Cybersecurity, Policies and Training

The Ransomware Plague Continues, but the Response Model Is Changing

Ransomware is a term that has entered popular speech as it has echoed across the front pages of newspapers and the internet. While most people might not understand exactly how ransomware works, or how it might be delivered through a phishing email or a “zero-day” exploit, they understand that it locks the owner out of the computers and data it infects, data ranging from a company’s intellectual property to the private personal information of consumers, medical patients, and others. Individuals fear the disclosure of that information and the identity theft that can follow. Government fears the national security impact on our critical infrastructure and electoral politics when state-sponsored or state-protected actors block access to the data that runs modern society.

Both consumers and government agents are all too aware, for example, of the recent Colonial Pipeline ransomware incident, in which a criminal gang operating from Russia compromised the company’s systems and led it to halt pipeline operations, disrupting East Coast fuel deliveries for a period of days. Beyond the inconvenience, the incident highlights the potential disruption of our transportation, health care, and communication systems if a hostile nation were to launch a successful full-scale cyberattack against the U.S.

Both the public and private sectors have responded. On Sept. 30, 2020, the Cybersecurity & Infrastructure Security Agency (CISA), acting in tandem with the Multi-State Information Sharing & Analysis Center (MS-ISAC), released a joint Ransomware Guide. The Guide outlined best practices for preventing and protecting against a ransomware attack and, assuming that an attack had occurred, for minimizing its effect and fostering recovery. CISA’s Stop Ransomware campaign describes what ransomware is and how to prevent and respond to it, with a “tool kit” intended for use by organizations of every size.

The Stop Ransomware campaign is only one example of the guidance initiatives that government agencies have presented recently. The National Institute of Standards and Technology (NIST) and the Department of Health & Human Services Office for Civil Rights, which governs the privacy of Protected Health Information, have each issued ransomware guidance. In addition, a consortium of law enforcement and national security agencies, including the Executive Office of the President, the CIA, the NSA, the FBI, the Departments of Homeland Security and Justice, and others, found it necessary to issue a lengthy interagency technical guidance document entitled “How to Protect Your Networks from Ransomware.”

The instructions given by these, and many other, government and private releases are essentially the same. Start with a comprehensive vulnerability analysis and act on the results. Ensure that all software, particularly antivirus and anti-malware products, is up to date and regularly patched. Control access to accounts and systems, grant privileges sparingly, and closely monitor privileged use. Require multi-factor authentication for all services, especially email. Keep backups offline and encrypted, so that an intruder who reaches the production network cannot also reach, alter, or encrypt the copies needed for recovery. Conduct verifiable training of employees on typical risks, such as phishing emails, and supplement it with periodic tabletop exercises or similar drills. Finally, in the event of a successful attack, have an incident response plan in place that provides for resilience and for the restoration of files and capabilities.

All of this is good and consistent advice. But is it working? For some companies and agencies, the answer is yes. For others, not so much. By one estimate, as many as 68% of American companies suffered ransomware attacks last year, and the number of successful ones continues to rise. Much of the overall increase is attributable to the COVID-19 pandemic, as cyber actors take advantage of security gaps created by remote work and the breakdown of routines.

Thus, notwithstanding the plethora of guidance already available on the Web, regulatory and enforcement agencies are stepping up their activity. On Aug. 25, 2021, CISA amplified its earlier guidance in coordination with federal and state agencies, much as NIST, part of the Commerce Department, had done before. CISA’s update included a fact sheet entitled Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches. The activities it discusses are generally indistinguishable from the ransomware prevention and response tips that had previously been recommended. However, taken together with the actions of other agencies, they are intended to heighten awareness and to change the response model that many businesses and agencies have been following.

