Ransomware attacks have increased exponentially in recent years, and the remote work policies adopted during COVID-19 have only made bad actors more successful in perpetrating them. If your company is not currently working toward strengthening its cybersecurity controls, there has never been a better moment to start, especially if you deal with sensitive technologies or defense industries. Ransomware is a kind of malicious software (malware) designed to block access to data, often through encryption, in order to extort ransom payments from victims in exchange for decrypting the data and restoring access to it. Oftentimes, the actors launching the ransomware attack also demand money to prevent the release of sensitive data. Paying in response to a ransomware attack not only may threaten U.S. national security interests but also encourages and incentivizes the continuation of such attacks.
In addition to the obvious business challenges companies face when dealing with a ransomware attack, there are several U.S. government laws, regulations, and implementing agencies that companies must be mindful of in the aftermath of an attack. A few relevant agencies and important considerations include:
- Making Payment Could Trigger Economic Sanctions Violations
On October 1, 2020, the Department of the Treasury Office of Foreign Assets Control (OFAC) published an advisory that warns businesses and financial institutions of the possible U.S. sanctions risks related to payments made in the aftermath of a ransomware attack. OFAC's jurisdiction would be triggered if the malicious cyber actors include groups or individuals that are designated on the Specially Designated Nationals and Blocked Persons (SDN) List. U.S. persons are prohibited from engaging in transactions with SDNs, and an SDN's assets must be blocked, in other words "frozen," when those assets are in the United States or come under the control of a U.S. person (e.g., a U.S. financial institution). Additionally, some of the actors launching or supporting ransomware attacks are located in countries subject to comprehensive sanctions, like Iran and North Korea. Varieties of ransomware specifically mentioned in the OFAC advisory include CryptoLocker, SamSam, and WannaCry 2.0. In the event of a ransomware attack, there is a good chance that the party demanding payment is sanctioned or has a sanctions nexus.
A payment to an SDN or to a party in an embargoed country constitutes a violation of OFAC sanctions regulations. OFAC sanctions violations are strict liability, meaning a party may be held civilly liable for violating the sanctions even if it did not know or have reason to know that it entered into a transaction with a sanctioned party. OFAC's Economic Sanctions Enforcement Guidelines (31 C.F.R. Part 501, Appx. A) provide additional information on OFAC's enforcement of economic sanctions. To prevent such violations, OFAC encourages all companies, including financial institutions and others that engage with victims of ransomware attacks, to develop a risk-based sanctions compliance program.
In the advisory, OFAC reminds companies that a self-initiated, timely, and complete report of a ransomware attack to law enforcement will be considered by the agency to be a mitigating factor. Importantly, OFAC will review license requests to facilitate a payment of ransomware demands to a party with a sanctions nexus on a case-by-case basis with a presumption of denial.
On the same day that OFAC published its advisory, the U.S. Department of the Treasury Financial Crimes Enforcement Network (FinCEN) published a similar advisory warning financial institutions about ransomware attacks and the use of the financial system to make ransomware payments. The FinCEN advisory also discusses the increasing trend in ransomware attacks as well as some of the most common ransomware tactics, including phishing, in which the victim is tricked into clicking a malicious link or downloading a malicious attachment, and spear phishing, a more targeted form of phishing.
The FinCEN advisory acknowledges the important role financial intermediaries play in the collection of ransomware payments and points out the role of convertible virtual currency (CVC) in these transactions. CVCs include some types of cryptocurrency, the preferred payment method of ransomware perpetrators. After a CVC ransom payment, the ransomware perpetrator will often launder the CVC through various means. Depending on the facts of the transaction, certain actors in the ransom payment may qualify as performing money transmission, which is considered a money services business (MSB) activity. Entities engaged in money transmission and other money services business activities are required to register with FinCEN as MSBs, triggering Bank Secrecy Act (BSA) obligations, including the filing of suspicious activity reports (SARs).
Per the FinCEN advisory, a financial institution is required to file a SAR if it knows, suspects, or has reason to suspect a transaction conducted or attempted by, at, or through the financial institution involves or aggregates to $5,000 (or generally $2,000 for MSBs) or more in funds or other assets and:
(1) involves funds derived from illegal activity, or attempts to disguise funds derived from illegal activity;
(2) is designed to evade regulations promulgated under the BSA;
(3) lacks a business or apparent lawful purpose; or
(4) involves the use of the financial institution to facilitate criminal activity.
Importantly, SAR obligations apply to both attempted and successful transactions, so even an unsuccessful ransomware extortion attempt is potentially subject to the SAR obligation. A SAR filed in relation to a cyberattack should include all cyber-related information and technical indicators. The FinCEN advisory includes a list of red flag indicators of ransomware and associated payments and provides SAR filing instructions specific to cyber activity.
