Ransomware attacks have been a mainstay of the 2021 news cycle. As the federal government’s recent actions reflect, there is no sign that these cyberattacks—in which hackers infiltrate an organization’s systems, lock victims out and demand millions of dollars to let them back in—will disappear anytime soon.
In just the past year, ransomware attacks shut down the Colonial Pipeline, shuttered meat processing plants, forced a Swedish grocery chain to close 800 stores for a day, caused Howard University to suspend classes for two days and exposed a Florida town to potentially poisonous drinking water.
According to Cybersecurity Ventures, a research firm, global ransomware damages will amount to more than $20 billion in 2021, up from just $5 billion in 2017. The federal government estimates that “roughly $350 million in ransom was paid to malicious cyber actors in 2020, a more than 300 percent increase from the previous year.” The Treasury Department recently noted that in the first six months of 2021, approximately $600 million in reported transactions were linked to possible ransomware payments.
Other ransomware attacks cause incalculable losses. In a recent Alabama lawsuit, a mother alleges that as a direct result of a ransomware attack on the hospital in which she gave birth, her daughter was born with severe brain damage and died just nine months later. According to the complaint, the attack hampered nurses’ ability to monitor fetal heartbeats, leading the delivery team to miss warning signs that the child, born with the umbilical cord wrapped around her neck, was in serious distress.
Business leaders cannot delegate full management of cyber risk to technical professionals. Cybersecurity is a board-level responsibility, and executives must pay particular attention to the unique risk ransomware entails. To protect consumers, ensure operational continuity and avoid reputational damage, organizations must appreciate mounting regulatory expectations and take steps to bolster the technical safeguards that protect their systems.
The Federal Response
In 2021, the U.S. government increased its efforts to combat ransomware attacks. Each tactic makes clear that the government will do all it can to stem such attacks, but it necessarily relies on the private sector to help.
New initiatives emphasize “shared responsibility”: This past June 2, the White House issued an open letter to private-sector executives stressing the seriousness of the ransomware threat, urging companies to do their part to mitigate the danger and providing a list of best practices to protect data and ensure an effective incident-response plan.
The next day, the Department of Justice announced the centralization of its internal tracking of all ransomware cases, building on its earlier launch of a Ransomware and Digital Extortion Task Force—which elevated ransomware investigations to the same priority level as those regarding terrorism. Speaking to the Wall Street Journal, FBI director Christopher A. Wray noted that “[t]here’s a shared responsibility, not just across government agencies but across the private sector and even the average American.”
Six weeks later, on July 15, the federal government launched stopransomware.gov, a consolidated online resource. Attorney General Merrick B. Garland emphasized that it “is critical for business leaders across industries to recognize the threat, prioritize efforts to harden their systems and work with law enforcement by reporting these attacks promptly.”
In early October, to continue to pressure compliance with cybersecurity protocols, the DOJ announced a new Civil Cyber-Fraud Initiative and a National Cryptocurrency Enforcement Team. The former will use the False Claims Act to pursue cybersecurity-related fraud, including failure to follow required cybersecurity standards, by government contractors and grant recipients. The latter will work to recover lost assets, including cryptocurrency payments made to ransomware groups.
In mid-October, OFAC provided updated guidance on compliance best practices for private companies that may have exposure to virtual currencies or their service providers, aimed at promoting “compliance with sanctions requirements.”
Successful prosecutions following a private-sector security breach: In consultation with outside counsel, companies should consider a referral to laws enforcement when faced with a cyberattack. Successful ransomware-related prosecutions can be difficult; perpetrators often reside outside the bounds of U.S. jurisdiction and extradition ability. Nonetheless, the government recently filed charges or seized assets related to ransomware attacks:
- On June 4, a Latvian national was arraigned in federal court in Ohio on charges stemming from her alleged role in a transnational cybercrime organization responsible for creating and deploying a computer-banking Trojan and ransomware suite for malware.
- On June 7, the DOJ announced the seizure of 63.7 bitcoins, then valued at approximately $2.3 million, representing proceeds from the ransom payment associated with the Colonial Pipeline attack.
- On June 16, a Russian national was convicted after a trial in federal court in Connecticut for helping operate a “crypting” service used to conceal malware from antivirus software, thereby “enabling hackers to systemically infect victim computers around the world with . . . ransomware,” according to the U.S. Attorney’s office in the Connecticut district. The same day, an Estonian national pleaded guilty to a federal charge related to his role in operating the same service
OFAC advisory to private companies: Finally, on September 21, the Office of Foreign Assets Control (OFAC) issued an advisory highlighting the risk entities face when making ransomware payments to cyber actors included on OFAC’s list of Specially Designated Nationals (SDNs) and Blocked Persons.
Americans are generally prohibited from entering into transactions with SDNs. Also in September, OFAC designated the virtual currency exchange SUEX as an SDN—the first such exchange to earn this dubious honor. According to OFAC, SUEX facilitated financial transactions for ransomware actors. American companies are now prohibited from engaging in “transactions, directly or indirectly” with SUEX, and OFAC may impose civil penalties based on strict liability alone. There is no “ransomware exception” to this prohibition.
Payments to ransomware attackers carry a host of other risks, including potential liability under the Foreign Corrupt Practices Act, the International Emergency Economic Powers Act and the Trading with the Enemy Act. Companies must carefully consider the consequences of any payments they might be tempted to make.
What the Private Sector Can Do
There are several concrete things businesses can do to comply with regulatory expectations and mitigate the risk of a ransomware attack.
Enhance cyber defenses: The White House’s open letter urged companies to take a number of steps to combat the threat, and rightly so. The Colonial Pipeline attack exposed weaknesses in the company’s security protocols, disrupting gasoline delivery across a large swath of the eastern U.S. Some reports indicated that the attack was the result of a single compromised password. To avoid becoming the next ransomware headline, companies should continually consult with third-party experts to assess and test their defenses.
Incorporate ransomware risk into compliance programs: Every well-designed compliance program requires a thorough analysis of the risks a company faces—and ransomware should be front and center. In addition to information security being a component of periodic compliance assessments generally, organizations should consider retaining independent technical assistance to enhance and test it.
Closely monitor future federal action: If the past six months are any indication, the U.S. government will continue to bolster its efforts against ransomware attacks. Companies and other organizations should monitor federal guidance and regulatory activity to ensure they’re meeting government expectations and are prepared for future attacks.
In short, the government and private sector can—and should—be allies in the fight against rising ransomware. A coordinated approach will boost cyber-defenses and deter a common enemy.
Abigail L. Peluso is a partner at Riley Safer Holmes & Cancila LLP and previously served as Assistant United States Attorney in the U.S. Attorney’s Office for the Northern District of Illinois, where she prosecuted transnational actors.
Georgia N. Alexakis is a partner at Riley Safer Holmes & Cancila LLP and previously served as Assistant United States Attorney in the U.S. Attorney’s Office for the Northern District of Illinois, where she investigated and prosecuted cybercrimes and helped secure the convictions of individuals who violated laws and regulations prohibiting economic transactions with SDNs.
John K. Theis is a partner at Riley Safer Holmes & Cancila LLP and previously served as Associate White House Counsel and a Department of Justice trial lawyer.
Patricia Brown Holmes is the managing partner of Riley Safer Holmes & Cancila and focuses her practice on high-stakes commercial litigation, crisis management, white collar crime, and legal counseling. Patricia is the first African-American woman to lead and have her name on the door of a major law firm that is not women- or minority-owned.