Ransomware is a Serious and Growing Problem

In recent years, Ransomware has evolved from merely encrypting files or disabling networks to extort a ransom, into sophisticated attacks that often involve actual data access, theft and sometimes the threat of publication. These sophisticated malware attacks frequently destroy backups, giving criminals even more leverage over their victims and coercing them to pay. Ransomware does not just target businesses – it is often used to attack hospitals, research institutions, and other public services that are especially critical during this global pandemic.

It is increasingly common for Ransomware attacks to be associated with large, sophisticated cyber-criminal organizations, with a central entity providing the tools, training, and ability to collect ransoms and sending its “associates” out to cause harm. As long as victims continue to pay ransoms, Ransomware is able to expand. Ransomware is also being adapted for new criminal purposes. Increasingly, hackers associated with countries like Iran and North Korea are using Ransomware to generate an influx of cash into their economies and bypass economic sanctions. Faced with an urgent need to stop the spread of Ransomware, law enforcement is now moving past its old strategy of strongly discouraging victims from paying ransoms. Regulatory agencies – such as OFAC and the SEC – are implementing regulations to prevent victims from paying ransom to buy their way out of a Ransomware attack. These regulations arm law enforcement with a new enforcement mechanism – allowing them to punish companies that choose to pay ransom in the face of a Ransomware attack. Accordingly, they signal a new area of regulatory enforcement that will likely become the government’s most powerful tool to curb the spread of Ransomware.

Regulatory Changes to Combat Ransomware

In the absence of evidence of data access or exfiltration, a Ransomware incident may not be considered a breach and therefore may fall outside any reporting requirements for cyber-incidents. Accordingly, in those circumstances, an organization could pay the ransom, potentially allowing it to restore functionality and avoid the reputational harm that would follow publication of a successful attack. But keeping these attacks in the dark creates a ripple effect in cybersecurity through which the criminal actors simply continue to perpetrate Ransomware attacks.

In October, OFAC issued an Advisory making clear that any payment made to a sanctioned entity – even where the payment is made under the duress of a Ransomware attack – would be a violation of federal sanctions regulations. Significantly, OFAC sanctions apply with strict liability, so the intent of the victim is no defense, nor is the victim’s lack of knowledge that the payment is going to a sanctioned entity. In fact, the Advisory dispels any hope that OFAC might consider a victim’s lack of knowledge and intent as a mitigating factor – as it occasionally does in other contexts. The Advisory makes crystal clear that OFAC intends to enforce these regulations aggressively, even where a victim did not know it was paying a sanctioned party: “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.” This raises a serious concern: in the context of Ransomware payments, where a criminal actor conceals its true identity, it could be difficult to determine exactly who will receive a ransom payment, and whether the party demanding payment is a sanctioned entity. Ransomware attackers also force victims to make ransom payments through non-bank methods, often specific cryptocurrencies like Monero, so one cannot even rely on wire information or other ways to identify the recipient of a payment. Under these circumstances, it is nearly impossible for a victim to be completely sure that a ransom payment is not directed to a sanctioned entity.

An evolving Ransomware threat, coupled with OFAC’s Advisory, will also likely increase the number of events that need to be disclosed under the SEC’s latest cybersecurity guidance. The guidance describes disclosure requirements as they relate to Ransomware and other cyber-attacks. According to the guidance, companies are required to disclose material information in periodic reports, subject to Securities Act and Exchange Act obligations, and in certain instances in current reports. Disclosure requirements are tied to materiality, which requires a company to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.” The SEC will consider information to be material if there is a “substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.” The regulatory risks of making any ransom payment, as well as the broader criminal goals of Ransomware attacks today, will likely mean that more attacks will need to be reported as material events.

Takeaways

OFAC’s new Advisory on Ransomware raises important questions about OFAC’s enforcement priorities as well as its compliance expectations. For example, the Advisory raises the question of whether one could ever conduct a transaction with a party that hasn’t fully identified itself, and at the very least suggests the need for heightened due diligence in these circumstances should an organization still choose to pay the ransom despite the legal risk. The Advisory also suggests that OFAC may take a more limited view of mitigating circumstances – such as lack of knowledge and duress – for sanctions violations in other contexts beyond Ransomware. One open issue is determining what weight OFAC will give, if any, to a company’s reliance on advice from an entirely different government agency – such as the FBI – about whether a payment was sanctions compliant.

While it may not be illegal per se to pay a ransom to a criminal that is not associated with a sanctioned entity, it is often impossible to determine who the criminal actors behind the attack are. Any entity considering paying a ransom, and the ecosystem that might support such a payment, should consider this risk as they evaluate the decision of whether or not to pay.

Firms should consider the impact of the OFAC requirements (and other regulations that will inevitably emerge to address Ransomware concerns) in their contracting with third parties, to ensure that their partners understand what will be expected of them in the event of a Ransomware incident. The goal of law enforcement appears to be that the combination of improved reporting plus disincentives for paying ransoms will disable, and eventually prevent, future threats of Ransomware.

Seetha Ramachandran

Seetha Ramachandran is a partner in the Litigation Department.