For a number of years, even as the number of incidents continued to increase, ransomware was viewed as a nuisance, albeit an expensive one. During this period, “ransomware” lived up to its name. Black hat hackers intruded into systems through phishing emails that appeared to be genuine requests, or by exploiting software vulnerabilities, and then executed the malware they had installed, encrypting an organization’s files. The files could not be unlocked until the victim had paid the requested ransom and been given a decryption key. Often consulting with their insurers, victims conducted a cost-benefit analysis, balancing the amount of the ransom against the cost of recovery if the victim restored or rebuilt its systems on its own. And often, especially for companies and agencies that did not have secure backups, payment was a matter of survival. Thus payment, generally in cryptocurrency sent to wallets whose owners could not readily be identified, became the rule rather than the exception, and government agencies like the FBI typically acquiesced. Several things have now changed this.

Both insurers and enforcers have come to realize that, as ransom demands have increased, the companies that have been paying are financing the continued growth of what has become more than a cottage industry, with ransomware kits sold on the Dark Web and some criminal groups offering ransomware as a service. And those criminal groups have changed the rules of the game. Not content with the traditional ransom scenario, ransom actors are no longer merely locking owners out of their data until ransoms are paid; they are also exfiltrating the data before encrypting it and threatening to publish it, and much of that data, the author contends, is ending up under the control of foreign adversary nation states. Going even further, some criminals are taking a third bite of the apple: selling exfiltrated data on the Dark Web, using it to penetrate the systems of the initial victim’s customers, or mounting distributed denial-of-service (DDoS) attacks against victims to increase the pressure to pay.

Recognizing that adversary nation-state activity is a material threat to U.S. critical infrastructure, and facing likely bipartisan legislative action on ransomware reporting and response in the wake of the continuing rise in the number of ransomware intrusions, federal law enforcement agencies are now not only instructing ransomware victims not to pay up, but are also actively involving themselves in recovering payments, as was the case with the Colonial Pipeline ransom. Cryptocurrency transactions are recorded on a public ledger, so payments can be traced from wallet to wallet, and where law enforcement is able to obtain the private key controlling a receiving wallet, the funds can be seized.

At the same time, those who facilitate ransomware payments to cyber actors, including financial institutions, cyber insurers, companies involved in digital forensics and incident response, and even law firms, are now seen not only as encouraging future ransom demands but also as risking violations of U.S. sanctions regulations.

A little more than a year after publishing an advisory on the potential sanctions that might result from facilitating ransomware payments, and on the best practices that might prevent or deter ransomware or might support leniency regarding sanctions, the Department of the Treasury’s Office of Foreign Assets Control (OFAC), on Sept. 21, 2021, issued an update that strengthens its earlier warning.

The update designates a virtual currency exchange used to launder ransomware proceeds, adding it to OFAC’s Specially Designated Nationals and Blocked Persons List, and provides some additional guidance concerning best practices for protecting against and responding to ransomware attacks. However, the essence of the publication is its stress on the benefits of immediate disclosure and cooperation with law enforcement agencies as a way to avoid or mitigate the strict-liability penalties that the agency could impose if payments were made to a sanctioned entity.

In addition, on Oct. 15, 2021, OFAC published a sanctions compliance guide for digital asset companies, designed to counter the use of cryptocurrencies in unlawful transactions.

The net of all of this is that what once was seen as largely transactional, notwithstanding the duress felt by companies whose survival is threatened by losing access to their data, is now seen as a national security issue, one that calls for criminal enforcement instead of acquiescence. Legislation and enforcement agency actions against entities suffering data breaches will continue to put pressure on companies to strengthen their compliance programs and resilience, and to resist yielding to cyber criminals.

Stuart Gerson is a member of Epstein Becker Green in the Litigation and Health Care & Life Sciences practices who focuses on cybersecurity and fraud litigation. Stuart was previously Acting Attorney General of the United States and served as an advisor to several presidents. He currently represents health care, life sciences, and financial services clients in high-stakes civil and criminal matters nationwide. Stuart is a regular speaker and media commentator on a range of topics that include health care, employment, and cybersecurity policy.