On June 2, 2021, Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, published a rare open letter to the corporate executives and business leaders of private organizations about the significant threat of ransomware attacks. The letter comes in the wake of a recent string of ransomware attacks against various sectors of the U.S. economy, including, for example, the energy, banking, healthcare, and food processing sectors. It also comes on the heels of President Biden’s Executive Order on Improving the Nation’s Cybersecurity, which requires the federal government to adopt several new cybersecurity practices designed to protect the government from cybersecurity attacks. The federal government is also increasing enforcement efforts against bad actors using ransomware to disrupt the U.S. economy and announced on June 7, 2019, that the Department of Justice seized millions of dollars in cryptocurrency arising from the Colonial Pipeline ransomware incident.
The letter explains that the federal government has stepped up efforts to stop ransomware attacks, including increasing efforts to disrupt ransomware networks, working with international partners to hold foreign countries that harbor ransomware actors accountable, and developing more cohesive and consistent policies toward ransom payments.
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has also issued advisory guidance on the sanctions risks associated with ransomware payments for malicious cyber-enabled activities. Specifically, under the authority of the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (persons) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria), among other transactions. Businesses considering paying a ransom to get back their data or to prevent public disclosure of their data should review this OFAC advisory guidance before making any ransomware payment, because OFAC may impose civil penalties for sanctions violations based on strict liability – meaning your organization could be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under the OFAC sanctions laws (for publicly traded companies, such liability could also spawn investor suits).
The letter also warns the private sector that it bears the responsibility to protect itself against the threat of ransomware, pointing out that any company may become the target of a ransomware attack, regardless of the company’s size or location. The letter urges all companies to take the threat of ransomware seriously and adopt cybersecurity practices that match this threat. Accordingly, business leaders are encouraged to review the business’s overall cybersecurity posture and business continuity plans to ensure that they can quickly restore operations in the event of a ransomware attack.
Further, businesses are urged to immediately take the following steps to focus efforts and rapidly progress towards reducing the risk of a ransomware attack:
Businesses should note that the above OFAC guidance is likely to be considered the standard best practices applied in any civil action following a ransomware attack to determine if the company met its general standard of care.
The Cybersecurity & Infrastructure Security Agency (CISA) and other U.S. government organizations have several resources to assist companies in protecting against ransomware attacks, including:
Although protecting against ransomware is an essential part of a business’s cybersecurity strategy, businesses should realize that ransomware is one of the types of cybersecurity threats that businesses face. For example, the traditional ransomware attack that holds a business’s information hostage is now often combined with exfiltration of the information, such that even if a business can quickly recover encrypted systems from backups, it risks the disclosure of sensitive business and personal information. Businesses are therefore encouraged to adopt a comprehensive cybersecurity strategy that is appropriate to the risks they face. For more information about developing such a comprehensive cybersecurity strategy, please contact one of the authors listed below or another core member of Foley’s Cybersecurity Practice.