The threat of ransomware has skyrocketed over the past year and a half. Recent high-profile attacks — including the attacks on Colonial Pipeline and JBS Foods — underscore the risk to all companies posed by this particular form of cyberattack.
The U.S. government has significantly stepped up its response. Within the last several months, the White House and multiple federal agencies issued public guidance aimed at providing companies with the tools necessary to establish an effective front line of defense. Businesses large and small would be well advised to review this guidance and incorporate these recommendations into their compliance and regulatory programs.
A Growing Threat
Like many cyberattacks, ransomware attacks start with a breach of a target’s cyber defenses, often through a phishing email or by overcoming weak passwords. Once inside, cybercriminals use malware to encrypt a target’s data and then demand a ransom payment, typically in cryptocurrency, to unlock the data. The victim must pay the ransom or face the risk of destruction or public disclosure of the data.
The ransom demands can be significant. In June 2021, meat processor JBS Foods revealed that it paid $11 million to cybercriminals following a ransomware attack. Last month, a Russia-linked gang demanded $70 million in Bitcoin in one of the largest ransomware attacks on record. According to the Department of Homeland Security, in 2020 an estimated $350 million in ransom was paid to attackers, triple the amount from 2019. Ransom payments have totaled over $300 million this year to date.
In addition to the direct cost of paying the ransom, companies also face costs associated with the significant disruptions to the normal course of business, lost productivity, intellectual property theft and forensic investigation. Estimates of the total loss resulting from these attacks to the global economy are staggering — and they continue to increase. According to a report by Cybersecurity Ventures, a cyber research firm, global ransomware damages will cost more than $20 billion in 2021, an increase from just $5 billion in 2017. As Homeland Security Secretary Alejandro Mayorkas recently told the U.S. Chamber of Commerce: “The threat is real. The threat is upon us. The risk is to all of us.”
The Government’s Response
On June 2, 2021, the White House issued an open letter to private-sector executives stressing the gravity of the threat of ransomware attacks. The letter also urged companies to take several practical steps to combat that threat.
6 Ways US Companies Can Fight Ransomware
- Implement protections against attacks, including multi-factor authentication, endpoint detection and response, encryption and a skilled and empowered security team.
- Regularly backup data, system images and configurations.
- Update and patch systems promptly.
- Regularly test incident response plans.
- Use a third-party tester to test the security of the systems.
- Segment networks (e.g., maintain separate networks for corporate business functions and manufacturing/operations).
Many of these recommendations will be familiar to cybersecurity and compliance professionals. Nevertheless, the fact that the White House issued the guidance with this level of granularity reflects a concerted governmental effort to get companies to pay attention to the ransomware-associated risks.
The open letter parallels actions from several other federal agencies regarding the threat posed by ransomware:
On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to highlight the “sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.” OFAC cautioned that payments to certain designated malicious cyber actors could be considered a sanctions violation. Companies that are considering paying a ransom should consider the sanctions risks associated with facilitating payments to OFAC-designated actors.
Also in October 2020, the Financial Crimes Enforcement Network (FinCEN) issued an advisory regarding the ways in which ransomware payments may implicate the Bank Secrecy Act and corporate anti-money-laundering programs. FinCEN also hosted a virtual conference in November 2020 with financial institutions, technology firms and third-party service providers on ransomware, and later this month, FinCEN will host its second conference on this topic. In announcing the event, FinCEN cited ransomware attacks as a “growing concern for the financial sector” given the “reputational and financial integrity concerns about the role financial institutions might play in the processing of ransom payments.”
On July 10, 2020, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations issued an alert related to the increased sophistication of ransomware attacks on SEC registrants. The alert reflected an ongoing interest by the SEC in how public companies protect against cyber risks. Companies with public reporting requirements should anticipate scrutiny from the SEC regarding both the strength of its cyber programs and the disclosure of material ransomware risks and incidents.
Earlier this year, the Department of Justice created a new Ransomware and Digital Extortion Task Force, which elevated investigations of ransomware to same priority level as terrorism and centralized investigations. The DOJ has also continued to encourage victims of ransomware attacks to notify law enforcement once an attack occurs. After the FBI seized over $2.3 million in cryptocurrency stemming from a ransomware attack, DOJ officials stressed that early cooperation with the target aided the return of the funds.
Last month, the Biden Administration expressed support for federal legislation that would mandate that certain companies report major data breaches, including ransomware attacks. The bipartisan legislation, known as the Cyber Incident Notification Act of 2021, would require federal contractors and critical infrastructure operators to notify the government in the event of a ransomware attack.
Finally, the U.S. government recently launched a website, StopRansomware.gov, as part of its interagency effort to combat the threat of ransomware. The site establishes a central hub of ransomware resources and a consolidated list of guidance from federal agencies.
As these actions make clear, combating ransomware is a top priority of the federal government. Companies should pay close attention to the evolving federal guidance and make a concerted effort to enhance their cyber defenses, update their incident response plans and incorporate efforts to contain ransomware risks into their compliance programs.
Former RSHC associate Brittney Denley assisted in the drafting of this article.