White House Issues Open Letter to Private Businesses Regarding the Threat of Ransomware

14 June 2021 Innovative Technology Insights Blog
Author(s): Steven M. Millendorf, Jennifer J. Hennessy, Jennifer L. Urban, Eileen R. Ridley, Aaron K. Tantleff

On June 2, 2021, Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, published a rare open letter to the corporate executives and business leaders of private organizations about the significant threat of ransomware attacks. The letter comes in the wake of a recent string of ransomware attacks against various sectors of the U.S. economy, including, for example, the energy, banking, healthcare, and food processing sectors. It also follows President Biden’s Executive Order on Improving the Nation’s Cybersecurity, which requires the federal government to adopt several new cybersecurity practices designed to protect the government from cybersecurity attacks. The federal government is also increasing enforcement efforts against bad actors using ransomware to disrupt the U.S. economy and announced on June 7, 2019, that the Department of Justice had seized millions of dollars in cryptocurrency arising from the ransomware incident involving Colonial Pipeline.

The letter describes that the federal government has stepped up efforts to stop ransomware attacks, including increasing efforts to disrupt ransomware networks, working with international partners to hold foreign countries that harbor ransomware actors accountable, and developing more cohesive and consistent policies towards the payment of ransomware.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has also issued advisory guidance on the sanctions risks associated with ransomware payments for malicious cyber-enabled activities. Specifically, under the authority of the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (persons) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria), among other prohibited transactions. Businesses considering paying a ransom to get back their data or to prevent public disclosure of their data should review this OFAC advisory guidance before making any ransomware payment, because OFAC may impose civil penalties for sanctions violations on a strict-liability basis – meaning your organization could be held civilly liable even if it did not know, or have reason to know, that it was engaging in a transaction with a person prohibited under the OFAC sanctions laws (for publicly traded companies, such liability could also spawn investor suits).

The letter also warns the private sector that it bears the responsibility to protect itself against the threat of ransomware, pointing out that any company may become the target of a ransomware attack, regardless of the company’s size or location. The letter urges all companies to take the threat of ransomware seriously and adopt cybersecurity practices that match this threat. Accordingly, business leaders are encouraged to review the business’s overall cybersecurity posture and business continuity plans to ensure that they can quickly restore operations in the event of a ransomware attack.

Further, businesses are urged to immediately take the following steps to focus efforts and rapidly progress towards reducing the risk of a ransomware attack:

  • Implementing the best practices outlined in President Biden’s Executive Order on Improving the Nation’s Cybersecurity: These practices include: (a) the use of multi-factor authentication instead of relying on passwords alone; (b) the use of network detection and response technologies to actively detect and hunt for malicious activity on a network and stop it before it can damage the network or systems; (c) the use of encryption technology to minimize the damage if the ransomware not only holds data hostage through encryption but also exfiltrates the information in an attempt to extract a further ransom by threatening to disclose sensitive information even after the data has been restored from backups; and (d) the use of an appropriately qualified system security team that monitors available information for new threats and that appropriately patches and maintains the business’s IT systems to protect against these threats.

  • Backup system images, configurations, and data to offline storage and regularly test these backups: Ransomware will regularly try to encrypt and delete backups accessible from the business network. Accordingly, backups should be stored offline where they cannot be reached in a ransomware attack that encrypts the business’s IT systems. Furthermore, businesses are advised to regularly test whether the backups are sufficient to restore the system in the event of an attack.

  • Promptly patch and update systems: As new vulnerabilities are discovered, patching is a critical component in protecting against ransomware attacks. Organizations should consider a patch management system and use a risk-based assessment strategy to determine when to patch operating systems, applications, and firmware.

  • Test incident response plans: Businesses should have an incident response plan and test it regularly through tabletop simulations to uncover and address any gaps in the plan. When reviewing the incident response plan, the business should ask itself several core questions, including (a) what systems are critical to continuing business operations; (b) how long can the business continue operations without specific systems; and (c) would the business be forced to discontinue manufacturing operations if specific business systems were affected by a ransomware attack (such as billing). The business should then adjust the incident response plan as appropriate.

  • Check the security team’s work: Companies should test their systems’ security through penetration testing and other vulnerability testing.

  • Network segmentation: Ransomware attacks can steal data and disrupt operations. For businesses that engage in manufacturing and production operations, a ransomware attack can have a significant impact if the ransomware reaches the systems that control manufacturing and production. The letter recommends that the computer networks that control manufacturing and production operations be separated from the networks used for corporate business functions, and that businesses identify the links between these networks and carefully filter and limit internet access between them. This helps ensure that the manufacturing and production network can be isolated and that manufacturing and production operations continue if the corporate network is isolated. Businesses should regularly test contingency plans, such as manual controls, to ensure that functions critical to safety can be maintained during a ransomware attack.

Businesses should note that the above OFAC guidance is likely to be considered the standard best practices applied in any civil action following a ransomware attack to determine if the company met its general standard of care. 

Additional Cybersecurity Resources for Businesses

The Cybersecurity & Infrastructure Security Agency (CISA) and other U.S. government organizations have several resources to assist companies in protecting against ransomware attacks, including:

In addition, the Department of Health and Human Services has published some additional ransomware resources for organizations in the healthcare sector.

Although protecting against ransomware is an essential part of a business’s cybersecurity strategy, businesses should realize that ransomware is only one of the types of cybersecurity threats they face. For example, the traditional ransomware attack that holds a business’s information hostage is now often combined with exfiltration of the information, such that even if a business can quickly recover encrypted systems from backups, it still risks the disclosure of sensitive business and personal information. Businesses are therefore encouraged to adopt a comprehensive cybersecurity strategy that is appropriate to the risks they face. For more information about developing such a comprehensive cybersecurity strategy, please contact one of the authors listed below or another core member of Foley’s Cybersecurity Practice.
