#and thus has been among the people who have been extraordinarily patient with me the last six months
Explore tagged Tumblr posts
Note
everyone "puts up" with you on our dash? My dear you are my highlight!! Whenever I see you on my dash I am happy!!! Like you are such a kind soul? And you are insanely good at writing, GIFs and being kind!!! Smh "put up". I love seeing you!
nonny what if i. cried
#this is really sweet ;u;#thank u so very much i'm glad you're happy <3#i'm suppressing the urge to hide under a rock#ah. ack. nonny this is about my reply to romi right?#romi is one of my rasmr mutuals#and thus has been among the people who have been extraordinarily patient with me the last six months#as i pivot to a wildly different fandom and start spamming long gifsets all over everyone's dash at all hours of the day#so to that extent that's mostly what i mean by. putting up with me. but. [smacks brain with rolled-up newspaper] thank u again :') ilu#rowan asks#nonny#:')
6 notes
·
View notes
Text
https://techspy.com/user/home/billyroy687
Working with a professional massage https://forums.envato.com/u/billyroy687/summary therapist is an increasingly well-liked natural pain relief modality, and several people realize that the healing power of bit could be a great addition to their pain relief plan. Many doctors counsel massage therapy to their patients because it is such an efficient, affordable, and enjoyable natural pain relief method.Relaxation is another nice approach to bring relief into your life and keep additional https://www.newgrounds.com/bbs/topic/1452952#bbspost26508177_post_text comfortable when you experience pain. Meditation, respiratory techniques, and https://pastebin.com/akEc3a5J creative visualization are all common ways that that folks realize peace and luxury once they are experiencing pain. Relaxation could be a straightforward method to offer yourself a great relief whenever you wish it.The tissue develops into painful growths and adhesions, that respond the https://www.ultimate-guitar.com/forum/showthread.php?t=2018363 same method traditional uterus tissue responds during menstrual periods--it breaks down and bleeds. But, this blood has no exit points, https://quomon.com/Question/Preview/3271947 thus inflammation happens, therefore leading to pain. Therefore, many ladies constantly obtain solutions to endometriosis pain relief because the condition is extraordinarily painful.Hormonal Therapy. Hormonal therapy has proven time and time once more to be a very successful option for endometriosis pain relief. Completely different hormones can be used, like oral contraceptives https://www.tapatalk.com/groups/flexamove/index.php (estrogen and progesterone together), Gonadotropin-releasing hormones https://techspy.com/user/home/billyroy687 (GnRH analogs), progesterone medicine, and danazol (a weak male hormone Surgery. In some severe cases, surgery could be necessary so as to receive endometriosis pain relief. Conservative surgery choices can remove growths ensuing in endometriosis pain relief; however, for ladies who experience debilitating pain, radical surgery could be needed. A hysterectomy will take away http://tupalo.com/en/users/2348098 endometriosis-ridden ovaries to finally offer endometriosis pain relief. INVARIABLY get a 2nd and third opinion before https://weheartit.com/entry/345218269?utm_campaign=welcome&utm_medium=email&utm_source=welcome-email you progress forward with this feature.Pain comes in several forms, the most obvious being physical pain, in which someone experiences feelings of discomfort or hurt at intervals the body. Not all physical pain is unhealthy, nor is it necessarily related to illness; ask any https://allfungames.com/user/billyroy687/ lady who has been through the birthing method, or a kid proudly showing off their new tooth. Similarly, the pains felt after you break your arm, Kcut your finger or haul yourself up https://www.bookcrossing.com/forum/14/568590 and about after doing two hundred sit-ups the day gone by are all traditional and healthy messages. Your body in its automatic self-preservation mode is alerting you to the very fact that it's experienced trauma - just in case you hadn't noticed!However, some physical pain can become chronic. Chronic pain is pain that continues day in, trip, while not any signs that the matter is resolving itself! https://www.buzzfeed.com/billyroy687/harga-flexamove-7pvpikavv Do you recognize what I'm referring to? It might have at its roots a long-term https://www.colourlovers.com/lover/billyroy687 or presently incurable illness, or may have been caused by injury or perhaps a former operation. Some chronic pain may not even have a plain supply; however its existence is keenly felt.Individuals who live with chronic pain will usually testify that it affects their quality of life. It will physically forestall them from being able to participate in various activities of traditional life, that then often results https://www.dead.net/member/billyroy687 in feelings of helplessness or maybe depression. For a few, there seems to be no https://www.behance.net/billyroy escape from the endless state of pain.If the feelings I have just described sound acquainted as a sufferer of chronic pain, I am certain that you would welcome any reasonable solution to assist alleviate - and potentially remove - your symptoms. Some sufferers are willing to try any manner of pills, remedies https://www.bloglovin.com/@billyroy8 and therapies in the hope of finding relief. They typically flip to medication or even surgery in their quest for Jchronic pain management, however https://www.couchsurfing.com/people/billyroy687 somewhere within the subconscious mind, the pain is still terribly real. It's clear that an alternate method of chronic pain management is needed.I suggest that you think about pain relief hypnotherapy. It's been clinically documented that pain relief hypnosis works. In an exceedingly report printed in 2001, The British Psychological Society found that "...hypnotic procedures are effective within the https://www.daniweb.com/members/1185893/billyroy687 management and relief of each acute and chronic Jpain and in helping in the https://www.goodreads.com/topic/show/21502003-harga-flexamove alleviation of pain, discomfort and distress because of medical and dental procedures and childbirth".While not obtaining too anatomical, let me explain that pain signals are sent via your nerves through your body and into your brain. As a pain relief hypnotherapist, I utilise the techniques of Hypnosis and NLP to change the approach in that those pain signals are processed by the brain. As https://www.instapaper.com/u/1 an outcome, the pain you perceive or feel will either be greatly Jreduced or controlled. How is this attainable? https://in.pinterest.com/billyroy787/ Put simply, when you're in a relaxed state, your body is calmer - and when your body is calmer, the pain you feel is lessened.Pain relief hypnosis offers a distraction from the pain you're feeling by allowing you to experience an altered outlook. It is a terribly natural and non-invasive technique https://www.scribd.com/user/515277080/Billy-Roy of healing for each body and mind. There are several edges to undergoing pain relief Jhypnotherapy; perhaps one among https://www.smore.com/u/billyroy?flash=updated the most engaging - alternative than the relief experienced, after all - is that hypnosis offers a healing possibility which is non-medication based mostly and so not habit-forming.Is there pain relief for sciatic nerve pain which is quick, effective and permanent? It depends on how severe your sciatica is - https://www.swellnet.com/forums/politico/495861 there are of course, painkillers, gentle exercise of the correct kind, anti-inflammatory medicine and surgery. Fortunately, not all sciatica issues want to https://discussions.viki.com/u/billyroy687_195/activity be cured with invasive procedures; generally, painkillers together with some exercise will bring relief to most sufferers. Aspirin and ibuprofen are sensible for mild cases of sciatica and these are available over-the-counter. Your doctor might prescribe one amongst the non-steroidal anti-inflammatory drugs (NSAID) which will be very effective pain relief for sciatica pain, https://www.edocr.com/user/billyroy687 but, if the pain continues, you may require stronger drugs, like those with codeine. These are available only by https://www.mmo-champion.com/members/1477077-billyroy687 prescription and, as codeine could be a narcotic, there's continuously the danger of dependency.Some doctors suggest taking muscle-relaxing drugs for sciatica pain. The pain you are suffering may be the results of your piriformis muscle tightening up and compressing the sciatic nerve which runs through it and a muscle relaxant can bring https://www.hoobly.com/p/RfiXu real pain relief for sciatica pain sufferers. The downside of relaxants is that they cause https://www.houzz.com/pro/webuser-743473197/harga-flexamove drowsiness, putting you in danger after you drive a automobile.Thus several people suffer from sciatic pain that researchers have studied the consequences https://www.kongregate.com/forums/1-kongregate/topics/1913725-harga-flexamove of exercise as a protracted-term remedy. Provided the exercises are tailored to your particular condition by your doctor or a licensed personal trainer, you may find that they will alleviate the worst symptoms http://www.imfaceplate.com/billyroy687/face and result in a drug-free pain relief for sciatic nerve pain. These exercises are designed to strengthen http://www.kweeper.com/billyroy687/sentence/6526601 your lower back and core muscles which, after all are the muscles that support your spine.However, if of these choices are unsuccessful, surgical intervention might be the answer for you. Typically, herniated discs will be the source of the problem and the remedy could be surgery, in that the herniated disc is removed - the procedure is named "micro-discectomy" https://www.last.fm/user/billyroy687 or micro-decompression and is terribly effective.
0 notes
Text
I see another mountain to climb / but I, I got stamina
My most recent few posts have been about Renaissance Periodization (RP) and the success I’ve had with it. Given that I’m one week from finishing my second (and hopefully final) RP cut, it seems like a good time to summarize the past year, give a quick recap of my time on maintenance, and set myself up for next week’s ‘finish line’.
My first cut started in May 2017, and was a smashing success by pretty much any measure. (Here are the links to the back story, the tipping point, some of the logistics, and the final result in August 2017.) In fact, it was such a success that for a long time, I naïvely thought—or perhaps ‘fervently hoped’ is a better phrase!—that I would be ‘done’, potentially even ready for a muscle gain cycle, right after finishing that first cut. However, the more reading I did, the more I realized that it wasn’t going to work out that way, for two primary reasons. First, because I had (and still have) a lot more work to do on my gymnastics before adding pounds back on—and second, because, although I didn’t get professionally measured, the general consensus among those in the know was that—despite very significant weight loss—my actual body fat percentage likely still wasn’t low enough to take full advantage of a massing cycle. (Ideally, you want to be below 20% before you start, because that’s the zone at which you’ll theoretically achieve the most advantageous muscle-to-fat ratio when gaining.) The combination of those two truths, therefore, put me staring resignedly down the gun barrel of a second cut.
