An Allied Front Against Ransomware

With the world ever more digitally entwined—particularly as the pandemic has increasingly driven commerce and ordinary business activity more fully online—the threat of ransomware is here to stay. Here’s a primer on the federal government’s response and how the private sector can help.

Federal Government’s Response to Ransomware
Patricia Brown Holmes

Patricia Brown Holmes, Abigail L. Peluso, Georgia N. Alexakis and John K. Theis

November 4, 2021 06:40 AM

Ransomware attacks have been a mainstay of the 2021 news cycle. As the federal government’s recent actions reflect, there is no sign that these cyberattacks—in which hackers infiltrate an organization’s systems, lock victims out and demand millions of dollars to let them back in—will disappear anytime soon.

In just the past year, ransomware attacks shut down the Colonial Pipeline, shuttered meat processing plants, forced a Swedish grocery chain to close 800 stores for a day, caused Howard University to suspend classes for two days and exposed a Florida town to potentially poisonous drinking water.

According to Cybersecurity Ventures, a research firm, global ransomware damages will amount to more than $20 billion in 2021, up from just $5 billion in 2017. The federal government estimates that “roughly $350 million in ransom was paid to malicious cyber actors in 2020, a more than 300 percent increase from the previous year.” The Treasury Department recently noted that in the first six months of 2021, approximately $600 million in reported transactions were linked to possible ransomware payments.

Other ransomware attacks cause incalculable losses. In a recent Alabama lawsuit, a mother alleges that as a direct result of a ransomware attack on the hospital in which she gave birth, her daughter was born with severe brain damage and died just nine months later. According to the complaint, the attack hampered nurses’ ability to monitor fetal heartbeats, leading the delivery team to miss warning signs that the child, born with the umbilical cord wrapped around her neck, was in serious distress.

Business leaders cannot delegate full management of cyber risk to technical professionals. Cybersecurity is a board-level responsibility, and executives must pay particular attention to the unique risk ransomware entails. To protect consumers, ensure operational continuity and avoid reputational damage, organizations must appreciate mounting regulatory expectations and take steps to bolster the technical safeguards that protect their systems.

The Federal Response

In 2021, the U.S. government increased its efforts to combat ransomware attacks. Each tactic makes clear that the government will do all it can to stem such attacks, but it necessarily relies on the private sector to help.

New initiatives emphasize “shared responsibility”: This past June 2, the White House issued an open letter to private-sector executives stressing the seriousness of the ransomware threat, urging companies to do their part to mitigate the danger and providing a list of best practices to protect data and ensure an effective incident-response plan.

The next day, the Department of Justice announced the centralization of its internal tracking of all ransomware cases, building on its earlier launch of a Ransomware and Digital Extortion Task Force—which elevated ransomware investigations to the same priority level as those regarding terrorism. Speaking to the Wall Street Journal, FBI director Christopher A. Wray noted that “[t]here’s a shared responsibility, not just across government agencies but across the private sector and even the average American.”

Six weeks later, on July 15, the federal government launched, a consolidated online resource. Attorney General Merrick B. Garland emphasized that it “is critical for business leaders across industries to recognize the threat, prioritize efforts to harden their systems and work with law enforcement by reporting these attacks promptly.”

In early October, to continue to pressure compliance with cybersecurity protocols, the DOJ announced a new Civil Cyber-Fraud Initiative and a National Cryptocurrency Enforcement Team. The former will use the False Claims Act to pursue cybersecurity-related fraud, including failure to follow required cybersecurity standards, by government contractors and grant recipients. The latter will work to recover lost assets, including cryptocurrency payments made to ransomware groups.

In mid-October, OFAC provided updated guidance on compliance best practices for private companies that may have exposure to virtual currencies or their service providers, aimed at promoting “compliance with sanctions requirements.”

Successful prosecutions following a private-sector security breach: In consultation with outside counsel, companies should consider a referral to laws enforcement when faced with a cyberattack. Successful ransomware-related prosecutions can be difficult; perpetrators often reside outside the bounds of U.S. jurisdiction and extradition ability. Nonetheless, the government recently filed charges or seized assets related to ransomware attacks:

  • On June 4, a Latvian national was arraigned in federal court in Ohio on charges stemming from her alleged role in a transnational cybercrime organization responsible for creating and deploying a computer-banking Trojan and ransomware suite for malware.
  • On June 7, the DOJ announced the seizure of 63.7 bitcoins, then valued at approximately $2.3 million, representing proceeds from the ransom payment associated with the Colonial Pipeline attack.
  • On June 16, a Russian national was convicted after a trial in federal court in Connecticut for helping operate a “crypting” service used to conceal malware from antivirus software, thereby “enabling hackers to systemically infect victim computers around the world with . . . ransomware,” according to the U.S. Attorney’s office in the Connecticut district. The same day, an Estonian national pleaded guilty to a federal charge related to his role in operating the same service

OFAC advisory to private companies: Finally, on September 21, the Office of Foreign Assets Control (OFAC) issued an advisory highlighting the risk entities face when making ransomware payments to cyber actors included on OFAC’s list of Specially Designated Nationals (SDNs) and Blocked Persons.

