It is no secret that ransomware attacks have increased in sophistication and sheer numbers during the COVID-19 pandemic, but a silver bullet solution remains elusive.[1] The government is attacking the problem in multiple ways. Most recently, on January 21, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) kicked off one of their priority campaigns for 2021, Reduce the Risk of Ransomware. As CISA’s efforts make clear, however, the government is looking to the private sector to take the lead on preventing these attacks.
In this article, we review the latest trends in the government’s efforts to combat ransomware and provide practical considerations general counsels should consider prior to an attack.
CISA Announces Ransomware Campaign for 2021
CISA’s new ransomware campaign is focused on “working collaboratively with our public and private sector partners” to increase threat sharing and cyber preparedness to prevent ransomware attacks. Pivoting off the recent increase in attacks, CISA is focusing initial efforts in this campaign on sectors and industries, like health care, that are vital to the nation’s COVID response. Additionally, CISA is establishing a one-stop Resource Center for information, best practices, and tools to combat ransomware. The Resource Center will have:
- Technical alerts and statements on the latest ransomware threats.
- Guidance and practical tips tailored for preventing ransomware attacks.
- Fact Sheets and infographics designed to help organizations and individuals better understand the threats from and the consequences of a ransomware attack.
- Training and webinars for both technical and non-technical audiences to increase overall awareness.
These resources may prove valuable, in particular the up-to-date threat advisories, but it remains clear that the burden will be on individual entities to take the lead in defending themselves.
The Government Increases Ransomware Activities
CISA’s Resource Center is just one part of the government’s fight against ransomware. The U.S. Department of Homeland Security (DHS) and the U.S. Department of Justice (DOJ), often working in conjunction, have targeted intelligence and enforcement activities against the threat actors. At the end of 2020, the FBI and CISA issued two sobering threat advisories warning that threat actors were targeting sectors and businesses critical to the COVID response with ransomware attacks. First, in October 2020, the FBI and CISA issued an alert warning that hospitals, health care providers, and public-health sector organizations were being targeted with strains of ransomware called Ryuk, Conti, and TrickBot. Soon thereafter, the FBI and CISA issued a second alert warning about ransomware threats to kindergarten through 12th-grade (K-12) educational institutions, with the specific intent to disrupt online learning and steal sensitive personal data.
In addition, the DOJ has shown an increased willingness to charge individuals and organizations even when jurisdictional limitations make arrests more challenging. The recently announced indictment of the NetWalker ransomware threat actors showcases the government’s capabilities. According to the DOJ, NetWalker was targeting, among others, health care organizations and hospitals in an effort to take advantage of the pandemic. The DOJ further alleged that the individual who was indicted had obtained at least $27.6 million as a result of the ransomware attacks. Of note, in addition to the criminal charges, the DOJ was able to seize “approximately $454,530.19 in cryptocurrency from ransom payments, and [disable] a dark web hidden resource used to communicate with NetWalker ransomware victims.” Even though the DOJ may not always be able to arrest individuals operating overseas, disrupting threat actors’ ability to profit may have real deterrent effect. These actions are welcome, and it would be encouraging to see more resources devoted to these challenging cases.
In contrast to the DOJ and DHS, the U.S. Treasury Department has focused on discouraging victim companies from paying ransoms to sanctioned individuals and entities. On October 1, 2020, the Office of Foreign Assets Control (OFAC) issued an Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. (Available at: https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf). The Advisory warned that any entity that makes or facilitates a ransomware payment to a sanctioned individual or entity could face civil liability – even if the victim company did not know the identity of the threat actor. This strict liability approach to ransomware payments makes it essential that victim companies take appropriate due diligence steps to minimize the risk that the threat actor is a sanctioned entity. OFAC does note that it will consider certain mitigations, most notably stating that “a company’s full and timely cooperation with law enforcement both during and after a ransomware attack [will] be a significant mitigating factor when evaluating a possible enforcement outcome.”
General Counsels Can Take Practical Steps to Prepare Now
Preparing for a ransomware attack is not solely the responsibility of technical security teams. Legal departments can take practical steps now that will help facilitate an efficient response. We recommend that general counsels consider the following:
- Review cyber threat sharing. Companies have a variety of resources available, like the new CISA Resource Center, that provide threat intelligence. General counsels should look to understand what intelligence the company receives and whether additional relationships could expand that intelligence.
- Paying the ransom. Prior to an attack, companies may wish to consider the factors and stakeholders that will be part of the decision about paying a ransom. Important factors may include balancing the business need to pay the ransom, the likelihood that paying the ransom will result in obtaining decryption keys, and the desire to not reward criminals.
- Contacting law enforcement. Companies should know who they would contact in case of a ransomware attack and ideally should develop that relationship prior to an attack. Victim companies will find it essential to connect with law enforcement officials who understand the realities a business faces once attacked.
- Notification obligations. As with any cyberattack, victim companies should have an understanding of the potential regulatory and contractual notification requirements that may be triggered by a ransomware attack. In addition to legally mandated disclosures, companies should consider whether prudential notifications to key partners are appropriate.
- OFAC due diligence. Companies should understand the OFAC Advisory and the steps they can take to minimize the risk of violating sanctions should a payment be made.
- Payment logistics. Threat actors will demand payment in digital currency, usually bitcoin. The logistics of obtaining digital currencies in significant amounts may be challenging. Companies should understand whether they could readily do so if needed or if they may need outside assistance.
- Cyber Insurance. Many cyber insurance policies cover ransomware events and provide resources for responding to the attack. Counsel should understand these resources, whom to contact during an incident, and the requirements the carrier will have before they provide coverage.
- Working with technical teams. Should an attack occur, counsel will benefit by having an understanding of some of the technical considerations that are likely to arise, like what backups and recovery options may be available and what logging and monitoring tools are in place to evaluate the scope of the attack.
While recent efforts by the DOJ and CISA are encouraging, the private sector is clearly the first line of defense against ransomware attacks. General counsels can and should do more than trust that it won’t happen to them. These practical steps can help general counsels guide their company through a ransomware event and achieve as positive an outcome as possible.
[1] For example, at the CISA Cyber Summit last fall, a federal law enforcement panel on ransomware reported that average ransom payments have been steadily increasing over the past several years, from tens of thousands of dollars to upwards of a million dollars.