Ransomware

With the world ever more digitally entwined—particularly as the pandemic has increasingly driven commerce and ordinary business activity more fully online—the threat of ransomware is here to stay. Here’s a primer on the federal government’s response and how the private sector can help.

Federal Government’s Response to Ransomware
Patricia Brown Holmes

Patricia Brown Holmes, Abigail L. Peluso, Georgia N. Alexakis, and John K. Theis

November 4, 2021 06:40 AM

Ransomware attacks have been a mainstay of the 2021 news cycle. As the federal government’s recent actions reflect, there is no sign that these cyberattacks—in which hackers infiltrate an organization’s systems, lock victims out and demand millions of dollars to let them back in—will disappear anytime soon.

In just the past year, ransomware attacks shut down the Colonial Pipeline, shuttered meat processing plants, forced a Swedish grocery chain to close 800 stores for a day, caused Howard University to suspend classes for two days and exposed a Florida town to potentially poisonous drinking water.

According to Cybersecurity Ventures, a research firm, global ransomware damages will amount to more than $20 billion in 2021, up from just $5 billion in 2017. The federal government estimates that “roughly $350 million in ransom was paid to malicious cyber actors in 2020, a more than 300 percent increase from the previous year.” The Treasury Department recently noted that in the first six months of 2021, approximately $600 million in reported transactions were linked to possible ransomware payments.

Other ransomware attacks cause incalculable losses. In a recent Alabama lawsuit, a mother alleges that as a direct result of a ransomware attack on the hospital in which she gave birth, her daughter was born with severe brain damage and died just nine months later. According to the complaint, the attack hampered nurses’ ability to monitor fetal heartbeats, leading the delivery team to miss warning signs that the child, born with the umbilical cord wrapped around her neck, was in serious distress.

Business leaders cannot delegate full management of cyber risk to technical professionals. Cybersecurity is a board-level responsibility, and executives must pay particular attention to the unique risk ransomware entails. To protect consumers, ensure operational continuity and avoid reputational damage, organizations must appreciate mounting regulatory expectations and take steps to bolster the technical safeguards that protect their systems.

The Federal Response

In 2021, the U.S. government increased its efforts to combat ransomware attacks. Each tactic makes clear that the government will do all it can to stem such attacks, but it necessarily relies on the private sector to help.

New initiatives emphasize “shared responsibility”: This past June 2, the White House issued an open letter to private-sector executives stressing the seriousness of the ransomware threat, urging companies to do their part to mitigate the danger and providing a list of best practices to protect data and ensure an effective incident-response plan.

The next day, the Department of Justice announced the centralization of its internal tracking of all ransomware cases, building on its earlier launch of a Ransomware and Digital Extortion Task Force—which elevated ransomware investigations to the same priority level as those regarding terrorism. Speaking to the Wall Street Journal, FBI director Christopher A. Wray noted that “[t]here’s a shared responsibility, not just across government agencies but across the private sector and even the average American.”

Six weeks later, on July 15, the federal government launched stopransomware.gov, a consolidated online resource. Attorney General Merrick B. Garland emphasized that it “is critical for business leaders across industries to recognize the threat, prioritize efforts to harden their systems and work with law enforcement by reporting these attacks promptly.”

In early October, to continue to pressure compliance with cybersecurity protocols, the DOJ announced a new Civil Cyber-Fraud Initiative and a National Cryptocurrency Enforcement Team. The former will use the False Claims Act to pursue cybersecurity-related fraud, including failure to follow required cybersecurity standards, by government contractors and grant recipients. The latter will work to recover lost assets, including cryptocurrency payments made to ransomware groups.

In mid-October, OFAC provided updated guidance on compliance best practices for private companies that may have exposure to virtual currencies or their service providers, aimed at promoting “compliance with sanctions requirements.”

Successful prosecutions following a private-sector security breach: In consultation with outside counsel, companies should consider a referral to laws enforcement when faced with a cyberattack. Successful ransomware-related prosecutions can be difficult; perpetrators often reside outside the bounds of U.S. jurisdiction and extradition ability. Nonetheless, the government recently filed charges or seized assets related to ransomware attacks:

  • On June 4, a Latvian national was arraigned in federal court in Ohio on charges stemming from her alleged role in a transnational cybercrime organization responsible for creating and deploying a computer-banking Trojan and ransomware suite for malware.
  • On June 7, the DOJ announced the seizure of 63.7 bitcoins, then valued at approximately $2.3 million, representing proceeds from the ransom payment associated with the Colonial Pipeline attack.
  • On June 16, a Russian national was convicted after a trial in federal court in Connecticut for helping operate a “crypting” service used to conceal malware from antivirus software, thereby “enabling hackers to systemically infect victim computers around the world with . . . ransomware,” according to the U.S. Attorney’s office in the Connecticut district. The same day, an Estonian national pleaded guilty to a federal charge related to his role in operating the same service

OFAC advisory to private companies: Finally, on September 21, the Office of Foreign Assets Control (OFAC) issued an advisory highlighting the risk entities face when making ransomware payments to cyber actors included on OFAC’s list of Specially Designated Nationals (SDNs) and Blocked Persons.