The big question was whether or not I should go ahead and attack Round II over the Thanksgiving/Christmas holidays versus wait to get started until January. The vast majority of people would likely have opted to wait, and there were certainly a host of reasons to do so (starting with maple-bacon Brussels sprouts and ending with peppermint bark). However, I opted to proceed, for the following reasons:
—I ‘felt ready’ mentally and emotionally—which is not a small thing. This is RP’s general take on maintenance, and I was, objectively, back to that mindset—eyeballing my portions, not feeling any particular emotional attachment to food, keeping only a loose eye on the scale, and feeling minimal guilt over cheat meals. (This was, incidentally, one of my biggest takeaways from RP—a dramatically healthier approach to food and eating that had also, somehow, become far more intuitive and ‘easy’ than any nutritional mindset I’d had in the past.)
—With regard to the CrossFit Open (which starts in late February): although I could see a solid argument for both approaches, my gut sense for my particular situation was that it would be more logical to shave off a few more pounds beforehand. Different athletes react differently to cutting (and have different baseline strengths and weaknesses to begin with)—but, based on my first RP experience as well as my specific individual makeup of CrossFit skills, my hope was that if I got the cut out of the way, that the lighter body would lend itself to a bit more continued gymnastics progress than maintenance might have allowed, after which I’d be done in time to have a solid month of training—and properly fueling—at my new maintenance size prior to the Open. (As a rule, the Open tends to lean toward lighter, faster movements rather than super heavy barbells—and although nearly 40 pounds of total weight loss means I’ve inevitably lost some degree of ground on almost every barbell lift in the past year, I still felt as though I’d rather ‘level the playing field’ as much as I could in terms of my skill toolbox.) The alternative approach—spending the holidays on maintenance and cutting in January—would have meant bigger strength regains, but potentially smaller gymnastics progress, and then would also have meant being in a caloric deficit / sub-optimally fueled at a time when I’d want to be able to perform at my best.
—For better or for worse, I’m single, live alone, and don’t have any family nearby. Therefore, I actually have a decent amount of control over my food intake and my social obligations, even at the holidays. I knew I would be home with my family for Christmas, but I also knew, objectively, that two or three days of slightly looser reins wouldn’t ruin twelve weeks of discipline.
—As a bonus, my CrossFit coach had casually planted the (earth-shattering, to me) idea that I could potentially get a muscle-up by the New Year, and I figured that cutting again in Nov-Dec would give me a stronger chance at proving her right! :)
So the decision was made. A holiday cut it would be.
For details on the logistics of RP, or details of my previous cut, it’s easier to refer back to the links above. However, to summarize, I had somehow succeeded in doing things almost exactly right—had cut down to a nadir of 144.6 lb, then (appropriately) regained about 3 lb during maintenance, and had maintained that weight without much effort (or even looking at the scale, really). For informational purposes, I started tracking my daily weights prior to officially starting this second cut, and was comfortably sitting around 147.5 (though my official weekly starting average ended up being 148.5, thanks mostly to the long weekend in NYC that I treated as my ‘last hurrah’ prior to starting—let the record show that if you spend five days hanging out with marathon runners, you will eat well!).
My goals for this cut were: (1) to get my first muscle-up—this was really the primary goal, (2) to get below 20% body fat, thus opening up the potential option of a future muscle gain cycle, and (3) to maintain around 140# after I finished—therefore, the loosest of the goals was to hit a scale number of 136#.
However, I also set one important rule. Aware that I had spent the vast majority of the preceding year in a caloric deficit and that I had knowingly shorted myself slightly on my maintenance phase (ten weeks instead of twelve), I was suspicious that this cut might well be harder than my first. Therefore, I made sure to clearly outline my ‘why’ to myself—and it didn’t take much soul-searching to determine that my most powerful motivator was not a scale number or a clothing size; it was to get the muscle-up. Therefore, I was firm from the very beginning that I would not go past Cut 2 (the second of the three cut phases), even if I did plateau and stop losing weight at that level. The next tab (the most aggressive phase) involves slashing levels of carbohydrates, which would be counterproductive for someone with a primary goal of performance. I’m well aware of the ‘tunnel vision’ that can result when cutting at this level, and nearly every day—sometimes more than once a day—I’ve quietly reminded myself of the larger goal, and the fact that I needed to be okay with gracefully withdrawing from this fight if my body were to show me that it was done.
Those of you with basic mathematical abilities have probably already glanced at the calendar and determined that I did not, in fact, plateau to any kind of significant degree—which still amazes me (my body is such a trooper!). RP recommends calculating a weekly average weight (since there are so many reasons for water fluctuations from day to day), and tweaking the macronutrient approach based on the speed at which that average drops. Although I had to move to the second (more aggressive) tab significantly faster than I did the first time around, and although my rate of loss has definitely slowed down over these past couple of weeks, it hasn’t clearly stopped, so I’m in this for the long haul.
At this point, I have six and a half more days; my DEXA scan is set for Friday the 26th at 11am. It’s purely informational—I will be maintaining for a minimum of six months no matter what the numbers show; I’m well aware that my body, brain, and metabolism have earned a long rest!—but I have to admit, I’m incredibly curious. This has been almost a full year of hard work, and I do hope to see that reflected.
As far as the other two goals, my nadir on the scale thus far (a couple of days ago) was 136.7 lb—which I’m perfectly thrilled with, even if I don’t see that number again in the next six days—and the muscle-up is also tantalizingly close. All the pieces are there—five unbroken strict pull-ups, three strict dips, sharp transitions on the low rings, strong hollow swings on the high rings—and I’ve graduated to performing official muscle-up ‘attempts’; all I have to do now is mentally figure out the right combination of cues that will let me successfully assemble the pieces. I’m creeping a teeny, tiny bit closer each time I try—and, in an odd way, the anticipation is truly part of the fun.
My CrossFit coach (who told me firmly, way back in Week 2, that she wasn’t going to ‘let me’ cut again once these twelve weeks were up!) has been incredibly patient; she is nearly as proud and excited as I am about how much gymnastics progress I’ve made, and at this point, she is of the mindset that the scale no longer matters and that it’s time to focus on “getting STRONGER, not ‘lighter’.” Although I didn’t totally believe her back in the fall, I’m in full agreement now. I truly don’t need or want to be any leaner, either for performance OR aesthetics—which is both an empowering realization and an extraordinarily unfamiliar one—and it well may be that the first few days of maintenance, when I get to start adding slightly more fuel to this smaller body, may be the tipping point that allows the muscle-up to happen. But I’m getting ahead of myself.
There will be another post forthcoming next week, with a lot more detail about the day-to-day grind of these past twelve weeks. As with the first time around, I’ve learned and observed new things just about every single day—and, ‘hanger’ aside, it has been an overall very rewarding road, yet again. But I’ve been putting one foot in front of the other for eleven weeks now, and although I’m so grateful for this experience now that it’s (almost) in the rear view mirror—at this point, I am also admittedly tired, impatient, and ready for some peanut butter.
#RP#RPstrength#goals#progress#nutrition#RPcut#cutting#weightloss#transformation#hardthingsarehard#renaissanceperiodization#crossfit#muscleup#gymnastics#athlete#gym#fit#fitness
0 notes
Text
Healthier and Alternative Methods of Cannabis Consumption
This interesting article has been sent to me by a Canadian citizen on behalf of MMJ Canada.
What you can do to make your Marijuana a healthier choice!
Oh sweet, sweet Cannabis...
Have you been curious about the medicinal benefits of cannabis, but have been held back because of the idea that you must smoke it? Well, you might want to read this!
There are few things so controversial in today’s modern societies other than Marijuana. By far, the most used illicit drug in the world, cannabis has gained quite a reputation for itself over the last few centuries, despite its use over the last few thousand years. For as long as our species can remember, we have probably used marijuana in one way or another. It is only recently that such a negative stigma has been assigned to marijuana, and those who use it. Despite this however, there have been those who have continued to use cannabis not only for recreational purposes as many want to believe, but for medicinal purposes as well.
Today, as we have done for millennia, marijuana is being used as a legitimate medication. In more and more places around the world, the medicinal value of cannabis is being recognized, and used to help improve the lives of individuals across the world. However, despite the advancements in the interest, research, and even legalization of cannabis, many people still have quite a few concerns about marijuana, and especially when it comes to how it is consumed. Smoking and lung cancer have become so closely linked, and for good reason, that many people are losing out on the benefits of cannabis, not understanding that there are alternative methods. Today, we will be exploring the world of healthier, alternative methods to the smoking of cannabis. You might be surprised at what options are out there, and what might be a perfect fit for you!
The Benefits of Cannabis:
Now, before we get too far into this section, it is important to know that this is only going to be a brief overview and introduction as to the possible* medical benefits of cannabis consumption. First of all, let’s go over some facts:
There is no record of anyone over dosing on cannabis, ever; plain and simple.
Marijuana, in one form or another, has been used by us humans for millennia for spiritual, and medical purposes just like many other herbs were used.
Today’s marijuana is a great deal stronger than it was, even a few decades ago.
Preliminary research shows that Marijuana can be extraordinarily beneficial in treating a variety of ailments.
The medical properties of cannabis are difficult to fully gauge because of the lack of large scale testing. “So far, researchers haven't conducted enough large-scale clinical trials that show that the benefits of the marijuana plant (as opposed to its cannabinoid ingredients) outweigh its risks in patients it's meant to treat.”
So, what can we make of all of this? Well, there is a reason that we have been using marijuana for so long, and fight so fervently to legalize and normalize its use. Cannabis can help with chronic pain, various mental disorders, sleep problems, appetite problems, and some research has even shown that cannabis can help fight cancer! Epileptics find a great deal of relief in marijuana, and research even shows that it can help stagnate the opioid epidemic. There are so many benefits that result from the consumption of cannabis (differing in some ways, but all generally the same on the method of consumption).
