Insight

An Allied Front Against Ransomware

With the world ever more digitally entwined—particularly as the pandemic has increasingly driven commerce and ordinary business activity more fully online—the threat of ransomware is here to stay. Here’s a primer on the federal government’s response and how the private sector can help.

Federal Government’s Response to Ransomware
Patricia Brown Holmes

Patricia Brown Holmes, Abigail L. Peluso, Georgia N. Alexakis and John K. Theis

November 4, 2021 06:40 AM

Ransomware attacks have been a mainstay of the 2021 news cycle. As the federal government’s recent actions reflect, there is no sign that these cyberattacks—in which hackers infiltrate an organization’s systems, lock victims out and demand millions of dollars to let them back in—will disappear anytime soon.

In just the past year, ransomware attacks shut down the Colonial Pipeline, shuttered meat processing plants, forced a Swedish grocery chain to close 800 stores for a day, caused Howard University to suspend classes for two days and exposed a Florida town to potentially poisonous drinking water.

According to Cybersecurity Ventures, a research firm, global ransomware damages will amount to more than $20 billion in 2021, up from just $5 billion in 2017. The federal government estimates that “roughly $350 million in ransom was paid to malicious cyber actors in 2020, a more than 300 percent increase from the previous year.” The Treasury Department recently noted that in the first six months of 2021, approximately $600 million in reported transactions were linked to possible ransomware payments.

Other ransomware attacks cause incalculable losses. In a recent Alabama lawsuit, a mother alleges that as a direct result of a ransomware attack on the hospital in which she gave birth, her daughter was born with severe brain damage and died just nine months later. According to the complaint, the attack hampered nurses’ ability to monitor fetal heartbeats, leading the delivery team to miss warning signs that the child, born with the umbilical cord wrapped around her neck, was in serious distress.

Business leaders cannot delegate full management of cyber risk to technical professionals. Cybersecurity is a board-level responsibility, and executives must pay particular attention to the unique risk ransomware entails. To protect consumers, ensure operational continuity and avoid reputational damage, organizations must appreciate mounting regulatory expectations and take steps to bolster the technical safeguards that protect their systems.

The Federal Response

In 2021, the U.S. government increased its efforts to combat ransomware attacks. Each tactic makes clear that the government will do all it can to stem such attacks, but it necessarily relies on the private sector to help.

New initiatives emphasize “shared responsibility”: This past June 2, the White House issued an open letter to private-sector executives stressing the seriousness of the ransomware threat, urging companies to do their part to mitigate the danger and providing a list of best practices to protect data and ensure an effective incident-response plan.

The next day, the Department of Justice announced the centralization of its internal tracking of all ransomware cases, building on its earlier launch of a Ransomware and Digital Extortion Task Force—which elevated ransomware investigations to the same priority level as those regarding terrorism. Speaking to the Wall Street Journal, FBI director Christopher A. Wray noted that “[t]here’s a shared responsibility, not just across government agencies but across the private sector and even the average American.”

Six weeks later, on July 15, the federal government launched stopransomware.gov, a consolidated online resource. Attorney General Merrick B. Garland emphasized that it “is critical for business leaders across industries to recognize the threat, prioritize efforts to harden their systems and work with law enforcement by reporting these attacks promptly.”

In early October, to continue to pressure compliance with cybersecurity protocols, the DOJ announced a new Civil Cyber-Fraud Initiative and a National Cryptocurrency Enforcement Team. The former will use the False Claims Act to pursue cybersecurity-related fraud, including failure to follow required cybersecurity standards, by government contractors and grant recipients. The latter will work to recover lost assets, including cryptocurrency payments made to ransomware groups.

In mid-October, OFAC provided updated guidance on compliance best practices for private companies that may have exposure to virtual currencies or their service providers, aimed at promoting “compliance with sanctions requirements.”

Successful prosecutions following a private-sector security breach: In consultation with outside counsel, companies should consider a referral to laws enforcement when faced with a cyberattack. Successful ransomware-related prosecutions can be difficult; perpetrators often reside outside the bounds of U.S. jurisdiction and extradition ability. Nonetheless, the government recently filed charges or seized assets related to ransomware attacks:

  • On June 4, a Latvian national was arraigned in federal court in Ohio on charges stemming from her alleged role in a transnational cybercrime organization responsible for creating and deploying a computer-banking Trojan and ransomware suite for malware.
  • On June 7, the DOJ announced the seizure of 63.7 bitcoins, then valued at approximately $2.3 million, representing proceeds from the ransom payment associated with the Colonial Pipeline attack.
  • On June 16, a Russian national was convicted after a trial in federal court in Connecticut for helping operate a “crypting” service used to conceal malware from antivirus software, thereby “enabling hackers to systemically infect victim computers around the world with . . . ransomware,” according to the U.S. Attorney’s office in the Connecticut district. The same day, an Estonian national pleaded guilty to a federal charge related to his role in operating the same service

OFAC advisory to private companies: Finally, on September 21, the Office of Foreign Assets Control (OFAC) issued an advisory highlighting the risk entities face when making ransomware payments to cyber actors included on OFAC’s list of Specially Designated Nationals (SDNs) and Blocked Persons.

