Summary
- Financial restoration policy negotiations with insurance services require technical understanding.
- Because of crypto’s inherent anonymity and decentralization, tracing of ransoms demanded by cybercriminals is challenging.
Avoid. Contain. Restore. Respond. Report. The ransomware response question is then posed to attorneys: Pay? This question is often delayed by staunch no-payment policies after significant business disruption, leaving entities with less bargaining power.
Moreover, attorneys are navigating additional preliminary hurdles. The flourishing of cryptocurrency ecosystems challenges prevention and response protocols. Navigating national and international frameworks leaves patchwork vulnerabilities in best practices. Financial restoration policy negotiations with insurance services require technical understanding. Surviving a ransomware attack is not a piece of cake.
In January 2024, Merck and its insurers confidentially settled a $1.4 billion NotPetya 2017 cyberattack suit, ending a case that had survived appeals and was on its way to setting US national cyber insurance precedent.
In 2017, the NotPetya malware, using EternalBlue—a stolen and publicly leaked NSA exploit—to navigate across vulnerable Windows machines, was unleashed by Russia against Ukraine and spread globally, causing approximately $10 billion in damages. Pharmaceutical giant Merck was one of the many victims across 65 countries. In 2018, the White House assigned responsibility as a “part of the Kremlin’s ongoing effort to destabilize Ukraine” and said it demonstrated “ever more clearly Russia’s involvement in the ongoing conflict.”
Courts, which have often ruled against insurers seeking to apply the wartime exemption, treated the White House’s statement as central to whether the White House’s attribution of responsibility met the standard for exemption. Merck initiated suits against over 20 insurers that had rejected its claims related to the NotPetya attack, alleging breach of insurance contracts over NotPetya’s disruption of its research, sales, and manufacturing operations, which caused nearly $700 million in damage. The insurer ACE American Insurance Company asserted a lack of applicable coverage, invoking the “war exclusion” clause. Merck argued that the war exclusion clause does not apply in this situation, contending that the attack, although potentially linked to Russia, was not a traditional act of war.
Similarly, Mondelez International experienced around $100 million in global damages after the NotPetya malware infiltrated its networks and sued Zurich American Insurance Company on similar grounds of breach. In Hobart, Tasmania, computers displayed ransomware messages demanding $300 in Bitcoin and wallet access. See Leon Compton (@LeonCompton), Twitter (Jun 27, 2017, 5:13 PM) https://tinyurl.com/y7586r67. Zurich argued the act of war exemption, to which Mondelez responded that the 2016 policy update covered “the malicious introduction of machine code,” therefore covering the attack. The parties settled in November 2022.
In 2022, Lloyd’s announced changes to their cyber insurance policies to exclude losses from cyberattacks backed by nation-states, which came into effect in April 2023. Lloyd’s new policies explicitly exclude losses arising from war if no separate war exclusion is already in place, provide no coverage for losses where a country faces disruption in infrastructure and security resulting from a government-backed attack, require the listing of physical locations to be covered and criteria for attribution for state-sponsored attacks, and must use unambiguous definitions.
In addition to statewide guidance and regulations in responding to ransomware attacks, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) released updated guidance in September 2021 following increased attacks during COVID-19. OFAC discourages all payments related to ransomware attacks due to potential sanctions risks. The International Emergency Economic Powers Act (IEEPA) and Trading with the Enemy Act (TWEA) generally prohibit US persons from engaging with sanctioned individuals or entities on the Specially Designated Nationals and Blocked Persons List (SDN List), including facilitating transactions with them. Sanctions may apply to entire countries like Iran and North Korea, making any transactions with entities in those regions illegal and posing civil penalties on US actors even when they lack knowledge of the entity’s identity behind the screen.
As US entities respond to ransomware attacks, OFAC considers two main aspects when evaluating apparent violations and weighing mitigating factors. First, the existence, nature, and adequacy of a sanctions compliance program in place; second, the extent of reporting (including voluntary reporting) and cooperation with appropriate agencies after encountering a ransomware attack. Both may reduce the liability of a victim entity found to be in apparent violation. OFAC directs victims to immediately notify CISA, the local FBI field office, the FBI Internet Crime Complaint Center, or the local US Secret Service office. OFAC maintains sanctions updates online. See https://ofac.treasury.gov/recent-actions.
Digital currencies, particularly non-jurisdictional cryptocurrencies like Bitcoin, present significant challenges in the context of ransomware attacks. Chief among them is that crypto’s inherent anonymity and decentralized nature make tracing the ransoms demanded by cybercriminals difficult. The pseudo-anonymity of transactions on blockchains complicates efforts to identify and track the flow of funds in ransomware schemes, and the borderless nature of cryptocurrencies enables global ransomware operations, complicating jurisdictional and local law enforcement efforts.
OFAC requires that certain assets, including cryptocurrency, be blocked when associated with individuals, entities, or countries subject to sanctions programs administered by OFAC, often those on the SDN List. When a US person determines that they hold virtual currency that must be blocked under OFAC regulations, that person must deny all access to the virtual currency, comply with OFAC regulations regarding the holding and reporting of blocked assets, and implement controls aligned with a risk-based approach. Holders must report blocked virtual currency to OFAC within ten business days and annually thereafter for as long as the virtual currency remains blocked.
In March 2020, OFAC sanctioned two Chinese nationals involved in a North Korean money laundering scheme using virtual currency. The individuals laundered roughly $100 million stolen from cyberattacks on virtual currency exchanges. Their tactics included complex transactions exceeding $1 million in digital music gift cards.
In September 2021, OFAC designated a Russian virtual currency exchange for aiding ransomware attackers. Analysis revealed that over 40 percent of the exchange’s transactions were linked to illicit activity involving proceeds from multiple ransomware variants.
Following OFAC’s regulations and considering the evolution of risks, OFAC suggests the following five best practices for all entities:
Be proactive. Be vigilant. Be smart.