With all of these benefits, why then is cannabis so controversial? Well, that will depend on who you ask, but in this day and age there really is no reason. Areas with legal cannabis show lower rates of drug, and opiate abuse, as well as crime, and of course the patients who need it can benefit from the medical aspects. Big pharmaceutical companies, along with even the paper, and Tobacco industries want to see anything but cannabis become legal, for that could lead to the decline of their industries. As of 2017, the United States Drug Enforcement Agency, the “Drug Tsar” himself could not answer to the senate why cannabis was still illegal and admitted that more research was required to confirm its medical properties.
With all of these possible benefits, it is no wonder that so many people are turning to cannabis as an alternate to the myriad of medications that they may be on to help them. Cannabis really might be a legitimate option for many people to turn to. Only time will tell what the future holds for the legality of marijuana, but it seems that the patients who use it seem to already know the answer. Many people are turning to cannabis to help them with their medical problems, however many of them are stopped in their tracks if and when they realize that cannabis involves smoking. Or at least, that is the old stereotype. Many people are turned off of Marijuana consumption because of this, and not without reason. But in truth, there are so many healthier, and alternative ways to consume cannabis, that no one need miss out.
Alternative Options:
Since the idea of smoking marijuana, or anything at all really, can be absolutely taboo to some people, and for good reason, just look at the health effects, and thus they rule out cannabis as a medicinal herb all together. Too many people associate cannabis with smoking, that they never even consider what other options are out there. While of course it is understood why many individuals do not want to smoke, or be around it; there are many misconceptions about the cannabis medicinal industry as a whole.
But guess what! Smoking, while still probably the most common form of cannabis consumption, is by far not the only, and is indeed the least healthy for you! There are many other options out there, so many in fact you will probably surprised! Today, we will be going over some of these alternatives, what they are, who they are for, and basically just what they are! Let’s explore the world of medical cannabis!
Alternatives to Smoking:
Now, finally, we will briefly go over many, if not all the alternative ways to consume cannabis! Some of these you have probably heard of, while others will be wholly new!
Capsules: Easily one of the most common and popular choices on this list, possibly do either to its ease of use or quick, and strong acting effects.
Edibles: One of the oldest forms of cannabis consumption aside from actually smoking, strong and fast acting. Often very potent, these are a clear favourite among many users.
Oils: One of the newer players on the scene, this is a form of concentrate, typically of just the CBD or THC, put into an oily substance that can be used for various purposes, including being consumed.
Syringes: Definitely one of the more serious options on this list, and only for those who really need it and have no other options, not for the faint of heart for sure. You can bet this will be one of, if not the strongest option here.
Topicals: Just as you would expect by the name, these specific products are applied to the skin; such as lotions etc. and are for more local issues.
Vaping: Taking the world by storm as an alternative to cigarette smoking, vaping has also made its way into the cannabis world. Vaping cannabis, which can come in a variety of forms all on its own, gives the effects of smoking, but is much easier on one’s lungs.
Gummies: Going along with the edibles, these are typically like the childhood vitamins you are more familiar with, and are used in the same ways.
Concentrates: Again, another umbrella category, concentrates include things like wax and shatter. This is consumed via vaping, or dabbing, and is the purest form of marijuana we have today. Reaching even around 90% THC in some cases.
Tinctures: Again, another older option for this list, as tinctures have been used for various purposes for centuries, cannabis and non-cannabis related. Placed under the tongue, these are great for the elderly or children suffering from various ailments.
Drinks: A new option, made out of syrup made from cannabinoids, you can make soda, coffee, tea, and many other drinks. Fast acting, and strong, this is a great option for many.
Of course there are going to be many pros and cons to each method of usage, and often times it will come down to either physical limitations, or personal preference, so it’s up to you!
Conclusions:
What is now hopefully quite apparent, is that the world of cannabis is so much more than just smoking. While of course that is still the most common, and a large part of the overall marijuana culture, it is by far not the only way to get cannabinoids into your body. If you have been interested in the benefits of cannabinoids, but have been held back by the fear of smoking, well now you have your answers! There is almost something for everyone, and with the sheer variety of choices out there, you are bound to find something that works for you! So get out there, and find it!
automatically copied from Paul Flynn - Read My Day http://ift.tt/2h9Y8Eu (hopefully before Mr Flynn has revised it).
0 notes
Text
Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance
John Stark Reed
Readers undoubtedly are aware of the recent outbreak of ransomware incidents and the problems they present. The threat of ransomware attacks poses a host of issues, among the most significant of which is whether or not ransomware victims should go ahead and make the demanded ransomware payment as the quickest way to try to recover captured systems. In the following blog post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a comprehensive look that problems involved with making payments in response to a ransomware attack. A version of this article originally appeared on CybersecurityDocket.
I would like to thank John for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit an article. Here is John’s guest post.
****************************
In the 2000 American thriller film Proof of Life, the title refers to a phrase commonly used to indicate proof that a kidnap victim is still alive. As an expert negotiator in kidnapping cases, Terry Thorne, played by Russell Crowe, is engaged to bargain for a corporate kidnap victim’s safe return.
The film Proof of Life is not just a compelling narrative – its premise and main character also provide some useful insights into managing the emerging threat of ransomware. Ransomware, a special and more nascent type of malware, prevents or limits users from accessing their data, by locking system screens or user files, unless and until a ransom is paid.
Proof of Life’s screenplay was partly inspired by Thomas Hargrove’s book The Long March to Freedom, which recounts how the release of the once-kidnapped Hargrove was negotiated by Thomas Clayton, the founder of his eponymous kidnap-for-ransom consultancy Clayton Consultants (now part of risk management firm, Triple Canopy).
Just like Clayton Consultants, the team advising a ransomware victim company, whether a hospital or global corporate conglomerate, must employ a thoughtful, careful and methodical protocol to survive the ransomware crisis. Like any hostage situation, when a cyber-attacker locks up critical data files, the logistics and legalities of ransomware refusal, acquiescence or capitulation can be both elaborate and complicated.
To make matters worse, seeking law enforcement help for a ransomware attack unfortunately remains a very limited option. First, law enforcement has become inundated with ransomware reports and lacks the resources and wherewithal to assist victims. Second, most of the ransomware attackers are overseas, where merely obtaining an electronic evidence or interviewing a witness, let alone successful extradition and prosecution, are rarely possible. Finally, ransomware demands are often at monetary levels in the hundreds or thousands of dollars – too small to warrant federal law enforcement consideration while clearly outside of the jurisdiction of local law enforcement.
Thus, it should come as no surprise that a significant number of ransomware victims opt to pay the ransom. When padlocked files are business-critical (e.g. an important intellectual property formula); when encryption cannot be defeated (no matter how good the code-breaker) or when time is of the essence (e.g. when patient data is needed for life-saving surgery), paying the ransom can become the proverbial best worst option. Moreover, the typically de minimus ransomware payment demands (on average, about $679) are more akin to a financial nuisance than a material fiscal line-item, so from a cost-benefit perspective, payment can make the most sense.
Under any circumstance, ransomware has quickly become a novel, multifaceted and emerging risk to all corporate enterprises, and like any other material risk, should be addressed and mitigated in a reasonable, lawful, robust and effective manner.
This article provides guidance on the legal issues, logistical considerations and financial implications when managing ransomware threats, including an exposition of the unique issues which can arise when seeking proof of life and opting to meet the monetary demands of ransomware attacker.
What is Ransomware?
Ransomware is a type of malicious software that infects a computer and restricts users’ access to certain data, systems and/or files until a ransom is paid. Ransomware can come in many forms and iterations and like any other virus or infection, ransomware can evolve and transmogrify to counter cyber-defenses and remediation. Although only a fraction of ransomware attacks are actually reported to federal authorities, the U.S. Department of Justice reports over 4,000 ransomware attacks occur daily.
A ransomware victim company’s files are rarely exfiltrated by a ransomware attacker, rather the attacker encrypts the files so a victim company cannot access them. Then the hacker offers to sell the encryption key to the victim, typically payable in an anonymizing online crypto-currency such as Bitcoin. The usual ransomware demand comes with a deadline — after which time, the ransomware attacker threatens that the key will be destroyed or will expire, rendering the kidnapped files forever inaccessible. In many cases the ransom note that hijacks the victim’s screen is accompanied by a digital clock ominously ticking down the minutes and seconds from 72 hours. When the timer expires, the ransom demand usually goes up or even doubles – or the data is permanently locked and henceforth unrecoverable.
Bitcoin and other convertible crypto-currencies have become the keystone to current ransomware schemes, rendering the transactions practically untraceable and well suited for criminal transactions. Unlike the sequence of events during to a common kidnapping scenario, where the exchange of money arguably places criminals in their most vulnerable position, virtual kidnapping of ransomware actually facilitates anonymity throughout the Bitcoin transaction process.
Ransomware Growth
According to a recent study by IBM, spam emails loaded with ransomware increased 6,000 percent in 2016 compared with 2015, comprising almost 40 percent of all spam messages in 2016. Another report, from cybersecurity firm Symantec, cited 460,000 ransomware attempts in 2016, up 36% from 2015, with the average payment demand ballooning from $294 to $1,077, a 266% increase. Ransomware attacks have grown almost exponentially for several reasons:
The ransomware business model works, with the FBI stating that ransomware is on pace to become a one billion dollar source of income for cybercriminals in 2017;
Ransomware start-up costs are cheap. Ransomware software is readily and easily available – and is extraordinarily inexpensive. Ransomware is available for rent; for purchase or even in kits for building. Indeed, 60 percent of the Internet’s top sites sell ransomware; and
Ransomware schemes are typically successful. One recent study found that 70 percent of business victims paid the hackers to get their data back. Of those who paid, 50 percent paid more than $10,000 and 20 percent paid more than $40,000.
Ransomware attacks target the most vulnerable part of a company’s computer networks: people. The primary attack vector for ransomware is an employee who has clicked on a file or a linked he or she should not have clicked. That employee may be:
An accidental insider (e.g. an inattentive employee infiltrated due to inadvertent behaviors or broken business processes);
A compromised insider (e.g. a targeted employee via social engineering and infiltrated due to malware infections or stolen credentials); or
A malicious insider (e.g. a so-called bad leaver or criminal insider who infiltrate via corporate espionage and sabotage).