Americans are generally prohibited from entering into transactions with SDNs. Also in September, OFAC designated the virtual currency exchange SUEX as an SDN—the first such exchange to earn this dubious honor. According to OFAC, SUEX facilitated financial transactions for ransomware actors. American companies are now prohibited from engaging in “transactions, directly or indirectly” with SUEX, and OFAC may impose civil penalties based on strict liability alone. There is no “ransomware exception” to this prohibition.

Payments to ransomware attackers carry a host of other risks, including potential liability under the Foreign Corrupt Practices Act, the International Emergency Economic Powers Act and the Trading with the Enemy Act. Companies must carefully consider the consequences of any payments they might be tempted to make.

What the Private Sector Can Do

There are several concrete things businesses can do to comply with regulatory expectations and mitigate the risk of a ransomware attack.

Enhance cyber defenses: The White House’s open letter urged companies to take a number of steps to combat the threat, and rightly so. The Colonial Pipeline attack exposed weaknesses in the company’s security protocols, disrupting gasoline delivery across a large swath of the eastern U.S. Some reports indicated that the attack was the result of a single compromised password. To avoid becoming the next ransomware headline, companies should continually consult with third-party experts to assess and test their defenses.

Incorporate ransomware risk into compliance programs: Every well-designed compliance program requires a thorough analysis of the risks a company faces—and ransomware should be front and center. In addition to information security being a component of periodic compliance assessments generally, organizations should consider retaining independent technical assistance to enhance and test it.

Closely monitor future federal action: If the past six months are any indication, the U.S. government will continue to bolster its efforts against ransomware attacks. Companies and other organizations should monitor federal guidance and regulatory activity to ensure they’re meeting government expectations and are prepared for future attacks.

In short, the government and private sector can—and should—be allies in the fight against rising ransomware. A coordinated approach will boost cyber-defenses and deter a common enemy.

Abigail L. Peluso is a partner at Riley Safer Holmes & Cancila LLP and previously served as Assistant United States Attorney in the U.S. Attorney’s Office for the Northern District of Illinois, where she prosecuted transnational actors.

Georgia N. Alexakis is a partner at Riley Safer Holmes & Cancila LLP and previously served as Assistant United States Attorney in the U.S. Attorney’s Office for the Northern District of Illinois, where she investigated and prosecuted cybercrimes and helped secure the convictions of individuals who violated laws and regulations prohibiting economic transactions with SDNs.

John K. Theis is a partner at Riley Safer Holmes & Cancila LLP and previously served as Associate White House Counsel and a Department of Justice trial lawyer.

Patricia Brown Holmes is the managing partner of Riley Safer Holmes & Cancila and focuses her practice on high-stakes commercial litigation, crisis management, white collar crime, and legal counseling. Patricia is the first African-American woman to lead and have her name on the door of a major law firm that is not women- or minority-owned.

Related Articles

Hybrid Work - A Path for Female Lawyers


by Roberta Liebenberg

Remote work, flex time, some combination of both, all the rest of the pandemic’s new office normal: mere hype, or finally a meaningful option for female lawyers?

Remote Work Becoming Vital for Female Lawyers

Navigating the New Normal


by Jody E. Briandi

The pandemic has upended many law firms’ internal culture and their lawyers’ work habits, in many ways for the better. As we approach 2022, how can we consolidate those positive effects to transform the practice of law (and our personal lives) for the better?

Work Habits Affected by the Pandemic

And Justice for All


by Harry M. Reasoner

Equal opportunity for justice before impartial law is a supposed bedrock of American citizenship. All too often, though, that noble ideal is honored more in the breach than the observance. The legal profession, and the country, must simply do better.

Legal Justice for All Americans is Lacking

Bidding Wars: Understanding Federal Bid Protests


by Lori Ann Lange

Federal government contracting can be convoluted. Here’s a primer on filing a bid protest for parties who think they’ve been wronged.