She is a leading expert in anti-money laundering (AML), Bank Secrecy Act, economic sanctions and asset forfeiture matters. She represents banks, broker dealers, hedge funds, private equity funds, online payment companies, and individual executives and officers, in high stakes and sensitive matters. Her practice focuses on white collar and regulatory enforcement defense, internal investigations, and compliance counseling. In addition to her subject matter expertise, Seetha is an experienced trial and appellate lawyer, having conducted 10 criminal jury trials, argued 10 appeals before the U.S. Court of Appeals for the Second Circuit, and handled ancillary civil proceedings in forfeiture cases.

Nolan Goldberg

Nolan M. Goldberg is a senior counsel in the Litigation Department and a member of the Patent Law and Privacy Groups. His practice focuses on technology-centric litigation, arbitration (including international arbitrations), investigations and counseling, covering a range of disputes, including cybersecurity, intellectual property, and commercial matters. Nolan’s understanding of technology allows him to develop defenses and strategies that might otherwise be overlooked or less effective and enhances the “story telling” that is critical to bringing a dispute to a successful conclusion.

Nolan is a registered patent attorney before the U.S. Patent & Trademark Office; and an International Association of Privacy Professionals (IAPP) Certified Information Privacy Professional, United States (US CIPP) and Certified Information Privacy Technologist (US CIPT).

Cybersecurity

Nolan’s electrical engineering background, coupled with a litigation and risk management-centric focus, allows him to assist companies in all phases of incident response. Nolan often acts as a bridge between the technical and legal response teams (both inside and outside forensic consultants). Nolan uses this deep familiarity with the company and its systems to defend the company in litigations, arbitrations and regulatory investigations, including before the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and various State Attorneys General, including Multi-State investigations.

Nolan has worked on incidents that range from simple phishing attacks on e-mail accounts by cyber-criminals to intrusions by (formerly) trusted inside employees to complex technical breaches of hosted systems by state-sponsored advanced persistent threats (APTs). These incidents have involved both client systems, and systems of a vendor of a client that hosted its data.

It is often the case (both in response to an incident and for other reasons) that a company will want to undertake an assessment of its security posture, but has concerns about the discoverability of any such analysis. Accordingly, Nolan also frequently assists companies in scoping and conducting privileged security assessments, including “dual purpose” assessments where privileged analyses are also used for ordinary-course purposes.

Commercial Disputes

Nolan also assists companies with commercial disputes, particularly in cases where there is a technology component, including disputes arising from hosted software agreements; outsourcing and managed services agreements; software and technology development agreements and the dissolution of joint ventures.  When these disputes cannot be amicably resolved, Nolan has litigated them in State and Federal Court and in arbitrations, including international arbitrations.

Intellectual Property

Nolan’s work has included numerous patent and trade secret litigations and negotiations, primarily in cases involving computer and network-related technologies. In particular, the litigations have involved at least the following technologies: hosted software; telecommunications; computer networking; network and computer-related security hardware and software; microprocessors; voice-over Internet protocol (“VoIP”); bar code scanners; financial business methods and software, including securities settlement, fail management and trade execution and reporting software; data compression; handheld computers; pharmaceuticals; cardiac electro-stimulatory devices and prosthetics.

Nolan also has experience prosecuting patent applications before the U.S. Patent and Trademark Office in encryption, CMOS, HDTV, virtual private networks (“VPN”), e-commerce, XML/XSL, financial instruments, semiconductor electronics, medical device technology, inventory control and analysis, cellular communications, Check 21 and business methods. Nolan also has conducted numerous freedom-to-operate searches, written opinions, and counseled clients in the areas of bar code scanners, imaging, book publishing, computer networking, business methods, Power Over Ethernet (“PoE”), and digital content distribution.

He has assisted in evaluating patents for inclusion in patent pools involving large consumer electronics and entertainment companies concerning CD and DVD technology.

Computer Forensics and Electronic Discovery

Nolan is often called upon to develop e-discovery strategies to be used in all types of litigations, with a particular focus on selecting appropriate tools, developing proportionate discovery plans, cross border electronic discovery, managing the overall burden and cost of the electronic discovery process, and obtaining often overlooked electronic evidence, including computer forensics. He also assists clients to develop and implement information management programs to reduce expense and risk, meet compliance obligations, and tame e-discovery burdens.

Thought Leadership

Nolan has authored numerous articles and given numerous presentations on emerging issues and trends in both technology and law, and has often been called upon to comment on various media outlets including Business Week, IPlaw360, IT Business Edge, CIO.com, Forbes, and The National Law Journal.

Prior to practicing law, Nolan was a computer specialist at Underwriters Laboratories (UL).

Hena M. Vora

Hena M. Vora is an associate in the Litigation Department and a member of the Asset Management Litigation practice and Products Liability group. Her practice encompasses a range of complex civil and commercial litigation matters, including securities litigation, partnership disputes, and consumer products.

Hena has experience with various stages of litigation, including pitching clients, coordinating discovery, drafting dispositive motions and trial memoranda, and preparing witnesses for depositions and trial. She also has experience conducting highly sensitive and confidential internal investigations.

Hena maintains an active pro bono practice and has been awarded for creating a partnership between Proskauer’s Boston office and Minds Matter Boston, through which she helps high school students from low-income backgrounds achieve college readiness and success.

Hena earned her J.D. from Emory University School of Law, where she received the Pro Bono Publico honor and a Transactional Law Certificate. In addition, she was a national competitor on the Moot Court Society and served as president of Emory’s South Asian Law Students Association. While at Emory, Hena served as judicial intern for Judge Denny Chin at the U.S. Court of Appeals for the Second Circuit.