When a threat actor strikes: Legal considerations and challenges in a ransomware attack
Imagine, if you will, that you are chief counsel of a large, multinational corporation. It’s early Monday morning, and as you pour your coffee and start your workday, you reach for your phone to quickly check your email. You notice that your inbox hasn’t updated since the prior evening. In standard post-pandemic workplace fashion, you attempt to log in to your computer using VPN, but you are unable to connect; you send a text message to a colleague and discover that they are experiencing similar issues. You try to locate your Chief Information Officer’s (CIO) phone number in your contacts list, but your contacts are not populating appropriately. Later that morning, you receive a frantic phone call from your CIO who explains that the company’s IT infrastructure is locked with ransomware and that a threat actor left a ransom note demanding payment within three days. The note also stated that if no payment is received, your company’s data will be published on the internet, publicly accessible to all. The scenario described above is known as a ransomware attack and has unfortunately been all too common as of late.
A ransomware attack is perpetrated by threat actors who place malicious software (malware) on computer systems, networks and/or servers. The malware encrypts files and enables the threat actor to display a message demanding a fee to be paid in order for systems, networks and/or servers to return to normal operation. Ransomware attacks are targeting every industry globally, including highly regulated industries such as government and healthcare. Since the onset of the coronavirus disease 2019 (COVID-19) pandemic, the number of ransomware attacks has drastically increased. Security Magazine reports a 72-percent increase in the number of ransomware attacks since the beginning of the pandemic. Evidence suggests that having employees working remotely significantly increases the risk of a successful ransomware attack.
Once a company has been infected, the legal considerations and challenges are multipronged. In a scenario where all systems may potentially be encrypted and an organization is no longer operational, victims must take decisive and immediate action. Victims must ask themselves:
- Does the company have the technical response capabilities in-house to respond to the incident?
- Will the company conduct the response under attorney-client privilege through an outside law firm?
- Will the company pay the ransom? If so, how will it pay the ransom, and what should it consider before paying (such as the recent Department of the Treasury Office of Foreign Assets Control (OFAC) guidance)?
- Has the company experienced a data breach?
- Will the company notify federal, state or local law enforcement?
How do I respond?
If you have not retained an incident response team on staff or on retainer, you should consider doing so as soon as possible. It is important to investigate whether your company has such a team in place, as you may have already been the victim of a security incident, ransomware or otherwise, and you may need individuals at your disposal who possess a unique background in cyber incident investigation and response. If you have a cyber insurance policy, it will set forth coverage requirements, and possibly a panel of response companies and/or attorneys you may be required to call in the event of a data breach.
Do I use an outside law firm under attorney-client privilege?
In most cases, if a company wishes to engage an outside forensics investigation team or ransomware negotiation consultant, these vendors should be engaged by outside counsel acting on behalf of the company to maintain legal privilege. Further, any reports or post-incident review should also be conducted under the advisement of the same counsel to maintain legal privilege. These issues should be discussed further with outside counsel.
Should I pay the ransom?
There are a variety of factors and risks which must be considered when determining whether to pay a ransom. While attribution of a threat actor is a long and complicated process that often leads to a dead end, the company will need to take all possible steps to seek identification. Attribution is critical, as a company will need to determine if the threat actor is, or is owned or controlled by, an entity on the OFAC, EU, UK or other applicable sanctions list. The company must also determine whether paying the ransom is permitted under applicable laws. In the US, which is a high-risk jurisdiction, OFAC laws impose sanctions against US persons (including companies) doing business with, or providing or receiving services to or from, governments, business entities or individuals located in, or foreign nationals of, Cuba, Iran, North Korea, North Sudan, Syria and the Crimea region of Ukraine. Sanctions are also imposed against individuals on various US lists, primarily those considered international terrorists, irrespective of nationality.