- Department of Defense
Certain companies have additional considerations besides sanctions regulations when facing such a cyberattack. In particular, defense contractors, subcontractors, and other companies having export-controlled or other controlled unclassified information must consider whether such an attack exposed controlled information in violation of the export control regulations or the Defense Federal Acquisition Regulation Supplement (DFARS).
DFARS 252.204-7012, related to Safeguarding Covered Defense Information and Cyber Incident Reporting, generally requires contractors that store Covered Defense Information (CDI), as defined in the regulation, to report the compromise of such CDI to the Department of Defense (DoD) in the event of a cyber incident, which would include a ransomware attack. Contractors subject to this DFARS provision must submit a mandatory report to DoD within 72 hours of the discovery of the cyber incident. (For more information, see our previous article, DoD Mandatory Disclosure Requirements for Export-Controlled Transfers as "Cyber Incidents.")
To better manage cybersecurity obligations under the DFARS, the DoD is instituting a new program that requires defense contractors and subcontractors to obtain a certification of compliance with cybersecurity requirements to be eligible for bidding on and receiving government contracts. The new certification is called the Cybersecurity Maturity Model Certification (CMMC) and is beginning to be required in certain government contract Requests for Proposal. (See our previous article, Department of Defense Creates Cybersecurity Certification Program.)
- Department of State and/or Department of Commerce
For companies that design, manufacture, export or otherwise handle or store export-controlled information, a ransomware attack could also potentially lead to the unauthorized release of controlled technology or technical data, as defined by the Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR), respectively. Depending on the circumstances of the attack, it may be in the interest of the company to voluntarily disclose the circumstances of the attack, the export-controlled information compromised, and corrective actions taken to prevent similar attacks in the future.
Both the Department of Commerce Bureau of Industry and Security (BIS), which administers the EAR, and the Department of State Directorate of Defense Trade Controls (DDTC), which administers the ITAR, have stated that the voluntary disclosure of possible violations is viewed as a mitigating factor when assessing potential penalties. As with economic sanctions violations, export violations are strict liability. BIS's Guidance on Charging and Penalty Determinations in Settlement of Administrative Enforcement Cases (15 C.F.R. Part 766, Supp. No. 1) provides additional information on BIS's enforcement of export violations. The ITAR does not contain guidance similar to OFAC's and BIS's enforcement guidance, but 22 C.F.R. Part 127 contains information about ITAR violations and penalties, and DDTC provides additional compliance and enforcement information on its website. For detailed information on the various types of voluntary disclosures, see the Torres Law VSD Handbook.
An export violation only occurs if the malicious actor is in a foreign country or is a foreign person wherever located, and oftentimes, in the context of cyber activity, there is little or no information about the whereabouts or nationality of the malicious actor. Still, companies that experience a ransomware attack affecting export-controlled information may choose to submit a voluntary disclosure to the relevant agency because data subject to that agency's jurisdiction has been compromised and potentially accessed by foreign persons. The decision whether to submit a voluntary disclosure involves a multi-factor analysis, and you should consult with counsel and senior leadership depending on the facts of your case.
The first line of defense for any company in the modern digital landscape is to develop and implement cybersecurity policies and procedures to help prevent a ransomware attack, or any cyberattack, from occurring in the first place. But due to the increased sophistication and cyber capabilities of malicious actors, even the best prepared organizations may fall prey to a ransomware attack. If you do suffer a ransomware attack, you should contact legal counsel and the relevant U.S. law enforcement agencies, which include the FBI, the Secret Service, and Homeland Security Investigations. Companies that deal with the fallout from a ransomware attack, including the victims of such attacks, should have at least a basic sanctions compliance program in place, as recommended in the OFAC advisory, to prevent sanctions violations in the aftermath of an attack. Financial institutions subject to BSA obligations must determine whether a SAR is required based on any transaction or attempted transaction related to ransomware activity.
For defense contractors and subcontractors, and for companies that maintain export-controlled information, there are additional layers of compliance regulations that must be considered in the event of a ransomware attack. Defense contractors are already required to maintain minimum levels of cybersecurity and will soon need a Cybersecurity Maturity Model Certification to bid on most government contracts. These contractors should ensure that they meet the applicable DFARS cybersecurity standards as well as whichever CMMC level is required for any specific contract. Any company that creates, stores, or handles export-controlled information should have an export compliance program in place that addresses the steps to take in the event that controlled information is released. The export compliance program should be memorialized in an export compliance manual that also includes procedures for escalating potential violations and disclosing them as necessary.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.