On June 2, 2021, Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, published a rare open letter to the corporate executives and business leaders of private organizations about the significant threat of ransomware attacks. The letter comes in the wake of a recent string of ransomware attacks against various sectors of the U.S. economy, including, for example, the energy, banking, healthcare, and food processing sectors. The letter comes on the heels of President Biden’s Executive Order on Improving the Nation’s Cybersecurity which requires the federal government to adopt several new cybersecurity practices designed to protect the government from cybersecurity attacks. The federal government is also increasing enforcement efforts against bad actors using ransomware to disrupt the U.S. economy and announced on June 7, 2019, that that the Department of Justice seized millions of dollars in cryptocurrency arising from the ransomware incident involving the Colonial Pipeline incident.
The letter describes that the federal government has stepped up efforts to stop ransomware attacks, including increasing efforts to disrupt ransomware networks, working with international partners to hold foreign countries that harbor ransomware actors accountable, and developing more cohesive and consistent policies towards the payment of ransomware.
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has also issued advisory guidance on the sanctions risks associated with ransomware payments for malicious cyber-enabled activities. Specifically, under the authority of the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (persons) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria) among other transactions. Businesses considering paying the ransom to get back their data or to prevent public disclosure of their data should review this OFAC advisory guidance before making any ransomware payment because OFAC may impose civil penalties for sanctions based on strict liability – meaning your organization could be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under the OFAC sanctions laws (for publicly traded companies such liability could also spawn investor suits).
The letter also warns the private sector that it bears the responsibility to protect themselves against the threat of ransomware, pointing out that any company may become the target of a ransomware attack, regardless of the company’s size or location. The letter urges all companies to take the threat of ransomware seriously and adopt cybersecurity practices that match this threat. Accordingly, business leaders are encouraged to review the business’s overall cybersecurity posture, and business continuity plans to ensure that they can quickly restore operations in the event of a ransomware attack.
Further, businesses are urged to immediately take the following steps to focus efforts and rapidly progress towards reducing the risk of a ransomware attack:
- Implementing the best practices outlined in President Biden’s Executive Order on Improving the Nation’s Cybersecurity: These practices include: (a) the use of multi-factor authentication instead of relying on passwords alone; (b) the use of network detection and response technologies to actively detect and hunt for malicious activity on a network and stop it before it can damage the network or systems; (c) the use of encryption technology to minimize the damage if the ransomware not only holds data hostage through encryption but also exfiltrates the information to attempt to further extract a ransom by threatening to disclose sensitive information even when the data was restored from backups; and (d) use an appropriately qualified system security team that monitors available information for new threats and that appropriately patches and maintains the business’s IT systems to protect against these threats.
- Backup system images, configurations, and data to offline storage and regularly test these backups: Ransomware will regularly try to encrypt and delete backups accessible from the business network. Accordingly, backups should be stored offline where they cannot be reached in a ransomware attack that encrypts the business’s IT systems. Furthermore, businesses are advised to regularly test whether the backups are sufficient to restore the system in the event of an attack.
- Promptly patch and update systems: As new vulnerabilities are discovered, patching is a critical component in protecting against ransomware attacks. Organizations should consider a patch management system and use a risk-based assessment strategy to determine when to patch operating systems, applications, and firmware.
- Test incident response plans: Businesses should have an incident response plan and test it regularly through tabletop simulations to uncover and address any gaps in the plan. When reviewing the incident response plan, the business should ask itself several core questions, including (a) what systems are critical to continuing business operations; (b) how long can the business continue operations without specific systems; and (c) would the business be forced to discontinue manufacturing operations if specific business systems were affected by a ransomware attack (such as billing). The business should then adjust the incident response plan as appropriate.
- Check the security team’s work: Companies should test their systems’ security through penetration testing and other vulnerability testing.
- Network segmentation: Ransomware attacks can steal data and disrupt operations. For businesses that engage in manufacturing and production operations, ransomware attacks can significantly impact if ransomware can get to the systems that control manufacturing and production. The letter recommends that the computer networks that control manufacturing and production operations be separated from the networks used for corporate business functions and that businesses identify the links between these networks and carefully filter and limit internet access between these networks. This will help ensure that the manufacturing and production network can be isolated and that manufacturing and production operations continue if the corporate network is isolated. Businesses should regularly test contingency plans such as manual controls to ensure that functions that are critical to safety can be maintained during a ransomware attack.
Businesses should note that the above OFAC guidance is likely to be considered the standard best practices applied in any civil action following a ransomware attack to determine if the company met its general standard of care.
Additional Cybersecurity Resources for Businesses
The Cybersecurity & Infrastructure Security Agency (CISA) and other U.S. government organizations have several resources to assist companies in protecting against ransomware attacks, including:
In addition, the Department of Health and Human Services has published some additional ransomware resources for organizations in the healthcare sector.
Although protecting against ransomware is an essential part of a business’s cybersecurity strategy, businesses should realize that ransomware is one of the types of cybersecurity threats that businesses face. For example, the traditional ransomware attack that holds a business’s information hostage is now often combined with exfiltration of the information such that even if a business can quickly recover encrypted systems from backups, it risks the disclosure of sensitive business and personal information. Businesses are therefore encouraged to adopt a comprehensive cybersecurity strategy that is appropriate to the risks it faces.