Further to the above, on October 1, 2020, OFAC issued an advisory to companies that pay or facilitate a ransom payment, warning them that ransomware attack victims, and third parties who assist these victims, could be in violation of federal law if they pay or facilitate the payment of a ransom to a sanctioned individual or entity, whether intentionally or otherwise. Penalties can be criminal or civil, and violations are strict liability offenses (ie, violations regardless of culpability). The fines for violations can be substantial (up to $20 million, and imprisonment). The advisory notes that civil penalties may be imposed for sanctions violations even if the parties who initiate or facilitate the transaction did not know or have reason to know that they were engaging in a prohibited transaction. The advisory encourages victims to self-report attacks and ransom payments to law enforcement, and states that in determining the “appropriate enforcement outcome” for a ransomware payment made to a sanctioned individual or entity, OFAC will consider the victim’s “self-initiated, timely, and complete report of a ransomware attack to law enforcement” and “[f]ull and timely cooperation with law enforcement” as significant mitigating factors.
Apart from the OFAC guidance, Anti-Money Laundering (AML) laws penalize involvement in money laundering activities, with penalties of up to $500,000, civil penalties up to the transaction value, and imprisonment. While making a ransom payment may potentially violate AML laws, we are not aware of any prosecution activities in relation to ransom payments, though they may exist. Additionally, under the USA PATRIOT Act, companies are prohibited from knowingly providing material support to terrorists or terrorist organizations. Violations can result in up to life imprisonment and/or fines of up to $250,000 (up to $500,000 for organizations). While making a ransom payment may potentially violate the USA PATRIOT Act, we are likewise not aware of any prosecution activities in relation to ransom payments, though they may exist.
How do I pay a ransom?
Aside from determining whether paying a ransom is permitted in the applicable jurisdiction, the company should also look to whether its insurer will cover the ransomware payment.
A company must assess the severity of the threat, whether a restoration from backup is possible, and the overall financial impact of the loss of business per day. The severity levels that your company uses to measure impact, and the industry that the company is part of, also influence the legal risks. In general, high-severity incidents may decrease the risk of prosecution; for example, authorities may look more favorably on a ransom paid to prevent loss of life than on a payment made to mitigate mere financial loss. Another central factor in the assessment of risk is the nature of the threat actor: whether attribution of the threat actor was possible, and whether there is evidence that the threat actor is tied to terrorist activity or any other activity excluded under OFAC.
Other risk factors include the possible ineffectiveness of the ransom payment, as paying a ransom does not guarantee that systems can be unlocked; previous incidents show that some threat actors have a history of not providing decryption keys following payment. If the threat actor is known for not providing the means to unlock affected systems, paying may not be advisable even if all other factors weigh in favor of payment. Other prosecution risks should be taken into consideration, specifically in a loss-of-life situation, where the company needs to evaluate potential sanctions in applicable jurisdictions if there is an indication that the company or its employees might be liable for the seriousness of the situation (eg, in relation to inside threat actors or insufficient system design or backup plans). Additionally, careful consideration is required in relation to the company’s own security offerings, as both a ransom payment becoming public and an unmitigated ransomware attack can impair a company’s sales strategy in the area of security offerings. Finally, paying a ransom increases the likelihood of further ransomware attacks, as perpetrators have been known to direct targeted attacks against companies that have been prepared to make ransom payments previously.
Does this mean I have been breached?
Possibly. The fact that ransomware has infiltrated your network could be considered a breach, and further legal analysis should be conducted. Ransomware threat actor groups have developed a new tactic of exfiltrating your data and using it as leverage to force you into providing payment. Typically, the note will give details on how to contact the threat actor and state that if you don’t contact them within a specified amount of time, they will place some of your data online. If the threat actor can demonstrate that they hold some of your data, they have most likely also implemented their own operational security measures, possibly including monitoring of your email and, if possible, phone communications and other means of communication. In situations like this, it is important to implement out-of-band communications using easily disposable phones, computers procured directly from a supplier and secure email systems.
Should I notify law enforcement?
The decision of whether to involve law enforcement turns on many factors, such as the applicable legal requirements regarding regulatory notice, contractual requirements and the benefits of contacting law enforcement. Potential drawbacks should also be considered. Will your contact with law enforcement, and any information shared with them, become public? Law enforcement may want to act quickly to publicly share decryption keys at their disposal, or they may simply note your victimization and ask that you share information regarding the breach, such as indicators of compromise. These factors should be analyzed closely.
As set forth above, there are multiple factors to take into consideration when your company or entity becomes the victim of a ransomware attack. If you have any questions, please contact a member of our Data Protection, Privacy and Security practice or your usual DLA Piper advisor.