Americans are generally prohibited from entering into transactions with SDNs. Also in September, OFAC designated the virtual currency exchange SUEX as an SDN—the first such exchange to earn this dubious honor. According to OFAC, SUEX facilitated financial transactions for ransomware actors. American companies are now prohibited from engaging in “transactions, directly or indirectly” with SUEX, and OFAC may impose civil penalties based on strict liability alone. There is no “ransomware exception” to this prohibition.

Payments to ransomware attackers carry a host of other risks, including potential liability under the Foreign Corrupt Practices Act, the International Emergency Economic Powers Act and the Trading with the Enemy Act. Companies must carefully consider the consequences of any payments they might be tempted to make.

What the Private Sector Can Do

There are several concrete things businesses can do to comply with regulatory expectations and mitigate the risk of a ransomware attack.

Enhance cyber defenses: The White House’s open letter urged companies to take a number of steps to combat the threat, and rightly so. The Colonial Pipeline attack exposed weaknesses in the company’s security protocols, disrupting gasoline delivery across a large swath of the eastern U.S. Some reports indicated that the attack was the result of a single compromised password. To avoid becoming the next ransomware headline, companies should continually consult with third-party experts to assess and test their defenses.

Incorporate ransomware risk into compliance programs: Every well-designed compliance program requires a thorough analysis of the risks a company faces—and ransomware should be front and center. In addition to information security being a component of periodic compliance assessments generally, organizations should consider retaining independent technical assistance to enhance and test it.

Closely monitor future federal action: If the past six months are any indication, the U.S. government will continue to bolster its efforts against ransomware attacks. Companies and other organizations should monitor federal guidance and regulatory activity to ensure they’re meeting government expectations and are prepared for future attacks.

In short, the government and private sector can—and should—be allies in the fight against rising ransomware. A coordinated approach will boost cyber-defenses and deter a common enemy.

Abigail L. Peluso is a partner at Riley Safer Holmes & Cancila LLP and previously served as Assistant United States Attorney in the U.S. Attorney’s Office for the Northern District of Illinois, where she prosecuted transnational actors.

Georgia N. Alexakis is a partner at Riley Safer Holmes & Cancila LLP and previously served as Assistant United States Attorney in the U.S. Attorney’s Office for the Northern District of Illinois, where she investigated and prosecuted cybercrimes and helped secure the convictions of individuals who violated laws and regulations prohibiting economic transactions with SDNs.

John K. Theis is a partner at Riley Safer Holmes & Cancila LLP and previously served as Associate White House Counsel and a Department of Justice trial lawyer.

Patricia Brown Holmes is the managing partner of Riley Safer Holmes & Cancila and focuses her practice on high-stakes commercial litigation, crisis management, white collar crime, and legal counseling. Patricia is the first African-American woman to lead and have her name on the door of a major law firm that is not women- or minority-owned.

Related Articles

Announcing the 2022 "Best Law Firms" Rankings

by Best Lawyers

The 2022 “Best Law Firms” publication includes all “Law Firm of the Year” recipients, national and metro Tier 1 ranked firms and editorial from thought leaders in the legal industry.

The 2022 Best Law Firms Awards

Law Firm or Startup: Which Addresses Innovation Best?

by Ronald W. Chapman, Jr. and Tim Fox

In a hypercompetitive environment, each has its advantages and challenges. Here’s a look at how they stack up.

Innovation for Law Firms Challenges

Hybrid Work - A Path for Female Lawyers

by Roberta Liebenberg

Remote work, flex time, some combination of both, all the rest of the pandemic’s new office normal: mere hype, or finally a meaningful option for female lawyers?

Remote Work Becoming Vital for Female Lawyers

Road to Somewhere

by Mark LeHocky

How can attorneys take steps to improve settlement efforts and avoid unpleasant surprises as they map out a dispute resolution? One litigator-turned-general counsel-turned mediator (with some help from a distinguished rock star) points the way forward.

Improved Dispute Resolution Settlement

Navigating the New Normal

by Jody E. Briandi

The pandemic has upended many law firms’ internal culture and their lawyers’ work habits, in many ways for the better. As we approach 2022, how can we consolidate those positive effects to transform the practice of law (and our personal lives) for the better?