Ransomware is sometimes embedded in seemingly legitimate downloads such as software updates or resume files. Fake Adobe Flash updates are a notorious Trojan horse for delivering ransomware because Flash is such a ubiquitous add-on to most Internet browsers. Once inside a network, some ransomware can seed itself to additional computers or other devices via SMS messages or a user’s contact list.
What makes ransomware countermeasures challenging is the evolution of ransomware variants. There has been a tremendous increase in ransomware strains – reaching almost epidemic proportions. Indeed, new ransomware strains are now being created to tap into the mobile user base, which can impact both personal and business information, already dramatically expanding the ransomware threat landscape, diversifying and expanding their platforms, capabilities and techniques in order to accrue more targets.
Per recent reports, in the third quarter of 2011, about 60,000 new variants of ransomware were detected. That number doubled to over 200,000 in 2012; quadrupling to over 700,000 variants from 2014, to the first quarter of 2015. In the first quarter of 2016, security firm Kaspersky Lab revealed 2,900 new “modifications” of existing ransomware, a 14% increase from the last quarter, and a 30% increase from the previous quarter.
As the Internet of Things begins to establish a foothold in daily life, ransomware growth seems poised to become more severe and more widespread. Market forecaster Gartner expects 6.4 billion connected devices will surround us in the home and workplace this year, a $30 billion market by the year 2020. This growing network of Internet-connected household devices, from Samsung refrigerators to Nest thermostats, will undoubtedly render individuals and corporations increasingly vulnerable to ransomware attacks.
Recent Ransomware Attacks
While ransomware has beleaguered victim companies for much of the last decade, a recent global spate of ransomware attacks has prompted intense media coverage and worldwide apprehension and concern.
For instance, in April 2017, a ransomware group known as Shadow Brokers coopted a ransomware exploit (nicknamed Eternal Blue) from the U.S. National Security Agency, and took advantage of a Windows vulnerability, targeting a wave of hospitals. The ransomware extortion demands impacted more than just corporate operations and secrets; suddenly, a cyber-attack impacted the lives of sick hospital patients, prompting an almost international hysteria.
The vulnerability, patchable for new Microsoft systems but not necessarily for older systems upon which many hospitals were running, was dubbed “WannaCry” or “WannaCrypt” ransomware, and according to Europol, claimed over 200,000 victims in over 150 countries.
Similarly, in late June 2017, another strain of ransomware hit at least six countries, including and primarily Ukraine, where it was blamed for a large and coordinated attack on key parts of the nation’s infrastructure, from government agencies and electric grids to stores and banks. According to Microsoft, this outbreak, referred to as NotPetya – aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya and Diskcoder.C – resulted in “a less widespread attack” than WannaCry, aka WannaCrypt.
As a result of NotPetya ransomware, A.T.M.’s in the Ukraine apparently stopped working; workers were forced to manually monitor radiation at the old Chernobyl nuclear plant when their computers failed; and data security personnel at companies around the world — from Maersk, the Danish shipping conglomerate, to Merck, the drug giant in the United States — were reportedly scrambling to respond. Even an Australian factory for the chocolate giant Cadbury was affected.
Though more sophisticated than WannaCry and employing the same Eternal Blue server message block exploit, NotPetya’s global impact was reportedly blunted by its own limited attack capabilities (e.g. by a default setting, the infected system reboots after 60 minutes, and the malware does not persist after the reboot). “This means that the threat can only do lateral movement and exploitation of other machines during this limited time,” Microsoft says. “This reduced the reach of the attack.”
Law Enforcement and Ransomware: The Official View
The official line from federal law enforcement with respect to Ransomware is: Report the Incident and Don’t Pay. Specifically, the FBI warns:
“The FBI doesn’t support paying a ransom in response to a ransomware attack . . . Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. [B]y paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
The FBI also warns that paying ransomware does not guarantee that a victim company will obtain from the attacker a working key to rescue their data. The FBI is aware of cases where either the attackers fail to hand over the correct decryption key or are unwilling to comply with the original ransomware demands after payment is received. According to Trend Micro research, nearly 33 percent of firms that pay the ransom when attacked by ransomware fail to get their data back. The FBI also urges ransomware victims to report ransomware attacks immediately and seek help from the FBI in handling the situation.
Along similar lines, during an emergency meeting to address the WannaCry ransomware attacks, Tom Bossert, Homeland Security Advisor to President Donald Trump, discussed the perils of ransomware payment, and warned that victims could still lose access to files even after making a payment:
“Well, the U.S. government doesn’t make a recommendation on paying ransom, but I would provide a strong caution. You’re dealing with people who are obviously not scrupulous, so making a payment does not mean you are going to get your data back.”
Law Enforcement and Ransomware: The Unofficial View
In some public settings, the FBI has warned that, without paying a ransom, victim companies may not be able to unlock their kidnapped data from ransomware attackers who use Cryptolocker, Cryptowall and other potent malware strains.
“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office. “To be honest, we often advise people to just pay the ransom . . . The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom.”
Indeed, the Ponemon Institute reported in a 2016 study that 48% of businesses victimized by ransomware paid the ransom (average ransomware payment being $2,500), while a similar IBM Security study found that 70 percent of business victims paid the ransom during that same period.
Even some law enforcement officials themselves have decided to cut their losses by paying off the purveyors of ransomware. For instance, in the Massachusetts townships of Tewksbury and Swansea, ransomware attackers made off with $500 and $750 bounties, respectively. Elsewhere, police departments in the Chicago suburbs of Midlothian and Dickson County, Tenn., also paid ransom amounts to ransomware attackers. That even law enforcement officials have opted to cut their losses by succumbing to, and paying off, ransomware attackers demonstrates how oddly commonplace ransomware payments have become.
Counsel as Quarterback for Ransomware Response
Ransomware is a crime, has significant regulatory implications and can involve important legal responsibilities and liabilities. At a minimum, ransomware schemes run afoul of the federal computer crime statute, 18 U.S.C. § 1030, and particularly subsection (a)(7), which forbids hacking intended to extort something of value from the victim.
Above all else, the legal ramifications of any ransomware incident or failure can be calamitous for any public or private company. Even the most traditional realms of IT dominion such as exfiltration analysis, malware reverse engineering, digital forensics, logging review and most technological remediation measures are rife with legal and compliance issues and a myriad of potential conflicts.
For instance, after a cybersecurity incident such as a ransomware attack, law enforcement, regulators, vendors, partners, insurers, customers and others may:
Request forensic images of impacted systems;
Demand copies of indicators of compromise;
Mandate that their own auditors or examiners visit sites of infiltration and conduct their own audit and investigation;
Want to participate in remediation planning;
Seek interviews and interactions with IT personnel;
Require briefings from a victim company’s forensic experts and data security engineers; or
Ask to attach a recording appliance to a victim company’s network in hope of capturing traces of attacker activity, should an attacker return.
These requests raise a host of legal issues, including how exactly to respond to each request and whether any response would violate the privacy of customers; be at odds with commercial agreements; result in a waiver of the attorney-client or work product privileges; or have any other legal/compliance consequences.
Because so many incident response issues are critical to the very survival of a company, who else but the GC can oversee and direct investigative workflow, commanding the investigation and remediation for the C-suite, sharing with senior management the ultimate responsibility for key decisions, while having the responsibility and duty of reporting to the company’s board.
Ransomware and the Attorney-Client Privilege
Attorney involvement, awareness, leadership, and direction are not the only essentials for managing the quagmire of legal issues arising during a ransomware response. GC involvement also triggers the protections afforded by the attorney-client and work product privileges, a critical component in the response to data security incidents.
The involvement and direction of counsel in the context of any investigation will presumably apply to the work product produced not only directly by the legal team members but also by the outside advisors, including the digital forensic investigators engaged by internal or outside counsel.
This is standard practice in the context of any other type of investigation – a cyber incident is no different. There is nothing nefarious or extraordinary about this approach, it is a time-honored and tested standard operating procedure. The involvement of counsel establishes a single point of coordination and a designated information collection point.
Counsel as quarterback of ransomware response also enhances visibility into the facts, improves the ability to pursue appropriate leads and, most importantly, ensures the accuracy and completeness of information before it is communicated to external audiences. Otherwise, incomplete and/or inaccurate information could be released, only to have to later be corrected or even retracted.
Ransomware Notification Requirements
Although typically involving locking up data (rather than accessing, targeting or exfiltrating data), a ransomware attack could still be deemed the type of data security incident which triggers a legal notification requirement, including notice to:
State regulators (per state privacy statutes, rules and regulations);
Shareholders (per SEC disclosure obligations);
Vendors, partners and other entities (Many companies now incorporate rigorous cybersecurity notification requirements into their contracts, which can trigger when a victim company experiences a ransomware attack.);
Insurance carriers (especially if a victim company plans to make an insurance claim, relating to the ransomware attack);
Customers (when the data of a customer, such as a hospital patient, is impacted by a ransomware attack, a victim company may have very specific legal obligations to notify that customer); and
Any other constituency who may have a vested interest in a victim-company.
With respect to state regulatory notifications there is some grey area worthy of mention. In the United States, 52 jurisdictions (including 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands) have enacted some version of a data breach notification law. Under these laws, notification may be required for any customer whose personally identifiable information (PII) was acquired or accessed, or reasonably likely to have been acquired or accessed. While most states require some form of notice to their residents of a data breach, depending on applicable legal standards, some states also require notification to public agencies, such as the state attorney general.
The threshold issue is a technological one – probably best determined by a digital forensics expert and couched in legal terms. For instance, if the data is encrypted or otherwise “locked” through an automated process, companies could argue that the data was never accessed by an unauthorized party, which is the standard that typically triggers state breach notification laws.
On the other hand, though the mere encryption of data may not trigger the notification rules, the viewing, copying, relocating and altering of information can. Digital forensics and malware reverse engineering can provide some clue with respect to the impact of a ransomware attack and help assess some of the lesser state thresholds (such as in states like Connecticut, Florida, Kansas, Louisiana and New Jersey) where the definition of a breach also includes accessing of protected health information.
