chevron-down Created with Sketch Beta.
May 03, 2024 Feature

Navigating Ransomware Attacks in the United States

Joy Momin

Avoid. Contain. Restore. Respond. Report. The ransomware response question is then posed to attorneys: Pay? This question is often delayed by staunch no-payment policies after significant business disruption, leaving entities with less bargaining power.

Moreover, attorneys are navigating additional preliminary hurdles. The flourishing of cryptocurrency ecosystems challenges prevention and response protocols. Navigating national and international frameworks leaves patchwork vulnerabilities in best practices. Financial restoration policy negotiations with insurance services require technical understanding. Surviving a ransomware attack is not a piece of cake.

Insurance Issues

In January 2024, Merck and its insurers confidentially settled a $1.4 billion NotPetya 2017 cyberattack suit, ending a case that faced appeals and was on its way to setting US national cyber insurance precedence.

In 2017, the NotPetya malware, using EternalBlue—a stolen and publicly leaked NSA exploit—to navigate across vulnerable Windows machines, was unleashed by Russia against Ukraine and spread globally, causing approximately $10 billion in damages. Pharmaceutical giant Merck was one of the many victims across 65 countries. In 2018, the White House assigned responsibility as a “part of the Kremlin’s ongoing effort to destabilize Ukraine” and said it demonstrated “ever more clearly Russia’s involvement in the ongoing conflict.”

Courts, often ruling against insurers that try to apply the wartime exemption, placed the White House’s statement in the forefront to determine whether the White House’s assignment of responsibility met the standard for exemption. Merck initiated suits with over 20 insurers that had rejected their claims related to the NotPetya attack, alleging breach of insurance contracts about NotPetya’s disruption of sales research, sales, and manufacturing operations, causing nearly $700 million in damage. The insurer ACE American Insurance Company stated a lack of applicable coverage, invoking the “war exclusion” clause. Merck argued that the war exclusion clause doesn’t apply in this situation, believing the attack, although potentially linked to Russia, was not a traditional act of war.

Similarly, Mondelez International experienced around $100 million in global damages after the NotPetya malware infiltrated its networks and sued Zurich American Insurance Company on similar grounds of breach. In Hobart, Tasmania, computers displayed ransomware messages demanding $300 in Bitcoin and wallet access. See Leon Compton (@LeonCompton), Twitter (Jun 27, 2017, 5:13 PM) https://tinyurl.com/y7586r67. Zurich argued the act of war exemption, to which Mondelez responded that the 2016 policy update covered “the malicious introduction of machine code,” therefore covering the attack. The parties settled in November 2022.

In 2022, Lloyd’s announced changes to their cyber insurance policies to exclude losses from cyberattacks backed by nation-states, which came into effect in April 2023. Lloyd’s new policies explicitly exclude losses arising from war if no separate war exclusion is already in place, provide no coverage for losses where a country faces disruption in infrastructure and security resulting from a government-backed attack, require the listing of physical locations to be covered and criteria for attribution for state-sponsored attacks, and must use unambiguous definitions.

Addressing Attacks

In addition to statewide guidance and regulations in responding to ransomware attacks, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) released updated guidance in September 2021 following increased attacks during COVID-19. OFAC discourages all payments related to ransomware attacks due to potential sanctions risks. The International Emergency Economic Powers Act (IEEPA) and Trading with the Enemy Act (TWEA) generally prohibit US persons from engaging with sanctioned individuals or entities on the Specially Designated Nationals and Blocked Persons List (SDN List), including facilitating transactions with them. Sanctions may apply to entire countries like Iran and North Korea, making any transactions with entities in those regions illegal and posing civil penalties on US actors even when they lack knowledge of the entity’s identity behind the screen.

As US entities respond to ransomware attacks, OFAC considers two main aspects in evaluating and attributing mitigating factors to apparent violations. First, the existence, nature, and adequacy of a sanctions compliance program in place and, second, the extent of reporting - including voluntary reporting - and cooperation with appropriate agencies after encountering a ransomware attack may reduce liability upon the victim entity in apparent violation. OFAC directs victims to immediately notify CISA, the local FBI field office, the FBI Internet Crime Complaint Center, or the local US Secret Service office. OFAC maintains sanctions updates online. See https://ofac.treasury.gov/recent-actions.

Cryptocurrency Considerations

Digital currencies, particularly in the form of non-jurisdictional cryptocurrencies like Bitcoin, present significant challenges in the context of ransomware attacks. One of the primary issues surrounding crypto’s inherent anonymity and decentralization nature is permitting challenging tracing of ransoms demanded by cybercriminals. The pseudo-anonymity of transactions on blockchains complicates efforts to identify and track the flow of funds in ransomware schemes. The borderless nature of cryptocurrencies enables global ransomware operations, complicating jurisdictional and local law enforcement efforts.

OFAC requires that certain assets, including cryptocurrency, be blocked when associated with individuals, entities, or countries subject to sanctions programs administered by OFAC, often on the SDN List. When a US person determines that they hold virtual currency that must be blocked under OFAC regulations, that person must deny all access to the virtual currency, comply with OFAC regulations regarding the holding and reporting of blocked assets, and implement controls aligned with a risk-based approach. Individuals are to report blocked virtual currency within ten business days and annually to OFAC for as long as the virtual currency remains blocked.

In March 2020, OFAC sanctioned two Chinese nationals involved in a North Korean money laundering scheme using virtual currency. The individuals laundered roughly $100 million stolen from cyberattacks on virtual currency exchanges. Their tactics included complex transactions exceeding $1 million in digital music gift cards.

In September 2021, OFAC designated a Russian virtual currency exchange for aiding ransomware attackers. Analysis revealed that over 40 percent of the exchange’s transactions were linked to illicit activity involving proceeds from multiple ransomware variants.

Moving Strategically

Following OFAC’s regulations and considering the evolution of risks, OFAC suggests the following five best practices for all entities:

  1. Management Commitment: Senior management should review and endorse sanctions compliance policies and procedures, allocate adequate resources to support the compliance function, delegate authority to the compliance unit, and appoint a dedicated sanctions compliance officer with technical expertise.
  2. Risk Assessment: Companies should conduct a thorough review to identify potential touchpoints with OFAC-sanctioned entities, countries, or regions, tailor risk assessments to their specific products, services, customers, and geographic locations, and use the results to develop effective compliance policies, procedures, and internal controls.
  3. Internal Controls: Policies and procedures should be designed to address identified risks, including controls for identifying, escalating, reporting, and maintaining records for transactions prohibited by OFAC sanctions, conducting due diligence on customers and transactions, identifying red flags for illicit activity, enforcing compliance measures, and remediating weaknesses to prevent sanctions violations.
  4. Testing and Auditing: Regular testing and auditing of the sanctions compliance program should be conducted to ensure its effectiveness, identify any weaknesses or gaps, and address compliance breaches through root cause analysis to prevent future violations.
  5. Training: Employees should receive comprehensive training on sanctions compliance, including understanding OFAC requirements, recognizing red flags for potential violations, and implementing internal controls effectively to mitigate sanctions risks.

Be proactive. Be vigilant. Be smart.

Entity:
Topic:
The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

Joy Momin

TIPS

Joy Momin practices on the business side of innovative technologies, with jurisdictional research focused in the areas of artificial intelligence, blockchain, and big data-powered processes. She has returned to the academic setting to pursue an LL.M. in the Law of Internet Technologies at Università Bocconi. Momin joined the ABA in 2022 and is active in the TIPS, SciTech, Business Law and the International Law Sections.