More sophisticated ransomware attacks appear to be on the increase. With the disruptions resulting from COVID-19, government regulators and law enforcement are warning businesses to be on the lookout for ransomware attacks. Specifically, those businesses that operate in highly regulated industries – health care, finance and government contractors – need to be cautious. Additionally, any business that runs older legacy systems that may no longer be regularly patched or supported is also vulnerable. A patient in a German hospital recently died because of delayed treatment after hackers launched a ransomware attack against the hospital’s computers.
Ransomware attackers are becoming more targeted with their victims and know that businesses stand to lose much, both in terms of downtime and potential fines and penalties, resulting from ransomware attacks. As a result, many organizations feel they have no choice but to pay the ransom. The FBI and the Department of Health and Human Services, however, recommend against paying ransoms. Payment may not necessarily guarantee that attackers will decrypt or return files and there is concern that ransom payments will only embolden future ransomware attackers. As a practical matter, however, many businesses must make the difficult choice of paying the ransom or experience prolonged business or data loss.
The Department of Treasury’s Office of Foreign Assets Control (OFAC) recently released an advisory, warning companies that payments made to ransomware attackers may constitute violations of U.S. sanctions. The Advisory paints with a broad brush putting on notice “[c]ompanies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response.” In recent years, the OFAC has used its cyber-related sanctions program to designate numerous malicious actors as targets of U.S. enforcement. In addition to these groups specifically, however, if a ransomware payment has the effect of transferring funds to other sanctioned entities, governments or areas, the transfer may constitute a violation of U.S. laws.
U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on the OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea and Syria). The OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if they did not know or have reason to know it was engaging in a transaction with someone who is prohibited under sanctions laws and regulations administered by the OFAC. Monetary penalties for violation of the OFAC sanctions regulations can be up to $20 million. The Advisory concludes with information for contacting relevant U.S. government agencies, including the OFAC, if there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.
While the intent of the OFAC Advisory is clear – to limit the flow of funds to sanctioned persons and therefore disincentivize them from engaging in further attacks – the means for implementing the policies is less clear. Often, definitive identification of the attacker is not possible in a ransomware situation. If the attacker cannot be verified, it will be extremely difficult for companies to evaluate their risk of violating sanctions regulations. Warner will continue to monitor enforcement actions and see what kind of posture the OFAC takes on these issues.
In a Joint Cybersecurity Advisory, the FBI and the Department of Health and Human Services have reiterated best practices for addressing threats posed by malicious actors. The practices will be common for any security experts who have had to account for potential ransomware attacks in the past, including scanning for open or listening ports, regularly backing up data and focusing on awareness and training. The individual user continues to be the weakest point of vulnerability for any organization. Most ransomware attacks come cloaked as phishing scams, waiting for an unwary user to click on a malicious link. Cultivating a culture of compliance with security policies provides the most effective safeguard against ransomware attacks.
Further complicating matters is the move by many organizations to cloud storage offerings. When moving data to the cloud, an organization still retains liability for that data in the eyes of the law. If a cloud provider falls victim to a ransomware attack, an organization has even less control over the response and may not even be aware that an attack has occurred until it is resolved. This does nothing, however, to diminish regulatory or statutory liability related to that data’s security or availability. An organization must ensure that it has strong contractual protections to address these scenarios.
If you have any questions concerning ransomware attacks or are interested in proactively protecting your organization from a potential ransomware attack or data breach, please contact Adam Bruski, Norbert Kugele, Nathan Steed or a member of Warner’s Cybersecurity and Privacy Practice Group.