On successive days last week, the Department of Justice (DOJ) unveiled enforcement actions against international cybercriminal organizations that utilized ransomware to infect computer systems and then extort payment, often in the form of cryptocurrency, from victims worldwide. First, the Criminal Division’s Computer Crime and Intellectual Property Section and the U.S. Attorney’s Office for the Middle District of Florida announced the unsealing of charges against a Canadian national for his alleged involvement in the ransomware scheme known as NetWalker that generated tens of millions of dollars from businesses, public entities, and individuals whose computer databases were encrypted and rendered useless, pending satisfaction of a ransom demand. The following day, the U.S. Attorney’s Office for the Middle District of North Carolina and the Criminal Division’s Computer Crime and Intellectual Property Section revealed their participation in a multinational enforcement operation that disrupted and dismantled Emotet, a botnet that utilized malware, including ransomware, to target critical infrastructure in the United States and abroad. These actions highlight U.S. law enforcement’s increased focus on preventing ransomware attacks, which in the future will rely on both traditional collaboration among international law enforcement agencies and reporting from private entities over which the government exercises regulatory control.
The NetWalker Indictment
According to DOJ’s press release, NetWalker applied the software-as-a-service model to ransomware to conduct 21st century corporate blackmail. Specifically, it joined together developers who built and maintained the ransomware with affiliates who deployed the program against the computer systems of high-value targets. Once a computer system was infected, NetWalker would unlock network protections and spread its encryption program throughout the network until it was capable of crippling the network through activation of this program. The victim company would then receive a ransom demand sent through the dark web site Tor advising it of both the amount of money that would have to be paid and the time by which the payment would have to be received for the encryption to be removed. Upon receipt of the ransom payment, which often was made with cryptocurrency, the developers and the affiliates would split the proceeds.
The NetWalker indictment charges a Canadian national who purportedly participated in this scheme with a broad array of charges, including conspiracy to commit computer fraud, conspiracy to commit wire fraud, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer. It also seeks forfeiture of the more than $27.7 million in ransom payments this individual collected through this scheme. In addition to the indictment, Bulgarian authorities seized what authorities are referencing as a “dark web hidden resource” used by NetWalker affiliates to communicate ransom demands to victims.
The Dismantlement of Emotet
Emotet, as described within a DOJ search warrant affidavit, was a botnet that employed a family of malware to infect more than 1.6 million computers within the banking, e-commerce, healthcare, academia, government, and technology sectors within the past year. Importantly, as a botnet, its users could control all infected computers in a coordinated manner to steal data and to demand illicit payments from the impacted entities. Compounding the harm to the victim businesses is the cost to rid an infected system of Emotet, which the U.S. Cybersecurity & Infrastructure Agency (CISA) cited as approximately $1,000,000 per incident.
Ultimately, Emotet was dismantled when DOJ hacked the hackers. Law enforcement agencies in the United States, England, Canada, France, Germany and the Netherlands collaborated to surreptitiously install a file on Emotet servers that prevented Emotet from distributing malware or communicating with the infected computers. Law enforcement also seized an overseas server and identified numerous compromised host servers, often belonging to unknowing third parties, including over 20 based in the United States.
The Government’s Expanding Expectation of Private Monitoring and Enforcement
These two enforcement actions, while significant, highlight the challenges to law enforcement when combatting ransomware attacks on US businesses, which increased by 311% in 2020 from the prior year. Most servers are housed outside of the United States and require foreign collaboration to locate and dismantle; the cybercriminals utilize often unbreakable encryption programs; payment frequently involves largely untraceable cryptocurrency; and many of the extortionate communications are delivered over the largely impenetrable dark web. Notably, in an effort to exercise better control over the limited stages of the process that it does have insight into, the United States government has shifted some of the burden of tracking ransomware related activities to those businesses within the private sector over which it possesses regulatory authority. In October, the Financial Crimes Enforcement Network (FinCEN) released an advisory “to alert financial institutions to predominant trends, typologies, and potential indicators,” specifically as it pertains to ransomware payments processed through these businesses. As FinCEN noted, financial institutions play a “critical role” in the collection of ransom payments in that the victim typically transmits ransom payments via wire transfer or credit card payment processed by financial institutions that are then sent to a convertible virtual currency exchange before being deposited in the perpetrator’s account. FinCEN has reminded these entities that they are required to register with FinCEN, are subject to the monitoring and reporting requirements of the Bank Secrecy Act, and are required to file suspicious activity reports should they observe conduct consistent with ransomware payments. Likewise, the Office of Foreign Assets Control (OFAC) recently advised financial institutions that they could be subject to sanctions if they facilitate ransomware payments. Therefore, to both satisfy their legal obligations and to avoid the possibility that the U.S. government could find that a financial institution’s failure to adequately monitor and report such conduct gives rise to criminal or civil liability on behalf of the financial institution, all financial institutions should ensure that their AML programs are designed to identify the red flags evincing potential ransomware attacks and that there are sufficient controls in place to stop the payment of a ransom demand when detected.