With respect to some of the more onerous and specific federal notification rules, such as under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), digital forensics analysis can also provide critical information relating to disclosure requirements. For instance, HHS rules generally state that hospitals need only report attacks that result in the exposure of private medical or financial information, such as malware that steals data. Whether ransomware’s data encryption crosses that legal threshold can be challenging to determine, which is why ransomware attacks and other data security incidents at health care organizations often go unreported.
In addition, under the new EU General Data Protection Regulation, effective May 25, 2018, there is a requirement to notify the supervisory authorities without undue delay (no later than 72 hours) after becoming aware of a data breach, unless it is unlikely to cause a risk to the affected individuals. The fines for violating this regulation are significant—up to 4% of global annual turnover or €20 million (whichever is the higher), so any late notification will need to be justified.
Ransomware Investigative Tactics
While determining the bona fides of a ransomware strain is always challenging, an experienced digital forensic examiner can find some answers by searching for some of the more typical cyber-indicators. Ransomware malware is characteristically a type of tool, which is not only known to most professionals, but may even be readily available for purchase online. If the name and modus operandi of the ransomware is new or otherwise unknown, rather than a victim firm being “patient zero,” the ransomware may turn out to be bogus.
Digital forensic experts can also research the Bitcoin payment address; the malware message; any relevant phishing emails; and any other of the ransomware’s characteristics in data security research forums and internal archives, to analyze recent commentary about the ransomware and test its efficacy and validity.
There are also a range of digital forensics tests to initiate upon an infected file to assess a ransomware strain’s actual efficacy. For instance, one simple test is to return the file name to its original form. Real ransomware changes the file extension of encrypted files. The Ransomware files may not be encrypted but just renamed to provide the illusion of encryption to cajole a ransom payment. A digital forensics expert can also investigate the severity of the attack; reverse-engineer the malware that has taken control of victim data; and attempt a full-fledged data recovery.
Ransomware Payment
In cases where a particular ransomware attack cannot be fully mitigated, an experienced digital forensics firm can broker and validate a solution that minimizes the cost of recovery and prevents further extortion from the attacker.
Paying off the ransomware attackers typically entails: 1) sending the secret ransomware key file now stored on the victim’s computer; 2) uploading that file (or data string) to the attackers together with a Bitcoin payment; and 3) awaiting a decryption key or a tool a victim can use to undo the encryption on the victim company files. This is a complex and challenging process.
First off, a digital forensics firm can help a ransomware victim navigate the maze of setting up an account to handle Bitcoin, getting it funded, and figuring out how to pay other people with it. A digital forensics examiner may even be able to construct a payment scheme where rendering ransomware payments is conditional. By using cryptocurrency features to ensure that ransomware attackers cannot receive their payment unless they deliver a key, there can exist some added level of security and reliability upon the transaction. One ransomware response expert, notes:
“ . . A ransomware developer could easily perform payment via a smart contract script (in a system like Ethereum) that guarantees the following property. This payment will be delivered to the ransomware operator if and only if the ransomware author unlocks it — by posting the ransomware decryption key to the same blockchain.”
Ransomware attackers may portray the entire ransomware payment process as more akin to an ordinary business transaction than an international extortion scheme. In fact, some recent ransomware attackers purportedly even offer a victim company a discount if the victim company transmits the infection to other companies, just like referral programs of Uber or Lyft.
However, while a ransomware payment process may seem straightforward and rudimentary, the reality is far more complicated and rife with challenges. No ransomware payment process can guarantee that the ransomware attacker will provide a decryption key. The ransomware scheme may be nothing more than a social engineering ruse, more like an old fashioned Nigerian Internet scam than a malware infection – and the payment could end up being all for naught.
Indeed, ransomware attackers may no longer have the encryption key or may just opt to take a ransom payment, infect a company’s system, and flee the crime scene entirely. Not only is the system of paying in untraceable Bitcoin risky, but the transaction in its entirety is so risky, it hardly seems palatable. Nonetheless, the number of victim companies that pay ransomware demands continues to grow at an alarming rate.
The Legalities of Ransomware Payment
Though the FBI has hinted at the possible illegality of paying a ransomware demand, the FBI has never specifically stated that the payer could actually be charged with a crime. It would seem rather obvious that with respect to any criminal statute, actions taken under duress do not ordinarily constitute a crime. Moreover, the ransomware attacker possesses the criminal intent, not the victim who agrees to pay. However, there is little specific legal authority on the subject of payment and negotiation with ransomware attackers, so the legalities of payment are worthy of some analysis.
In general, legal commentary and case law regarding ransom payments is limited. However, in a germane 2011 British case, Masefield AG v Amlin Corporate Member Ltd (The Bunga Melati Dua), relating to maritime piracy and ransom demands for safe return of the vessel and crew, the court faced a somewhat analogous scenario. Specifically, the British Court of Appeal held that there was no general public policy argument against paying ransoms, stating that:
“…there is no universal morality against the payment of ransom, the act not of the aggressor but of the victim of piratical threats, performed in order to save property and the liberty or life of hostages. There is no evidence before the court of such payments being illegal anywhere in the world. This is despite the realization that the payment of ransom, whatever it might achieve in terms of the rescue of hostages and property, itself encourages the incidence of piracy for the purposes of exacting more ransoms. (Perhaps it should be said that the pirates are not classified as terrorists. It may be that the position with regard to terrorists is different).”
Though addressing hostage ransoms, and not ransomware, former President Barak Obama provided a similar message in his Statement by the President on the U.S. Government’s Hostage Policy Review (June 24, 2015):
“I firmly believe that the United States government paying ransom to terrorists’ risks endangering more Americans and funding the very terrorism that we’re trying to stop. And so I firmly believe that our policy ultimately puts fewer Americans at risk. At the same time, we are clarifying that our policy does not prevent communication with hostage-takers — by our government, the families of hostages, or third parties who help these families . . . In particular, I want to point out that no family of an American hostage has ever been prosecuted for paying a ransom for the return of their loved ones. The last thing that we should ever do is to add to a family’s pain with threats like that.”
Ransomware and the FCPA
The Foreign Corrupt Practices Act of 1977 (FCPA) prohibits payments to foreign government officials to assist in obtaining or retaining business or directing business to any person. Laws such as the FCPA reflect an alternative approach to deterring bribes, by penalizing those on the payment side of the transaction.
Specifically, the FCPA prohibits giving something of value for the purpose of: “(i) influencing any act or decision of [a] foreign official in his official capacity, (ii) inducing such foreign official to do or omit any act in violation of the lawful duty of such official, or (iii) securing any improper advantage … to obtain or retain business for or with … any person.” The law provides an affirmative defense for payments that are “lawful under the written laws and regulations” of the country.
Given the FCPA threshold requirement that a payment must be made to assist in obtaining or retaining business for the individual or company or directing that business to another person, a ransomware scenario does not appear to trigger the FCPA.
However, FCPA’s enforcement can provide a useful analogy when considering the legalities of paying a ransomware demand. U.S. companies often face extortionate demands from foreign police, bureaucrats, and regulators, who threaten to hold, expel, or even harm employees if ransoms are not paid. And there have always been questions whether those involuntary payments can violate the FCPA. The DOJ-SEC Guidance on FCPA addresses this issue, stating:
“Does the FCPA Apply to Cases of Extortion or Duress? Situations involving extortion or duress will not give rise to FCPA liability because a payment made in response to true extortionate demands under imminent threat of physical harm cannot be said to have been made with corrupt intent or for the purpose of obtaining or retaining business.”
This notion, that under FCPA an individual is not guilty of a criminal offense when forced to do so by duress or extortion, is confirmed in United States v. Kozeny, 582 F.Supp.2d 535, 540 (S.D.N.Y. 2008). Specifically, in the Kozeny decision, the United States District Court for the Southern District of New York ruled that extortion or duress under the threat of imminent physical harm would excuses the conduct (essentially negating a corrupt intent), stating:
“ . . . while the FCPA would apply to a situation in which a “payment [is] demanded on the part of a government official as a price for gaining entry into a market or to obtain a contract,” it would not apply to one in which payment is made to an official “to keep an oil rig from being dynamited,” an example of “true extortion.” The reason is that in the former situation, the bribe payer cannot argue that he lacked the intent to bribe the official because he made the “conscious decision” to pay the official. In other words, in the first example, the payer could have turned his back and walked away—in the latter example, he could not.”
Whether the “economic duress” of a typical ransomware attack would rise to the level of “true extortion” as described in the Kozeny decision remains untested, and might be viewed as insufficient to excuse conduct from sanctions under the FCPA.
The FCPA could also potentially apply in ransomware scenarios where the cyber-criminal has a known connection to a foreign government. While the concealed identity of cyber-criminals involved in ransomware attacks likely prevents a payer from knowing that a payment violates the FCPA, the issue could still arise when a digital forensic expert identifies a ransomware attacker’s modus operandi to be that of a state sponsored organization (e.g. from Russia, North Korea or Iran).
Foreign Sanctions and Ransomware
Like the FCPA, international sanctions regimes are also designed to prevent payments to certain designated payees, institutions, and countries who are enemies of the U.S, such as terrorists and terrorist organizations. In the United States, the Treasury’s Office of Foreign Asset Controls (OFAC) supervises these programs, such as the Trading with the Enemy Act and the International Emergency Economic Powers Act (IEEPA).
Under these Acts, ransom payments (whether directly or indirectly through an intermediary) to Foreign Terrorist Organizations (FTOs) or Specially Designated Global Terrorists (SDGTs) identified by OFAC, are illegal under U.S. law. Monetary contributions to FTOs are considered material support under 18 U.S.C. 2339B, while transfers to SDGTs are violations of economic sanctions imposed pursuant to the IEEPA.