Work Habits Affected by the Pandemic

And Justice for All

by Harry M. Reasoner

Equal opportunity for justice before impartial law is a supposed bedrock of American citizenship. All too often, though, that noble ideal is honored more in the breach than the observance. The legal profession, and the country, must simply do better.

Legal Justice for All Americans is Lacking

Bidding Wars: Understanding Federal Bid Protests

by Lori Ann Lange

Federal government contracting can be convoluted. Here’s a primer on filing a bid protest for parties who think they’ve been wronged.

Filing Big Protest with Federal Government

Trending Articles

Announcing the 2023 The Best Lawyers in America Honorees

by Best Lawyers

Only the top 5.3% of all practicing lawyers in the U.S. were selected by their peers for inclusion in the 29th edition of The Best Lawyers in America®.

Gold strings and dots connecting to form US map

Best Lawyers: Ones to Watch in America for 2023

by Best Lawyers

The third edition of Best Lawyers: Ones to Watch in America™ highlights the legal talent of lawyers who have been in practice less than 10 years.

Three arrows made of lines and dots on blue background

Announcing the 2022 Best Lawyers® in the United States

by Best Lawyers

The results include an elite field of top lawyers listed in the 28th Edition of The Best Lawyers in America® and in the 2nd Edition of Best Lawyers: Ones to Watch in America for 2022.

2022 Best Lawyers Listings for United States

Famous Songs Unprotected by Copyright Could Mean Royalties for Some

by Michael B. Fein

A guide to navigating copyright claims on famous songs.

Can I Sing "Happy Birthday" in Public?

Announcing the 2023 The Best Lawyers in Canada Honorees

by Best Lawyers

The Best Lawyers in Canada™ is entering its 17th edition for 2023. We highlight the elite lawyers awarded this year.

Red map of Canada with white lines and dots

Choosing a Title Company: What a Seller Should Expect

by Roy D. Oppenheim

When it comes to choosing a title company, how much power exactly does a seller have?

Choosing the Title Company As Seller

What the Courts Say About Recording in the Classroom

by Christina Henagen Peer and Peter Zawadski

Students and parents are increasingly asking to use audio devices to record what's being said in the classroom. But is it legal? A recent ruling offer gives the answer to a question confusing parents and administrators alike.

Is It Legal for Students to Record Teachers?

Announcing the 2022 Best Lawyers in Canada™

by Best Lawyers

The results include an elite field of top lawyers listed in the 16th Edition of The Best Lawyers in Canada™ and 1st Edition of Best Lawyers: Ones to Watch in Canada.

Announcing the 2022 Best Lawyers in Canada™

Caffeine Overload and DUI Tests

by Daniel Taylor

While it might come as a surprise, the over-consumption of caffeine could trigger a false positive on a breathalyzer test.

Can Caffeine Cause You to Fail DUI Test?

The Real Camille: An Interview with Johnny Depp’s Lawyer Camille Vasquez

by Rebecca Blackwell

Camille Vasquez, a young lawyer at Brown Rudnick, sat down with Best Lawyers CEO Phillip Greer to talk about her distinguished career, recently being named partner and what comes next for her.

Camille Vasquez in office

Announcing the 2022 "Best Law Firms" Rankings

by Best Lawyers

The 2022 “Best Law Firms” publication includes all “Law Firm of the Year” recipients, national and metro Tier 1 ranked firms and editorial from thought leaders in the legal industry.

The 2022 Best Law Firms Awards

All Eyes to the Ones on the Rise

by Rebecca Blackwell

Our 2023 honorees recognized in Best Lawyers: Ones to Watch™ in America tell us more about how their path to law formed, what lead them to their practice areas and how they keep steadfast in their passion to serve others.

Person walking between glass walls towards window

Wage and Overtime Laws for Truck Drivers

by Greg Mansell

For truck drivers nationwide, underpayment and overtime violations are just the beginning of a long list of problems. Below we explore the wages you are entitled to but may not be receiving.

Truck Driver Wage and Overtime Laws in the US

Announcing The Best Lawyers in Australia™ 2023

by Best Lawyers

The results include an elite field of top lawyers and firms from Australia.

The Best Lawyers in Australia™ 2023

Announcing the 2022 Best Lawyers™ in Australia

by Best Lawyers

The results include an elite field of top lawyers and firms.

Announcing the 2022 Best Lawyers™ in Australi

Announcing the 2022 Best Lawyers in South Africa™

by Best Lawyers

The results include an elite field of top lawyers and firms.

Announcing 2022 Best Lawyers in South Africa