Americans are generally prohibited from entering into transactions with SDNs. Also in September, OFAC designated the virtual currency exchange SUEX as an SDN—the first such exchange to earn this dubious honor. According to OFAC, SUEX facilitated financial transactions for ransomware actors. American companies are now prohibited from engaging in “transactions, directly or indirectly” with SUEX, and OFAC may impose civil penalties based on strict liability alone. There is no “ransomware exception” to this prohibition.

Payments to ransomware attackers carry a host of other risks, including potential liability under the Foreign Corrupt Practices Act, the International Emergency Economic Powers Act and the Trading with the Enemy Act. Companies must carefully consider the consequences of any payments they might be tempted to make.

What the Private Sector Can Do

There are several concrete things businesses can do to comply with regulatory expectations and mitigate the risk of a ransomware attack.

Enhance cyber defenses: The White House’s open letter urged companies to take a number of steps to combat the threat, and rightly so. The Colonial Pipeline attack exposed weaknesses in the company’s security protocols, disrupting gasoline delivery across a large swath of the eastern U.S. Some reports indicated that the attack was the result of a single compromised password. To avoid becoming the next ransomware headline, companies should continually consult with third-party experts to assess and test their defenses.

Incorporate ransomware risk into compliance programs: Every well-designed compliance program requires a thorough analysis of the risks a company faces—and ransomware should be front and center. In addition to information security being a component of periodic compliance assessments generally, organizations should consider retaining independent technical assistance to enhance and test it.

Closely monitor future federal action: If the past six months are any indication, the U.S. government will continue to bolster its efforts against ransomware attacks. Companies and other organizations should monitor federal guidance and regulatory activity to ensure they’re meeting government expectations and are prepared for future attacks.

In short, the government and private sector can—and should—be allies in the fight against rising ransomware. A coordinated approach will boost cyber-defenses and deter a common enemy.

Abigail L. Peluso is a partner at Riley Safer Holmes & Cancila LLP and previously served as Assistant United States Attorney in the U.S. Attorney’s Office for the Northern District of Illinois, where she prosecuted transnational actors.

Georgia N. Alexakis is a partner at Riley Safer Holmes & Cancila LLP and previously served as Assistant United States Attorney in the U.S. Attorney’s Office for the Northern District of Illinois, where she investigated and prosecuted cybercrimes and helped secure the convictions of individuals who violated laws and regulations prohibiting economic transactions with SDNs.

John K. Theis is a partner at Riley Safer Holmes & Cancila LLP and previously served as Associate White House Counsel and a Department of Justice trial lawyer.

Patricia Brown Holmes is the managing partner of Riley Safer Holmes & Cancila and focuses her practice on high-stakes commercial litigation, crisis management, white collar crime, and legal counseling. Patricia is the first African-American woman to lead and have her name on the door of a major law firm that is not women- or minority-owned.

Related Articles

Hybrid Work - A Path for Female Lawyers


by Roberta Liebenberg

Remote work, flex time, some combination of both, all the rest of the pandemic’s new office normal: mere hype, or finally a meaningful option for female lawyers?

Remote Work Becoming Vital for Female Lawyers

Navigating the New Normal


by Jody E. Briandi

The pandemic has upended many law firms’ internal culture and their lawyers’ work habits, in many ways for the better. As we approach 2022, how can we consolidate those positive effects to transform the practice of law (and our personal lives) for the better?

Work Habits Affected by the Pandemic

And Justice for All


by Harry M. Reasoner

Equal opportunity for justice before impartial law is a supposed bedrock of American citizenship. All too often, though, that noble ideal is honored more in the breach than the observance. The legal profession, and the country, must simply do better.

Legal Justice for All Americans is Lacking

Bidding Wars: Understanding Federal Bid Protests


by Lori Ann Lange

Federal government contracting can be convoluted. Here’s a primer on filing a bid protest for parties who think they’ve been wronged.