For example, in a February 2017 cyber-attack against the British National Health System, the attackers appeared to be ISIS and in particular, the Tunisian Falange Team, which posted graphics and pictures decrying at the war in Syria. Whether a similar attack against a U.S. hospital, with a similar evidentiary trail indicating terrorist attribution, would trigger the limitations imposed OFAC is unclear and untested. However, any digital forensic findings of a ransomware attack indicating terrorist attribution or involvement is certainly worthy of consideration when contemplating a ransomware payment.
Ransomware and Conspiracy
Whether a payer of a ransomware demand can be held to have entered into a conspiracy with the ransomware attacker seems unlikely and contrary to the public interest. A conspiracy is an agreement with another that a criminal course of conduct is to be pursued. Ransomware payments do not appear to be the kind of agreements contemplated by conspiracy statutes, but instead are forced arrangements dictated by a ransomware attacker.
However, other profiting and culpable participants in the Bitcoin payment scheme to pay a ransomware attacker might find themselves facing criminal penalties. Anthony Murgio, who recently pled guilty to operating as a money transmitter without a license in 2015, was also charged with violating Title 18 U.S.C., Section 1030(a)(7) and sentenced to 5 ½ years in prison. Federal prosecutors alleged that Murgio and his co-conspirators benefitted from transactions providing victims with Bitcoin to pay off ransomware demands. The Murgio indictment states:
“As part of the unlawful Coin.mx scheme, Anthony P. Murgio, the defendant, and his co-conspirators knowingly processed and profited from numerous Bitcoin transactions conducted on behalf of victims of ransomware schemes…By knowingly permitting ransomware victims to exchange currency for Bitcoins through Coin.mx, Murgio and his co-conspirators facilitated the transfer of ransom proceeds to the malware operators while generating revenue for Coin.mx.”
Unlike a ransomware payer, Murgio was a part of the payment process and clearly facilitated the ransomware transactions with unclean hands – possessing the kind of felonious intent required for money laundering criminal liability. Crypto-currency sellers or exchange operators may be caught up in legal trouble if: they have avoided or neglected reporting requirements or have not registered as a money transmission business (like Murgio), or, if they were criminally complicit with the ransomware attackers.
The distinction seems clear: if a Bitcoin seller actively aided and abetted a ransomware attacker, knowingly profiting from the scheme, the Bitcoin seller could be criminally liable. However, if a digital forensics firm made Bitcoin available to a client and provided technical advice as to how to pay in Bitcoin, then, like Thomas Clayton in Proof of Life, criminal liability seems wholly inappropriate.
Ransomware: To Pay or Not To Pay
For now, it seems that paying ransomware, while obviously risky and empowering/encouraging ransomware attackers, does not appear to break any laws – and even if payment is arguably unlawful, seems unlikely to be prosecuted. Thus, the decision whether to pay or ignore a ransomware demand, seems less of a legal, and more of a practical, determination — almost like a cost-benefit analysis.
The arguments for rendering a ransomware payment include:
Payment is the least costly option;
Payment is in the best interest of stakeholders (e.g. a hospital patient in desperate need of an immediate operation whose records are locked up);
Payment can avoid being fined for losing important data;
Payment means not losing highly confidential information; and
Payment may mean not going public with the data breach.
The arguments against rendering a ransomware payment include:
Payment does not guarantee that the right encryption keys with the proper decryption algorithms will be provided;
Payment further funds additional criminal pursuits of the attacker, enabling a cycle of ransomware crime;
Payment can do damage to a corporate brand;
Payment may not stop the ransomware attacker from returning;
If victims stopped making ransomware payments, the ransomware revenue stream would stop and ransomware attackers would have to move on to perpetrating another scheme; and
Using Bitcoin to pay a ransomware attacker can put organizations at risk. Most victims must buy Bitcoin on entirely unregulated and free-wheeling exchanges that can also be hacked, leaving buyers’ bank account information stored on these exchanges vulnerable.
Ransomware Remediation
There are a slew of basic steps companies should take as preemptive measures to avoid falling prey to ransomware, including backing up systems and employing the latest cybersecurity measures. Other measures include:
Updating operating systems, software patching, antivirus programs and firewalls;
Taking steps to detect and block ransomware through firewalls and intrusion detection monitoring, including setting alerts for anomalous behavior;
Revisiting backup protocols to ensure that a crypto-attack is classified as a potential disaster with appropriate contingency plans;
Enabling popup blockers;
Employing IT professionals or consultants familiar with ransomware, who stays current with evolving iterations and variants; and
Implementing a strong password policy requiring all users to regularly change passwords and require more complex passwords, i.e. mixture of lower and uppercase letters, numbers, and symbols;
Reviewing and auditing all network permissions in your network while updating and deactivating all user accounts regularly, including departing employees;
Rigorous employee education and outreach;
Securing long and short-term backups, stored in a manner detached from a company’s network;
Intense screening of partners and vendors to ensure strong security procedures from associated third parties;
Thoughtfully and securely segmenting sensitive user and corporate data within a corporate network; and
Changing network and Wi-Fi passwords regularly.
Along the same lines, the FBI urges organizations to be vigilant keeping browsers, operating systems and third-party application patch levels up to date, and that antivirus protection is also current. The FBI also suggests companies back up often, lock down access granted to individuals and manage configuration of file systems, directories and network shares appropriately.
By setting snares and “honeypots” for would-be ransomware attackers, companies can go so far as to employ drastic and direct preemptive measures. For example, Deception Technology sets its trademarked HackTraps to misdirect ransomware attackers and prevent them from going deeper into a corporate network and reaching their intended target. These traps can be as simple as a document with a deceiving title that was created exclusively to lure in the cybercriminals.
A digital forensic expert can also help a victim company develop and implement a containment plan to isolate any additional infections and provide strategic recommendations to prevent further ransomware attacks and otherwise mitigate their impact.
It may be hard to believe, but when handled correctly, a customer data compromise or data security incident like a ransomware attack can actually become the kind of successful failure that not only prompts remediation that strengthens technological infrastructure, but also reinforces a firm’s commitment and focus upon its customers, partners and other fiduciaries.
Ransomware and Business Continuity Plans
The critical importance of a business continuity plan in the event of a natural disaster is widely recognized and accepted. Yet, too often, such plans are not evaluated in the context of assessing cybersecurity risks such as ransomware.
Even when an organization’s IT cybersecurity response fully aligns to IT best practices, there are benefits in utilizing or integrating IT’s response into the existing business continuity structure, rather than having two separate response models. Speed and agility are key enablers in ransomware response, and business continuity enables nimble, rapid response limiting financial and reputational impact on the enterprise.
A powerful business continuity plan, which is properly integrated with an incident response plan, contemplates the threat of ransomware and plans for data recovery, such as with specialized back-up data systems that are routinely tested and updated as necessary.
Ransomware and Cyber Insurance
Like any other corporate risk, companies are beginning to realize that the financial, operational and even reputational risks of a ransomware attack can be addressed via a comprehensive and targeted cyber insurance policy. Over 60 insurance companies now offer cyber insurance, many containing specific provisions addressing ransomware. In 2015, ransomware accounted for just over 10% of cyber insurance claims, but in 2016 that figure grew to 25%.
Currently, most cyber insurance policies are modular, which means an organization chooses from a menu of coverage options, such as business interruption, third party liability for privacy breaches and first party coverage for an organization’s own costs to detect, stop, investigate and remediate a network security incident.
Ransomware typically falls under “first party” liabilities as cyber extortion and network interruption. When making a cyber insurance claim for ransomware, a victim company should be prepared to demonstrate that: the ransom has been surrendered under duress; the incident is not a hoax; there was c-suite participation in the ransomware payment decision; the insurance company approved of the ransomware payment plan; and the ransomware attack was reported to law enforcement.
Making an insurance reimbursement claim for a Bitcoin payment is also tricky, even with respect to valuation and execution. Challenges include proving to an insurance company: that a Bitcoin payment was made; that a Bitcoin payment was for a particular amount of U.S. dollars; and that a Bitcoin transaction was documented in an acceptable and verifiable manner.
Thus, a ransomware victim company may have to engage a professional intermediary to pay the attackers, and then seek reimbursement for the fees paid to the digital intermediary. Otherwise, an insurer might have no way to audit a process involving Bitcoin and therefore refuse to recompense Bitcoin payments. Cyber insurance might also not cover the full amount of the ransomware or may have in place a high deductible amount (for large organizations the deductible could be $500,000 or as high as $5 million).
Without a specific ransomware cyber insurance policy, a victim company would have to look to the breadth of their professional liability and other insurance policies, which can give rise to ambiguities and disputes. For example, the presence of any sort of terrorism exclusion can become problematic. For instance, insurance policies may have “acts of foreign enemies” or “government acts” exclusions that can limit reimbursement if the ransomware was distributed by cyber-attackers tied to a foreign government;
In addition, whether a ransomware victim company must show “physical damage” can also become an issue. In the typical ransomware scenario, a victim company’s data is not actually damaged but is rather, “locked.” An insurance company may argue that like other cyber-attacks, where a victim’s data was accessed, but not otherwise disturbed, altered or exfiltrated, then the victim has no insurance claim; and
Some companies who do not have cyber insurance, may turn to their kidnap insurance for coverage relating to ransomware attacks. Kidnap policies, known as K&R coverage, are typically used by multinational companies looking to protect their staff in areas of danger, such as where violence related to oil and mining operations is common (like parts of Africa and Latin America).
K&R policies, which typically do not have deductibles, can cover the ransom payments as well as crisis response services, including getting in touch with criminal and regulatory authorities. Whether K&R coverage, which was not designed for ransomware, will cover ransomware costs and expenses will always be a matter of the specific policies involved.
To get the most out of cyber coverage for ransomware attacks, companies should work closely with their brokers, their insurers, their outside counsel and their own internal experts and executives to fully understand their particular ransomware risks. For now, the most effective cyber insurance policies are bespoke, and given the rapidly evolving nature of cyber-attacks, will continue to require custom-tailored fitting for quite some time.
