Recent Ransomware Developments

There have been a number of developments on the ransomware front since I last wrote about the topic.  Moreover, demand for ransomware payments increased during the COVID-19 pandemic because cyber actors targeted online systems that people relied upon to continue conducting business.  In light of these developments, I’m sharing this update.

As a reminder, ransomware is a form of malicious software (malware) designed to block access to a computer system or data.  It typically does this by encrypting data or programs on IT systems.  Attackers then seek to extort ransom payments (usually in the form of digital currency) from their victims in exchange for decrypting the information and restoring the victim’s access to their systems or data.

Ransomware Victims

Several significant ransomware attacks have recently made the news and become known to the public at large. First, there was the Colonial Pipeline attack, which led to gasoline supply issues on the East Coast. There were also attacks on JBS, a major meat processor, and on Kaseya, a software supplier to multiple large organizations. By targeting a software supplier such as Kaseya, the cyber criminals had the opportunity to expand their reach to the organizations that were customers of the victim.

Additionally, ransomware criminals recently attacked several insurance brokers/companies that offer cyber insurance policies. They did this in an effort to obtain, among other things, information on customers' insurance coverage and policy limits, which they could then use to target those customers while knowing exactly how much ransom each could afford to pay.

Ransomware Payments

Late last year, the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” whose purpose was to highlight the sanctions risk associated with ransomware payments.  Specifically, the advisory warned that companies that facilitate ransomware payments to cyber actors on behalf of victims (e.g., financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response) not only encouraged future ransomware payment demands but also risked violating OFAC regulations.  The violation is based upon the fact that the OFAC has designated certain malicious cyber actors under its sanctions programs (cyber-related and otherwise).  The actors designated include not only perpetrators of ransomware attacks but also those who facilitate ransomware transactions.

From the OFAC’s perspective, facilitating a ransomware payment that is demanded as a result of malicious cyber activities could enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.  Thus, the ransoms paid could fund activities that are adverse to the national security and foreign policy objectives of the United States and/or embolden cyber actors to engage in future attacks.  Considering this, the OFAC warned that companies that engage with ransomware attack victims by facilitating ransom payments could be exposed to liability under OFAC regulations.

The OFAC concluded its advisory by encouraging financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations.  This need for a compliance program also applies to companies that engage with victims of ransomware attacks, i.e., those that provide cyber insurance, digital forensics and incident response, and financial services that may involve processing ransomware payments including depository institutions and money services businesses.

Ransomware Resources

In light of these recent developments, the US government has once again recognized that safeguarding operations from cyber threats better protects national and economic security. It is, therefore, taking concrete steps to address the issue. To that end, a new director of the Cybersecurity and Infrastructure Security Agency (Jen Easterly) has been appointed. There is also a very helpful new website that contains reports of ransomware attacks and a plethora of resources that individuals and companies can use to find out about attacks and the steps that can and should be taken to protect themselves.

The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship. 
