Two weeks ago, the Department of Justice (“DOJ”) announced two significant enforcement actions and shut down NetWalker and Emotet, powerful tools that had been used by alleged criminal networks engaging in widespread ransomware extortion schemes. These efforts highlight law enforcement’s focus on ransomware attacks and the growing cybersecurity risks faced by companies of all sizes, and they also demonstrate the increasing need for companies to design and implement effective incident response plans and cybersecurity programs before a problem surfaces. In addition, law enforcement and regulators are now pressuring financial institutions, cyber insurance companies, digital forensic agencies, and other entities involved in ransomware responses to report ransomware payments when they are found, and companies now face higher premiums and shoulder more risk as ransomware attacks escalate.

DOJ’s Efforts to Stop the Dangerous Contagion

Ransomware is on the rise, damaging the finances of more and more companies and individuals. According to data compiled by Chainalysis,¹ and consistent with Interpol’s April 2020 heightened threat alert that was directed to hospitals, school districts, and other institutions directly affected by the COVID-19 pandemic, payments by ransomware victims increased 311% in 2020. As we noted in October 2020, after the Attorney General’s Cyber-Digital Task Force issued its Cryptocurrency Enforcement Framework, the government has noticed this rise and in the last week of January, DOJ announced two important new prosecutions targeting this threat.

On January 27, 2021, the United States Attorney’s Office for the Middle District of Florida unsealed a criminal indictment against Sebastien Vachon-Desjardins for alleged conspiracy to commit computer fraud, conspiracy to commit wire fraud, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer,² stemming from Vachon-Desjardins’ alleged $27 million extortion scheme executed through a tool called NetWalker. NetWalker involves the use of a Ransomware-as-a-Service (“RaaS”) model involving a sophisticated network of criminal coconspirators, including developers who design malicious software for use in ransomware attacks, and their affiliates who contract for use of the ransomware to identify victims and access their data to extort payments from the targets.³ In a typical NetWalker scheme, a criminal organization uses a RaaS to create partnerships and engage in “double extortion schemes” whereby hackers remove sensitive data, encrypt the data, demand ransom from the victim, and then threaten to publish or sell the stolen data if ransom is not paid. According to Chainalysis, Netwalker has affected at least 203 victims in the U.S. and 102 victims in 27 different countries.

The following day, January 28, 2021, DOJ announced a second and even larger cyber takedown. According to DOJ’s press release, the Federal Bureau of Investigation (“FBI”) working alongside law enforcement authorities in Canada, France, Germany, the Netherlands, the United Kingdom, Lithuania, Sweden, and Ukraine shut down Emotet, a “family of malware” that became “one of the top cyber threats in the world” by deploying a different two-pronged botnet attack on multiple IP addresses in more than 50 countries, resulting in the infection of “hundreds of thousands of computers throughout the United States, including our critical infrastructure, and caused millions of dollars in damage to victims worldwide.” Like an asymptomatic virus, Emotet infected victim computers through phishing email messages designed to appear to come from a legitimate sender that contained malicious attachments or hyperlinks and allowed hackers to access victims’ computers and deliver malware, without the device owners’ knowledge. Since 2017 Emotet has infected a North Carolina school district, various corporations, as well as local, state, tribal, and federal governmental networks throughout the United States and around the world.

Other Regulatory Efforts to Stop the Spread

Ransomware dramatically impacts companies and individuals who fall victim to an attack. In October 2020, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) got in on the cyber fight when it warned that strict liability could attach to enabling institutions – such as banks, insurance companies, and other types of incident response agencies – that are deemed to have facilitated direct or indirect payments to individuals or countries that are subject to sanctions by OFAC. As a result of these developments, which we previously discussed, a person or entity subject to U.S. jurisdiction may be held civilly liable “even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.” Companies now must carefully consider the heightened risk of paying a ransom to an unknown individual because that person may be a Specially Designated National or sanctioned person by OFAC.

In an advisory intended for Chief Executive Officers, Chief Compliance Officers, Chief Information Officers, and other executives, Treasury’s Financial Crimes Enforcement Network (“FinCEN”) also highlighted that financial institutions are required to file Suspicious Activity Reports if they know, suspect, or have a reason to suspect that a transaction aggregates to $5,000 ($2,000 for money services businesses) and (i) involves funds derived from illegal activity, (ii) is designed to evade Bank Secrecy Act regulations, (iii) lacks a business or apparent lawful purpose, or (iv) involves the use of the financial institution to facilitate criminal activity. The advisory emphasized that attempted ransom payments qualify as reportable activity.

While we recently explained how important it is for in-house counsel to always think carefully about disclosing an attack on sensitive information by hackers, those confronted with a ransomware demand must also recognize the heightened risk of making a ransomware payment. Despite a corporate victim’s interest in wanting to keep a cybersecurity breach under wraps, both the OFAC and FinCEN advisories now emphasize the government’s expectation that a cybersecurity victim will report the breach to facilitate the government’s efforts to combat cybercrime. To incentivize reporting, OFAC’s Enforcement Guidelines consider a company’s self-initiated, full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome.

The Immunization Strategy

In the past, many operated under the assumption that cyber criminals mostly targeted large companies with deep pockets that the criminals believe are more likely to make an exorbitant ransom payment. However, recent history shows that smaller companies, local governmental agencies, hospitals, and even school districts may be more vulnerable targets, as they have fewer resources to invest in sophisticated cyber protection tools. While all institutions should construct a comprehensive incident response plan⁴ that assesses contingencies and outlines a strategic reporting methodology to implement once a crisis presents, outside companies involved in helping a victim’s response also need to be aware of their regulatory obligations under FinCEN and OFAC regulations. Given the increased and overlapping regulatory framework, however, the time to act to prepare for such an event is now, before a crisis occurs. Companies and individuals who are prone to a cyberattack — i.e., everybody — should begin to design and implement a cyber-response strategy and develop a plan to detect and respond to an incident when it occurs.

Incident Response Plan Elements – a non-exhaustive starting point:

• Gather a diverse team of lawyers with regulatory expertise and insurance knowledge, digital forensics analysts, and conflict managers;
• Create a reporting flowchart that delegates responsibility and includes conditions for reporting up to the board of directors and out to authorities;
• Implement a defensive strategy of storing backups of critical data offsite at co-location facilities;
• Maintain a library of ransomware-related information, including current OFAC and FinCEN regulations, information from Information and Analysis Sharing Centers (ISACs) and InfraGard, and any other applicable authority related to your business;
• Designate members of the response team to create ready access to template Suspicious Activity Reports to file if necessary;
• Involve in-house or outside public relations professionals to ensure a consistent message among the lawyers reporting to regulatory authorities and team members that are speaking to customers and the public; and
• Launch a training program with experiential elements, such as fake phishing schemes that heighten employees’ awareness of suspicious email traffic.

¹ Chainalysis licenses tools used to track transfers of digital currency.

² 8 U.S.C. §§ 371, 1349, 1343, 1030.

³ https://www.law360.com/whitecollar/articles/1349315/feds-say-canadian-extorted-27m-from-ransomware-victims?nl_pk=1372e1ff-4dd0-4ee0-bc2d-6a9cca44e26a&utm_source=newsletter&utm_medium=email&utm_campaign=whitecollar.

⁴ See Devika Kornbacher, “The Right Stuff: Building an Effective Cybersecurity Incident Response Team,” Law.com Inside Counsel, October 17, 2017, https://www.law.com/insidecounsel/sites/insidecounsel/2017/10/17/the-right-stuff-building-an-effective-cybersecurity-incident-response-team/?slreturn=20210110150703.