Just like other kinds of insurance, ransomware coverage by itself will rarely be enough to make a company whole after a cyber-attack, but it can provide critical financial resources. Moreover, when coupled with a thoughtful and diligent incident response, a sound ransomware insurance policy can send a powerful message of strong business acumen; fierce customer dedication; and steadfast corporate governance, demonstrating profound expertise to the marketplace, shareholders, regulators and the many other interested corporate stakeholders.
Final Thoughts
When confronted with a ransomware attack, the options all seem bleak. Pay the hackers – and the victim may not only prompt future attacks, but there is also no guarantee that the hackers will restore a victim’s dataset. Ignore the hackers – and the victim may incur significant financial damage or even find themselves out of business. The only guarantees during a ransomware attack are the fear, uncertainty and dread inevitably experienced by the victim.
Even under the best-case scenario, where a victim has maintained archives and can keep their business alive, the victim companies will incur significant remedial costs, business disruptions and exhaustive management drag. Moreover, having a back-up storage solution in place is not always ideal; not only can outside storage of data create additional cybersecurity risks, but sometimes data archives are more like the proverbial roach motel, where data checks in but it can’t check out.
No doubt that the ease, anonymity and speed of crypto-currency payments such as Bitcoin, has revolutionized the ransomware industry, prompting its extraordinary growth. Bitcoin not only makes it simpler to remain anonymous, but also enables a nameless payment mechanism where the extorted funds can be immediately transferred into criminal hands.
Transactions in crypto-currencies like Bitcoin lack a discernable audit trail and operate outside of regulated financial networks and are alarmingly unregulated. There is no central issuer of Bitcoins, nor a Federal Reserve of Bitcoins monitoring and tracking transactions or controlling their value. In short, government surveillance and regulation of cryptocurrency is virtually nonexistent (no pun intended) and so long as crypto-currency payment schemes exist, ransomware attacks and iterations will likely continue to thrive.
Though too early to tell, there may emerge some form of Bitcoin regulation via Executive Order No. 13,694 (April, 2015), which expands sanctions to include “blocking” the property of persons engaging in “Significant Malicious Cyber-Enabled Activities.” The order declares a “national emergency” to deal with cyber-enabled threats and extends to the assets of those who “have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any [malicious cyber-enabled activities].”
Given that ransomware Bitcoin payments are made to cyber criminals, per Executive Order 13,694, the U.S. Secretary of the Treasury, the U.S. Attorney General and/or the U.S. Secretary of State could freeze or “block” assets of any participant in the Bitcoin financial chain. Such dramatic government intervention could discourage the purveyors of ransomware attacks, who depend upon Bitcoin for receiving payments.
The government could also take additional steps to combat ransomware such as:
Providing financial incentives for private investment in ransomware prevention and remediation technologies;
Speaking more boldly discouraging ransomware payments that monetize crime, perhaps via the Financial Crimes Enforcement Network (FinCen) or via a task force of state and federal law enforcement agencies; or
Creating new legal penalties for ransomware payments in a manner similar to the FCPA, rendering the option of paying ransom costlier, thus nudging firms toward choosing greater security.
But these government measures are theoretical and even if implemented, might still not sojourn the dramatic growth of ransomware. The reality is that when it comes to ransomware attacks, the government seems idle and relatively powerless, which means ransomware victims are unfortunately on their own. So what should companies do to manage the increasing risk of the current ransomware crime wave?
As would probably be preached by Thomas Clayton (or Russell Crowe), companies struggling with ransomware threats should apply the same lessons to ransomware protection that Clayton uses for employee protection: Be prepared (e.g. deploy back-ups and the like); Be thoughtful (e.g. use professionals to implement preemptive measures and help handle the response); and Be vigilant (e.g. never underestimate the impact of ransomware and never take the threat lightly).
John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of, “The Cybersecurity Due Diligence Handbook,” available as an eBook on Amazon, iBooks and other booksellers.
The post Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance appeared first on The D&O Diary.
Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance published first on http://ift.tt/2kTPCwo
0 notes
Text
Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance
John Stark Reed
Readers undoubtedly are aware of the recent outbreak of ransomware incidents and the problems they present. The threat of ransomware attacks poses a host of issues, among the most significant of which is whether or not ransomware victims should go ahead and make the demanded ransomware payment as the quickest way to try to recover captured systems. In the following blog post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a comprehensive look that problems involved with making payments in response to a ransomware attack. A version of this article originally appeared on CybersecurityDocket.
I would like to thank John for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit an article. Here is John’s guest post.
****************************
In the 2000 American thriller film Proof of Life, the title refers to a phrase commonly used to indicate proof that a kidnap victim is still alive. As an expert negotiator in kidnapping cases, Terry Thorne, played by Russell Crowe, is engaged to bargain for a corporate kidnap victim’s safe return.
The film Proof of Life is not just a compelling narrative – its premise and main character also provide some useful insights into managing the emerging threat of ransomware. Ransomware, a special and more nascent type of malware, prevents or limits users from accessing their data, by locking system screens or user files, unless and until a ransom is paid.
Proof of Life’s screenplay was partly inspired by Thomas Hargrove’s book The Long March to Freedom, which recounts how the release of the once-kidnapped Hargrove was negotiated by Thomas Clayton, the founder of his eponymous kidnap-for-ransom consultancy Clayton Consultants (now part of risk management firm, Triple Canopy).
Just like Clayton Consultants, the team advising a ransomware victim company, whether a hospital or global corporate conglomerate, must employ a thoughtful, careful and methodical protocol to survive the ransomware crisis. Like any hostage situation, when a cyber-attacker locks up critical data files, the logistics and legalities of ransomware refusal, acquiescence or capitulation can be both elaborate and complicated.
To make matters worse, seeking law enforcement help for a ransomware attack unfortunately remains a very limited option. First, law enforcement has become inundated with ransomware reports and lacks the resources and wherewithal to assist victims. Second, most of the ransomware attackers are overseas, where merely obtaining an electronic evidence or interviewing a witness, let alone successful extradition and prosecution, are rarely possible. Finally, ransomware demands are often at monetary levels in the hundreds or thousands of dollars – too small to warrant federal law enforcement consideration while clearly outside of the jurisdiction of local law enforcement.
Thus, it should come as no surprise that a significant number of ransomware victims opt to pay the ransom. When padlocked files are business-critical (e.g. an important intellectual property formula); when encryption cannot be defeated (no matter how good the code-breaker) or when time is of the essence (e.g. when patient data is needed for life-saving surgery), paying the ransom can become the proverbial best worst option. Moreover, the typically de minimus ransomware payment demands (on average, about $679) are more akin to a financial nuisance than a material fiscal line-item, so from a cost-benefit perspective, payment can make the most sense.
Under any circumstance, ransomware has quickly become a novel, multifaceted and emerging risk to all corporate enterprises, and like any other material risk, should be addressed and mitigated in a reasonable, lawful, robust and effective manner.
This article provides guidance on the legal issues, logistical considerations and financial implications when managing ransomware threats, including an exposition of the unique issues which can arise when seeking proof of life and opting to meet the monetary demands of ransomware attacker.
What is Ransomware?
Ransomware is a type of malicious software that infects a computer and restricts users’ access to certain data, systems and/or files until a ransom is paid. Ransomware can come in many forms and iterations and like any other virus or infection, ransomware can evolve and transmogrify to counter cyber-defenses and remediation. Although only a fraction of ransomware attacks are actually reported to federal authorities, the U.S. Department of Justice reports over 4,000 ransomware attacks occur daily.
A ransomware victim company’s files are rarely exfiltrated by a ransomware attacker, rather the attacker encrypts the files so a victim company cannot access them. Then the hacker offers to sell the encryption key to the victim, typically payable in an anonymizing online crypto-currency such as Bitcoin. The usual ransomware demand comes with a deadline — after which time, the ransomware attacker threatens that the key will be destroyed or will expire, rendering the kidnapped files forever inaccessible. In many cases the ransom note that hijacks the victim’s screen is accompanied by a digital clock ominously ticking down the minutes and seconds from 72 hours. When the timer expires, the ransom demand usually goes up or even doubles – or the data is permanently locked and henceforth unrecoverable.
Bitcoin and other convertible crypto-currencies have become the keystone to current ransomware schemes, rendering the transactions practically untraceable and well suited for criminal transactions. Unlike the sequence of events during to a common kidnapping scenario, where the exchange of money arguably places criminals in their most vulnerable position, virtual kidnapping of ransomware actually facilitates anonymity throughout the Bitcoin transaction process.
Ransomware Growth
According to a recent study by IBM, spam emails loaded with ransomware increased 6,000 percent in 2016 compared with 2015, comprising almost 40 percent of all spam messages in 2016. Another report, from cybersecurity firm Symantec, cited 460,000 ransomware attempts in 2016, up 36% from 2015, with the average payment demand ballooning from $294 to $1,077, a 266% increase. Ransomware attacks have grown almost exponentially for several reasons:
The ransomware business model works, with the FBI stating that ransomware is on pace to become a one billion dollar source of income for cybercriminals in 2017;
Ransomware start-up costs are cheap. Ransomware software is readily and easily available – and is extraordinarily inexpensive. Ransomware is available for rent; for purchase or even in kits for building. Indeed, 60 percent of the Internet’s top sites sell ransomware; and
Ransomware schemes are typically successful. One recent study found that 70 percent of business victims paid the hackers to get their data back. Of those who paid, 50 percent paid more than $10,000 and 20 percent paid more than $40,000.
Ransomware attacks target the most vulnerable part of a company’s computer networks: people. The primary attack vector for ransomware is an employee who has clicked on a file or a linked he or she should not have clicked. That employee may be:
An accidental insider (e.g. an inattentive employee infiltrated due to inadvertent behaviors or broken business processes);
A compromised insider (e.g. a targeted employee via social engineering and infiltrated due to malware infections or stolen credentials); or
A malicious insider (e.g. a so-called bad leaver or criminal insider who infiltrate via corporate espionage and sabotage).