Filing Big Protest with Federal Government

Targeted Cyber Attacks Are Rapidly Increasing in 2019


by James L. Pray

Targeted cyber attacks, spear-phishing attacks, and ransomware attacks are increasing and could put your business's security on the line.

Cyber Attacks Are Increasing

Trending Articles

How Palworld Is Testing the Limits of Nintendo’s Legal Power


by Gregory Sirico

Many are calling the new game Palworld “Pokémon GO with guns,” noting the games striking similarities. Experts speculate how Nintendo could take legal action.

Animated figures with guns stand on top of creatures

Announcing the 2023 The Best Lawyers in America Honorees


by Best Lawyers

Only the top 5.3% of all practicing lawyers in the U.S. were selected by their peers for inclusion in the 29th edition of The Best Lawyers in America®.

Gold strings and dots connecting to form US map

The U.S. Best Lawyers Voting Season Is Open


by Best Lawyers

The voting season for the 31st edition of The Best Lawyers in America® and the 5th edition of Best Lawyers: Ones to Watch® in America is officially underway, and we are offering some helpful advice to this year’s voters.

Golden figures of people standing on blue surface connected by white lines

Announcing the 2022 Best Lawyers® in the United States


by Best Lawyers

The results include an elite field of top lawyers listed in the 28th Edition of The Best Lawyers in America® and in the 2nd Edition of Best Lawyers: Ones to Watch in America for 2022.

2022 Best Lawyers Listings for United States

How To Find A Pro Bono Lawyer


by Best Lawyers

Best Lawyers dives into the vital role pro bono lawyers play in ensuring access to justice for all and the transformative impact they have on communities.

Hands joined around a table with phone, paper, pen and glasses

What the Courts Say About Recording in the Classroom


by Christina Henagen Peer and Peter Zawadski

Students and parents are increasingly asking to use audio devices to record what's being said in the classroom. But is it legal? A recent ruling offer gives the answer to a question confusing parents and administrators alike.

Is It Legal for Students to Record Teachers?

2021 Best Lawyers: The Global Issue


by Best Lawyers

The 2021 Global Issue features top legal talent from the most recent editions of Best Lawyers and Best Lawyers: Ones to Watch worldwide.

2021 Best Lawyers: The Global Issue

Best Lawyers: Ones to Watch in America for 2023


by Best Lawyers

The third edition of Best Lawyers: Ones to Watch in America™ highlights the legal talent of lawyers who have been in practice less than 10 years.

Three arrows made of lines and dots on blue background

The Upcycle Conundrum


by Karen Kreider Gaunt

Laudable or litigious? What you need to know about potential copyright and trademark infringement when repurposing products.

Repurposed Products and Copyright Infringemen

The Best Lawyers in Australia™ 2024 Launch


by Best Lawyers

Best Lawyers is excited to announce The Best Lawyers in Australia™ for 2023, including the top lawyers and law firms from Australia.

Australian Parliament beside water at sunset

Best Lawyers Voting Is Now Open


by Best Lawyers

Voting has begun in several countries across the globe, including the United States, the United Kingdom and Europe. Below we offer dates, details and answers to voting-related questions to assist with the voting process.

Hands holding smartphone with five stars above phone

Inflation Escalation


by Ashley S. Wagner

Inflation and rising costs are at the forefront of everyone’s mind as we enter 2023. The current volatile market makes it more important than ever to understand the rent escalation clauses in current and future commercial lease agreements.

Suited figure in front of rising market and inflated balloon

Wage and Overtime Laws for Truck Drivers


by Greg Mansell

For truck drivers nationwide, underpayment and overtime violations are just the beginning of a long list of problems. Below we explore the wages you are entitled to but may not be receiving.

Truck Driver Wage and Overtime Laws in the US

A Celebration of Excellence: The Best Lawyers in Canada 2024 Awards


by Best Lawyers

As we embark on the 18th edition of The Best Lawyers in Canada™, we are excited to highlight excellence and top legal talent across the country.

Abstract image of red and white Canada flag in triangles

Announcing The Best Lawyers in South Africa™ 2024


by Best Lawyers

Best Lawyers is excited to announce the landmark 15th edition of The Best Lawyers in South Africa™ for 2024, including the exclusive "Law Firm of the Year" awards.

Sky view of South Africa town and waterways

Presenting the 2024 Best Lawyers Family Law Legal Guide


by Best Lawyers

The 2024 Best Lawyers Family Law Legal Guide is now live and includes recognitions for all Best Lawyers family law awards. Read below and explore the legal guide.

Man entering home and hugging two children in doorway