As ransomware attacks continue to proliferate, organizations are facing increasingly complex practical and legal considerations. Ransomware threats can range from simple Ransomware-as-a-Service models to sophisticated attacks with network-wide impacts. In many cases, ransomware attacks involve not only encryption but also data exfiltration, with accompanying regulatory and contractual notification obligations. Ransomware attacks are now so pervasive that they were deemed “a direct threat to our economy” in a Treasury Department press release. The resulting governmental focus on ransomware will create new and evolving regulatory challenges for organizations experiencing an attack.
Ransomware in 2021
If 2020 initiated a new era of ransomware threat due to pandemic-related shifts to remote work and the associated security risks, 2021 proved that this threat is only likely to increase in 2022, as the toxic mix of host nations accommodating ransomware gangs, the widespread ability of businesses to pay ransoms under insurance policies, the decreasing technical barriers to entry for attackers, and the ready availability of often untraceable cryptocurrency all remain strong. High-profile ransomware attacks in 2021 included the Colonial Pipeline attack, which interrupted gas supplies along the East Coast of the United States, and the attack on JBS Food, one of the world’s largest meat producers, which caused panic buying by some consumers. As with other cybersecurity threats, supply chains were also exploited, with the REvil ransomware gang leveraging unauthorized access to Kaseya’s IT administrator software infrastructure to push out a fake software update containing ransomware. In that instance, the FBI was able to provide some assistance by obtaining encryption keys, but victims of future attacks may not be so fortunate.
Attacks were also widespread. According to analysis by the Financial Crimes Enforcement Network (FinCEN), the total value of suspicious activity related to potential ransomware payments reported in just the first six months of 2021 was $590 million, greater than the value for the entire 2020 calendar year ($416 million). Those figures relate only to reported activity—the actual figures are likely to be significantly higher. Such figures also reflect only costs associated with payments. An assessment of the full impact on organizations experiencing a ransomware attack must also take into account costs associated with remediation (often requiring significant rebuilds—sometimes network-wide), investigation, business interruption, lost customers, legally required notifications to individuals or regulators, associated litigation or government investigations, and potentially increased insurance premiums, among other things.
Given the ubiquity of ransomware and the significant risks associated with an attack, organizations are likely to need to make key decisions, either in preparing for or after experiencing a ransomware event. Some of these include:
To Pay or Not To Pay
By its very nature, one critical decision organizations face is whether or not to pay a ransom. When making that decision, organizations must address multiple considerations. First, the practical: while the U.S. government discourages payment, it is not per se illegal in the U.S. to pay a ransom, and many organizations have no choice. If an organization does not have adequate backups to allow it to rebuild, it may need to receive the decryption key to restore operations. But payment does not ensure a return to full functionality. According to analysis by Microsoft, on average, victims who paid the ransom recovered only 65% of their data, with 29% of victims recovering only up to half the compromised data. Decryption can also be labor and time intensive; organizations that pay the ransom can still face days of operational downtime after receiving the key. Nor does decryption necessarily mitigate all of the damage caused by cybercriminals during an attack. Cybercriminals are known to delete data, change settings, and cause other damage to hide their tracks, to create additional operational burdens, or simply as part of the cost of doing business. Recovery of the data does not undo any such tampering performed on the victim’s computer systems.
Organizations considering payment must also consider regulatory requirements. Although ransom payments are not strictly prohibited in most cases, organizations must still review a host of U.S. and international regulations governing transactions with restricted entities that may prohibit such payments, including the U.S. sanctions regime. The U.S. government’s efforts to enforce such requirements are increasing. On September 21, 2021, for example, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, which imposes strict liability on both ransomware victims and third-party entities that assist victims in negotiating with cybercriminals who are under economic sanctions. The Updated Advisory also prohibits transactions with or involving SUEX OTC, S.R.O. (SUEX), a virtual currency exchange.
Notification to Individuals, Regulators, and Customers
In many cases, ransomware attacks now also involve data exfiltration or, at a minimum, potential unauthorized access to personal information or other confidential data. Organizations must, therefore, assess their obligations to issue data breach notifications, even if they pay the ransom. Notification decisions are fact intensive, involving an analysis of the data potentially impacted, whether there are indications that the data was actually taken, and the risk of harm to individuals as a result of the attack. Ransomware actors often threaten to expose their targets’ data if they do not pay the ransom, but payment alone does not necessarily eliminate a victim’s obligations to provide notification under applicable laws.
Organizations also should not ignore their notification obligations under applicable contracts, which may be triggered by access to confidential data other than personal information. Contracting parties are increasingly sensitive to risks associated with ransomware and data theft, often engaging their own vendors to scan the dark web for indications that their data has been stolen. Such organizations may take a dim view of a vendor or other contracting party that does not adequately report potential access to confidential data.
Individuals whose information is exposed may also raise claims that duties to provide notice could arise from the existence of a fiduciary relationship, from a tort “duty to warn,” or from a contractual duty to attempt to mitigate damages. While these obligations are less clearly established in many cases, organizations wishing to avoid such claims and the associated litigation costs should carefully assess the application of those duties.
Assessing Impacted Data
Ransomware threat actors seeking to extort payment will often provide information such as a file listing or the volume of the data they claim to have stolen. Unsurprisingly, though, such information is not always accurate. Forensic evidence may indicate that more or less data was impacted. Even where an organization engages with a threat actor, then, it is important for the organization to conduct its own comprehensive assessment of the threat actor’s activities to gain a full sense of the impact of the attack on the organization, its legal obligations, and other potential risks.
Ransomware in 2022
The ransomware threat is far from over. The number of ransomware attacks will continue to grow and threat actors will continue to evolve unless offensive governmental cyber operations or international diplomacy advance significantly.
Organizations should, of course, continue to enhance their cybersecurity defenses and adopt best practices such as: (1) training and education of employees; (2) maintaining good cyber hygiene through encryption and multi-factor authentication; (3) backing up data frequently; and (4) maintaining business continuity and disaster recovery plans, including performing tabletop exercises.
Organizations should also continue to be mindful of their legal obligations in the event they experience an attack and take steps to mitigate their risks. Some issues to consider in advance are the involvement of boards of directors and senior management, protocols around payment and incident response, and ensuring that appropriate vendors are in place to assess the extent of any breach.