Filing Big Protest with Federal Government

Targeted Cyber Attacks Are Rapidly Increasing in 2019


by James L. Pray

Targeted cyber attacks, spear-phishing attacks, and ransomware attacks are increasing and could put your business's security on the line.

Cyber Attacks Are Increasing

Trending Articles

2025 Best Lawyers Awards Announced: Honoring Outstanding Legal Professionals Across the U.S.


by Jennifer Verta

Introducing the 31st edition of The Best Lawyers in America and the fifth edition of Best Lawyers: Ones to Watch in America.

Digital map of the United States illuminated by numerous bright lights

Unveiling the 2025 Best Lawyers Awards Canada: Celebrating Legal Excellence


by Jennifer Verta

Presenting the 19th edition of The Best Lawyers in Canada and the 4th edition of Best Lawyers: Ones to Watch in Canada.

Digital map of Canadathis on illuminated by numerous bright lights

Legal Distinction on Display: 15th Edition of The Best Lawyers in France™


by Best Lawyers

The industry’s best lawyers and firms working in France are revealed in the newly released, comprehensive the 15th Edition of The Best Lawyers in France™.

French flag in front of country's outline

Announcing the 13th Edition of Best Lawyers Rankings in the United Kingdom


by Best Lawyers

Best Lawyers is proud to announce the newest edition of legal rankings in the United Kingdom, marking the 13th consecutive edition of awards in the country.

British flag in front of country's outline

Announcing the 16th Edition of the Best Lawyers in Germany Rankings


by Best Lawyers

Best Lawyers announces the 16th edition of The Best Lawyers in Germany™, featuring a unique set of rankings that highlights Germany's top legal talent.

German flag in front of country's outline

Prop 36 California 2024: California’s Path to Stricter Sentencing and Criminal Justice Reform


by Jennifer Verta

Explore how Prop 36 could shape California's sentencing laws and justice reform.

Illustrated Hands Breaking Chains Against a Bright Red Background

Celebrating Excellence in Law: 11th Edition of Best Lawyers in Italy™


by Best Lawyers

Best Lawyers announces the 11th edition of The Best Lawyers in Italy™, which features an elite list of awards showcasing Italy's current legal talent.

Italian flag in front of country's outline

Combating Nuclear Verdicts: Empirically Supported Strategies to Deflate the Effects of Anchoring Bias


by Sloan L. Abernathy

Sometimes a verdict can be the difference between amicability and nuclear level developments. But what is anchoring bias and how can strategy combat this?

Lawyer speaking in courtroom with crowd and judge in the foreground

Things to Do Before a Car Accident Happens to You


by Ellie Shaffer

In a car accident, certain things are beyond the point of no return, while some are well within an individual's control. Here's how to stay legally prepared.

Car dashcam recording street ahead

The Push and Pitfalls of New York’s Attempt to Expand Wrongful Death Recovery


by Elizabeth M. Midgley and V. Christopher Potenza

The New York State Legislature recently went about updating certain wrongful death provisions and how they can be carried out in the future. Here's the latest.

Red tape blocking off a section of street

Tampa Appeals Court ‘Sends Clear Message,” Ensuring School Tax Referendum Stays on Ballot


by Gregory Sirico

Hillsborough County's tax referendum is back on the 2024 ballot, promising $177 million for schools and empowering residents to decide the future of education.

Graduation cap in air surrounded by pencils and money

Find the Best Lawyers for Your Needs


by Jennifer Verta

Discover how Best Lawyers simplifies the attorney search process.

A focused woman with dark hair wearing a green top and beige blazer, working on a tablet in a dimly

Key Developments and Trends in U.S. Commercial Litigation


by Justin Smulison

Whether it's multibillion-dollar water cleanliness verdicts or college athletes vying for the right to compensation, the state of litigation remains strong.

Basketball sits in front of stacks of money

Is Premises Liability the Same as Negligence?


by Jeremy Wilson and Taylor Rodney Marks

In today's age, we are always on the move, often inhabiting spaces we don't own. But what happens when someone else's property injures you or someone you know?

A pair of silhouetted legs falling down a hole with yellow background

Woman on a Mission


by Rebecca Blackwell

Baker Botts partner and intellectual property chair Christa Brown-Sanford discusses how she juggles work, personal life, being a mentor and leadership duties.

Woman in green dress crossing her arms and posing for headshot

Best Lawyers Celebrates Women in the Law: Ninth Edition


by Alliccia Odeyemi

Released in both print and digital form, Best Lawyers Ninth Edition of Women in the Law features stories of inspiring leadership and timely legal issues.

Lawyer in green dress stands with hands on table and cityscape in background