Given the ongoing prevalence of ransomware incidents, companies should be prepared and know what to expect in the event their organization is suddenly faced with data exfiltration followed by ransom demands.

First, organizations should be aware of the various types of ransomware attacks. Some common ones include:

  • Single Extortion. This is where a threat actor encrypts files and systems and demands a ransom payment in exchange for a decryption key. The victim loses access to files and systems but not possession of them. Over time, companies adapted to single extortion attacks by improving data backups.
  • Double Extortion. In this type of attack, the threat actor both encrypts and exfiltrates files. The threat actor then threatens to publish the exfiltrated files on a "name and shame" data leak site or the Dark Web.[1]
  • Triple Extortion. In this type of attack, the threat actor encrypts files, exfiltrates files, and launches a distributed denial-of-service ("DDoS") attack.
  • Quadruple Extortion. The threat actor encrypts files, exfiltrates files, launches DDoS attacks, and directly communicates with the victim's employees, customers, or other stakeholders, warning them that their exfiltrated data will be leaked unless the victim pays up.
  • No Encryption/Locking of Data. This is where the threat actor does not bother with locking down the victim's systems, and simply takes data that it later holds for ransom. For example, a threat actor may threaten to publish the information it took on the Dark Web unless a ransom payment is made.

Second, firms should expect the decision on whether to negotiate with a threat actor (and, if so, the decisions relating to the negotiation process) to be a large part of the incident response. If a victim decides to engage in negotiation, it should consider retaining a ransomware negotiation expert to open a line of communication with the threat actor. If negotiations do take place, they will be conducted under intense time pressure and without knowledge of the threat actor's identity. The negotiation expert will first attempt to identify the ransomware variant and determine the likelihood of data recovery based on that variant's past behavior. Because the scope and nature of the attack may be unknown to the incident response team, the negotiation expert will also gather intelligence about the attack during the course of negotiations. The negotiation expert will likely also attempt to procure "proof of life," that is, proof that the threat actor can indeed decrypt and restore access to the compromised data or systems. This can entail demanding that the threat actor send a decrypted file or decrypt a portion of the system prior to payment.

U.S. government interagency guidance "does not encourage paying a ransom to criminal actors" but notes that "[w]hether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees and customers."[2]

Organizations would be well advised to consult experienced data incident response counsel regarding potential legal implications of ransom payment to foreign entities.

U.S. persons are generally prohibited from transacting with individuals or entities on the U.S. Treasury's Office of Foreign Assets Control's ("OFAC") Specially Designated Nationals and Blocked Persons List ("SDN List"), other "blocked" persons, and individuals or entities covered by geographic embargoes or sanctions.[3] OFAC's SDN List includes ransomware group names, related URLs and dark web addresses, individuals, server IP addresses, and email addresses. OFAC issued a public advisory in October 2020 warning that facilitating the payment of a ransom to a blocked or sanctioned entity can result in civil monetary penalties.[4]

Even though ransom payment facilitators do not know who exactly is on the other side of the negotiating table, OFAC may still impose civil penalties based on strict liability, meaning that a person may be held civilly liable even if it did not know, or have reason to know, that it was engaging in a transaction with a blocked or sanctioned entity.[5] However, OFAC generally does not pursue enforcement actions against ransom payors that unwittingly transact with blocked or sanctioned entities.[6] Negotiation experts may have their own OFAC due diligence protocols to guard against facilitating a payment to a sanctioned individual or entity.[7] Consulting with legal counsel is also strongly recommended.

Third, regardless of what decision a company ultimately makes regarding ransom, it is helpful to be aware of recent ransom trends.

Although data on ransom demands and payments may be somewhat unreliable, Coveware reports that 37 percent of the ransomware attacks it handled in Q4 2022 involved a ransom payment.[8]

This figure is part of a larger trend of fewer companies paying ransoms over time, down from an 85 percent peak in Q1 2019.[9]

Coveware reports that the average ransom payment for the incidents it handled was $408,644 in Q4 2022,[10] while Unit 42's incident response data yielded an average ransom payment of $541,010 for 2021.[11]

Overall, U.S. financial institutions processed about $1.2 billion in ransomware payments in 2021.[12]

Fourth, organizations should coordinate with insurers and any insurance counsel regarding ransom decisions and always check the specifics regarding available coverage and amounts.

As discussed in the prior article in this series, organizations that fall victim to ransomware attacks should also consider engaging their cyber-risk counsel, who should provide guidance on the victim's data breach disclosure and notification requirements and take advantage of privilege protection as permitted by law. Victims should also consider deploying an incident response team to assess the criticality of compromised systems and the availability of backup and recovery mechanisms.

Ultimately, as with all data breach incidents, the process for responding to ransomware attacks should involve a robust and comprehensive data breach response.

A robust ransomware response will likely involve an organization's insurers, cyber incident response counsel, and incident response teams (which may include forensic experts) and, as discussed, may also involve specialized ransomware negotiators. Experienced teams can be invaluable in helping guide companies through these increasingly common, and frequently highly complex, incidents.

Footnotes

1. The Marriage of Data Exfiltration and Ransomware, Coveware (Jan. 10, 2020), https://www.coveware.com/blog/marriage-ransomware-data-breach.

2. Federal Bureau of Investigation, Alert Number I-100219-PSA, High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations (Oct. 2, 2019), https://www.ic3.gov/Media/Y2019/PSA191002.

3. U.S. Dep't of the Treasury, Specially Designated Nationals and Blocked Persons List (SDN) Human Readable Lists, http://www.treasury.gov/sdn (last visited Mar. 21, 2023).

4. U.S. Dep't of the Treasury, Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Oct. 1, 2020), https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf.

5. See 50 U.S.C. § 1705(b); In re Crim. Complaint, 2022 WL 1573361, at *2 (D.D.C. May 13, 2022).

6. Alex Lakatos et al., The Extraterritorial Reach of U.S. Anti-Terrorism Finance Laws, 14 No. 10 Elec. Banking L. & Com. Rep. 1 (June 2010).

7. How OFAC Sanctions on SamSam Ransomware Impacts Future Victims, Coveware (Nov. 29, 2018), https://www.coveware.com/blog/2018/11/29/iranian-samsam-ransomware-identified-by-ofac-and-doj?rq=OFAC.

8. Improved Security and Backups Result in Record Low Number of Ransomware Payments, Coveware (Jan. 20, 2023), https://www.coveware.com/blog/2023/1/19/improved-security-and-backups-result-in-record-low-number-of-ransomware-payments.

9. Id.

10. Id.

11. Unit 42, Ransomware Threat Report 2022 (on file).

12. FinCEN, Ransomware Trends in Bank Secrecy Act Data Between July 2021 and December 2021 (Nov. 1, 2022), https://www.fincen.gov/sites/default/files/2022-11/Financial%20Trend%20Analysis_Ransomware%20FTA%202_508%20FINAL.pdf (examining ransomware-related BSA filings between July 1, 2021 and January 31, 2022).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.