On 9 February 2023, the US Treasury Department’s Office of Foreign Assets Control (OFAC) and the UK Office of Financial Sanctions Implementation (OFSI) designated seven Russian individuals, alleged to be associated with Trickbot Group, a Russia-based cybercrime gang responsible for the development and deployment of ransomware attacks. These coordinated sanctions stemmed from the UK’s National Crime Agency’s identification of ransomware strains known as Conti and Ryuk that had targeted individuals, corporations, universities, and hospitals in the UK, Europe, and the United States; and they reflect the increasing risk posed to companies by ransomware syndicates.
Against the backdrop of increased cybercrime risks, companies find themselves faced with heightened expectations from regulators to prevent ransomware attacks and conduct sanctions due diligence into ransomware payments. For instance, regulators may consider a company’s compliance program and its cybersecurity practices when considering cybercrime-related enforcement actions. Accordingly, it may be prudent for companies to take advance steps in order to mitigate the risk of falling prey to a cyber-attack and finding themselves in the uncomfortable position of needing to consider whether to accede to a ransom demand. Below, we detail data protection risks and requirements, sanctions risks in relation to ransomware payments, and key considerations for companies mitigating cybercrime concerns.
Data protection risks and requirements
Ransomware attacks can cause tremendous damage to affected companies - especially when services are disrupted or when trade secrets or sensitive employee, supplier, or customer data are exfiltrated by cybercriminals that threaten to publish them. Under data protection laws in many jurisdictions, ransomware attacks will constitute a “breach of data security” and may require victims to notify data protection authorities of such attacks within tight deadlines and inform individuals whose personal data was affected by the attack. In some jurisdictions (such as the EU or UK) the question of whether a company must inform individuals or not depends on various risk factors, including the sensitivity of affected data, and the likelihood and severity of potential harm from the breach. Any decision in this regard should be based on a risk assessment of all relevant information that is available at the time.
Informing affected data subjects individually raises the prospect that some of them may raise civil claims and seek damages, as they are often advised to do so by claimant law firms. They may argue, for example, that sufficient protective measures were not in place prior to the breach or that the breach was not handled diligently. In this context, whether a company has paid a ransom or not and consequently whether the attackers promised not to publish any of the exfiltrated data is not typically considered a risk-mitigating factor by authorities. Instead, to reduce the risk of regulatory investigations and potential enforcement proceedings by authorities, companies should concentrate on setting up a communication strategy, including a clearing process, as well as a comprehensive remediation plan to ensure that any vulnerabilities in their IT security concept are properly addressed at short notice, and that any risk of harm to individuals is minimized.
Sanctions risks in relation to ransomware payments
Regulatory guidance generally discourages ransomware payments due to the low efficacy of making such payments and the risk that payments could be made to or for the benefit of a sanctioned person or a terrorist, or otherwise promote the criminal ecosystem. For instance, OFSI’s guidance on sanctions and ransomware (the OFSI Guidance) - which builds on the UK’s recently implemented Cyber (Sanctions) (EU Exit) Regulations 2020 - notes that ransomware payments to cybercriminals may “perpetuate the threat and sustain the criminal marketplace.” OFAC’s analogous guidance on sanctions and ransomware (the OFAC Guidance) states that making a ransomware payment does not “guarantee that companies will regain access to their data or be free from further attacks themselves.” Similar statements have been issued by many law enforcement authorities all over Europe. Both the OFSI Guidance and OFAC Guidance remind companies considering making or facilitating a ransomware payment to consider sanctions risk in relation to such payments. Many ransomware threat actors are already the subject of sanctions, and even dealings with non-sanctioned attackers may risk indirect dealings with or on behalf of persons or territories targeted under US, UK, and/or EU sanctions.
Companies that choose to pay or facilitate ransomware payments run the risk of violating sanctions or anti-terrorism laws, and a person subject to regulatory jurisdiction runs the risk of being held strictly liable for making a ransomware payment to a sanctioned person - even if the payer did not expressly know or have reason to know that it was engaging in a prohibited transaction. Conducting sanctions screening prior to making any ransomware payment mitigates but may not fully eliminate that risk, since it is usually difficult to identify the beneficiaries of the payment.
A company’s decision of whether to make a ransomware payment must not be taken lightly. Paying a ransom will often be consequential and will usually carry very real practical and legal risks. Such decisions should generally only be taken at a very senior level within an organization and only following a comprehensive assessment of those risks. There are several steps companies might want to consider taking to mitigate some of those risks, such as:
- Implement a risk-based sanctions compliance program. OFAC Enforcement Guidelines state that it will consider the existence, nature, and adequacy of a risk-based sanctions compliance program in determining the appropriate action in response to an apparent violation of sanctions. An effective risk-based compliance program should be able to address sanctions risks in potential ransomware payments and may include: (1) management commitment; (2) periodic risk assessments; (3) internal controls; (4) testing and auditing; and (5) training.
- Improve cybersecurity practices. The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a Ransomware Guide that contains recommended cybersecurity practices. These practices include (1) maintaining offline backups of data; (2) developing incident response plans; (3) instituting cybersecurity training; (4) regularly updating anti-malware software; and (5) employing recommended authentication protocols. These steps, particularly those that address improving the resiliency of systems including through robust backups - also increase the likelihood that a company will be able, for example, to simply incur a delay while systems are brought back online rather than have to pay a ransom. The OFAC Guidance states that OFAC will consider the proper implementation of practices identified by CISA to be a “significant mitigating factor in any OFAC enforcement response.”
- Report ransomware attacks to appropriate law enforcement and/or regulatory authorities. The European Union Agency for Cybersecurity (ENISA) regards contacting the authorities as the most important recommendation when falling victim to a cyber attack, saying in its threat landscape report on ransomware attacks published in July 2022 that “Information sharing is one of the cornerstones of cybersecurity”. The OFSI Guidance states that ransomware victims should report to and cooperate with OFSI, the Information Commissioner’s Office and law enforcement (including Action Fraud and the National Cyber Security Centre) at the earliest opportunity. Additionally, the OFAC Guidance explicitly states that OFAC will consider an appropriate report to law enforcement or other relevant U.S. government agency, such as CISA or Treasury’s Office of Cybersecurity and Critical Infrastructure Protection, to be a voluntary self-disclosure. Consistent with OFAC’s Enforcement Guidelines, voluntary self-disclosure is a significant mitigating factor in any OFAC enforcement action and is “more likely to result in a non-public response (i.e., a No Action Letter or Cautionary Letter).”
- Involve ransomware and legal experts. In a ransomware scenario, companies may also consider hiring a reputable ransomware negotiations firm, or similar, that can perform sanctions screening on potential payees and payment vehicles, and verifies those checks with the company. These experts can support the recovery of stolen data and can also provide helpful insights on the attackers and their likely identity. Additionally, companies might consider involving legal experts and competent authorities to assess risks in relation to corporate, data protection, criminal, and sanctions laws.
Companies will likely continue to face an increase in cybercrime and ransomware attacks. At the same time, regulators have greater compliance and cybersecurity expectations of companies. Taking steps now may not only help a company safeguard against a debilitating ransomware attack, but could also help mitigate against potential sanctions risks and even penalties.