Ransomware is sometimes embedded in seemingly legitimate downloads such as software updates or resume files. Fake Adobe Flash updates are a notorious Trojan horse for delivering ransomware because Flash is such a ubiquitous add-on to most Internet browsers. Once inside a network, some ransomware can seed itself to additional computers or other devices via SMS messages or a user’s contact list.
What makes ransomware countermeasures challenging is the evolution of ransomware variants. There has been a tremendous increase in ransomware strains – reaching almost epidemic proportions. Indeed, new ransomware strains are now being created to tap into the mobile user base, which can impact both personal and business information, already dramatically expanding the ransomware threat landscape, diversifying and expanding their platforms, capabilities and techniques in order to accrue more targets.
Per recent reports, in the third quarter of 2011, about 60,000 new variants of ransomware were detected. That number doubled to over 200,000 in 2012; quadrupling to over 700,000 variants from 2014, to the first quarter of 2015. In the first quarter of 2016, security firm Kaspersky Lab revealed 2,900 new “modifications” of existing ransomware, a 14% increase from the last quarter, and a 30% increase from the previous quarter.
As the Internet of Things begins to establish a foothold in daily life, ransomware growth seems poised to become more severe and more widespread. Market forecaster Gartner expects 6.4 billion connected devices will surround us in the home and workplace this year, a $30 billion market by the year 2020. This growing network of Internet-connected household devices, from Samsung refrigerators to Nest thermostats, will undoubtedly render individuals and corporations increasingly vulnerable to ransomware attacks.
Recent Ransomware Attacks
While ransomware has beleaguered victim companies for much of the last decade, a recent global spate of ransomware attacks has prompted intense media coverage and worldwide apprehension and concern.
For instance, in April 2017, a ransomware group known as Shadow Brokers coopted a ransomware exploit (nicknamed Eternal Blue) from the U.S. National Security Agency, and took advantage of a Windows vulnerability, targeting a wave of hospitals. The ransomware extortion demands impacted more than just corporate operations and secrets; suddenly, a cyber-attack impacted the lives of sick hospital patients, prompting an almost international hysteria.
The vulnerability, patchable for new Microsoft systems but not necessarily for older systems upon which many hospitals were running, was dubbed “WannaCry” or “WannaCrypt” ransomware, and according to Europol, claimed over 200,000 victims in over 150 countries.
Similarly, in late June 2017, another strain of ransomware hit at least six countries, including and primarily Ukraine, where it was blamed for a large and coordinated attack on key parts of the nation’s infrastructure, from government agencies and electric grids to stores and banks. According to Microsoft, this outbreak, referred to as NotPetya – aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya and Diskcoder.C – resulted in “a less widespread attack” than WannaCry, aka WannaCrypt.
As a result of NotPetya ransomware, A.T.M.’s in the Ukraine apparently stopped working; workers were forced to manually monitor radiation at the old Chernobyl nuclear plant when their computers failed; and data security personnel at companies around the world — from Maersk, the Danish shipping conglomerate, to Merck, the drug giant in the United States — were reportedly scrambling to respond. Even an Australian factory for the chocolate giant Cadbury was affected.
Though more sophisticated than WannaCry and employing the same Eternal Blue server message block exploit, NotPetya’s global impact was reportedly blunted by its own limited attack capabilities (e.g. by a default setting, the infected system reboots after 60 minutes, and the malware does not persist after the reboot). “This means that the threat can only do lateral movement and exploitation of other machines during this limited time,” Microsoft says. “This reduced the reach of the attack.”
Law Enforcement and Ransomware: The Official View
The official line from federal law enforcement with respect to Ransomware is: Report the Incident and Don’t Pay. Specifically, the FBI warns:
“The FBI doesn’t support paying a ransom in response to a ransomware attack . . . Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. [B]y paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
The FBI also warns that paying ransomware does not guarantee that a victim company will obtain from the attacker a working key to rescue their data. The FBI is aware of cases where either the attackers fail to hand over the correct decryption key or are unwilling to comply with the original ransomware demands after payment is received. According to Trend Micro research, nearly 33 percent of firms that pay the ransom when attacked by ransomware fail to get their data back. The FBI also urges ransomware victims to report ransomware attacks immediately and seek help from the FBI in handling the situation.
Along similar lines, during an emergency meeting to address the WannaCry ransomware attacks, Tom Bossert, Homeland Security Advisor to President Donald Trump, discussed the perils of ransomware payment, and warned that victims could still lose access to files even after making a payment:
“Well, the U.S. government doesn’t make a recommendation on paying ransom, but I would provide a strong caution. You’re dealing with people who are obviously not scrupulous, so making a payment does not mean you are going to get your data back.”
Law Enforcement and Ransomware: The Unofficial View
In some public settings, the FBI has warned that, without paying a ransom, victim companies may not be able to unlock their kidnapped data from ransomware attackers who use Cryptolocker, Cryptowall and other potent malware strains.
“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office. “To be honest, we often advise people to just pay the ransom . . . The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom.”
Indeed, the Ponemon Institute reported in a 2016 study that 48% of businesses victimized by ransomware paid the ransom (average ransomware payment being $2,500), while a similar IBM Security study found that 70 percent of business victims paid the ransom during that same period.
Even some law enforcement officials themselves have decided to cut their losses by paying off the purveyors of ransomware. For instance, in the Massachusetts townships of Tewksbury and Swansea, ransomware attackers made off with $500 and $750 bounties, respectively. Elsewhere, police departments in the Chicago suburbs of Midlothian and Dickson County, Tenn., also paid ransom amounts to ransomware attackers. That even law enforcement officials have opted to cut their losses by succumbing to, and paying off, ransomware attackers demonstrates how oddly commonplace ransomware payments have become.
Counsel as Quarterback for Ransomware Response
Ransomware is a crime, has significant regulatory implications and can involve important legal responsibilities and liabilities. At a minimum, ransomware schemes run afoul of the federal computer crime statute, 18 U.S.C. § 1030, and particularly subsection (a)(7), which forbids hacking intended to extort something of value from the victim.
Above all else, the legal ramifications of any ransomware incident or failure can be calamitous for any public or private company. Even the most traditional realms of IT dominion such as exfiltration analysis, malware reverse engineering, digital forensics, logging review and most technological remediation measures are rife with legal and compliance issues and a myriad of potential conflicts.
For instance, after a cybersecurity incident such as a ransomware attack, law enforcement, regulators, vendors, partners, insurers, customers and others may:
Request forensic images of impacted systems;
Demand copies of indicators of compromise;
Mandate that their own auditors or examiners visit sites of infiltration and conduct their own audit and investigation;
Want to participate in remediation planning;
Seek interviews and interactions with IT personnel;
Require briefings from a victim company’s forensic experts and data security engineers; or
Ask to attach a recording appliance to a victim company’s network in hope of capturing traces of attacker activity, should an attacker return.
These requests raise a host of legal issues, including how exactly to respond to each request and whether any response would violate the privacy of customers; be at odds with commercial agreements; result in a waiver of the attorney-client or work product privileges; or have any other legal/compliance consequences.
Because so many incident response issues are critical to the very survival of a company, who else but the GC can oversee and direct investigative workflow, commanding the investigation and remediation for the C-suite, sharing with senior management the ultimate responsibility for key decisions, while having the responsibility and duty of reporting to the company’s board.
Ransomware and the Attorney-Client Privilege
Attorney involvement, awareness, leadership, and direction are not the only essentials for managing the quagmire of legal issues arising during a ransomware response. GC involvement also triggers the protections afforded by the attorney-client and work product privileges, a critical component in the response to data security incidents.
The involvement and direction of counsel in the context of any investigation will presumably apply to the work product produced not only directly by the legal team members but also by the outside advisors, including the digital forensic investigators engaged by internal or outside counsel.
This is standard practice in the context of any other type of investigation – a cyber incident is no different. There is nothing nefarious or extraordinary about this approach, it is a time-honored and tested standard operating procedure. The involvement of counsel establishes a single point of coordination and a designated information collection point.
Counsel as quarterback of ransomware response also enhances visibility into the facts, improves the ability to pursue appropriate leads and, most importantly, ensures the accuracy and completeness of information before it is communicated to external audiences. Otherwise, incomplete and/or inaccurate information could be released, only to have to later be corrected or even retracted.
Ransomware Notification Requirements
Although typically involving locking up data (rather than accessing, targeting or exfiltrating data), a ransomware attack could still be deemed the type of data security incident which triggers a legal notification requirement, including notice to:
State regulators (per state privacy statutes, rules and regulations);
Shareholders (per SEC disclosure obligations);
Vendors, partners and other entities (Many companies now incorporate rigorous cybersecurity notification requirements into their contracts, which can trigger when a victim company experiences a ransomware attack.);
Insurance carriers (especially if a victim company plans to make an insurance claim, relating to the ransomware attack);
Customers (when the data of a customer, such as a hospital patient, is impacted by a ransomware attack, a victim company may have very specific legal obligations to notify that customer); and
Any other constituency who may have a vested interest in a victim-company.
With respect to state regulatory notifications there is some grey area worthy of mention. In the United States, 52 jurisdictions (including 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands) have enacted some version of a data breach notification law. Under these laws, notification may be required for any customer whose personally identifiable information (PII) was acquired or accessed, or reasonably likely to have been acquired or accessed. While most states require some form of notice to their residents of a data breach, depending on applicable legal standards, some states also require notification to public agencies, such as the state attorney general.
The threshold issue is a technological one – probably best determined by a digital forensics expert and couched in legal terms. For instance, if the data is encrypted or otherwise “locked” through an automated process, companies could argue that the data was never accessed by an unauthorized party, which is the standard that typically triggers state breach notification laws.
On the other hand, though the mere encryption of data may not trigger the notification rules, the viewing, copying, relocating and altering of information can. Digital forensics and malware reverse engineering can provide some clue with respect to the impact of a ransomware attack and help assess some of the lesser state thresholds (such as in states like Connecticut, Florida, Kansas, Louisiana and New Jersey) where the definition of a breach also includes accessing of protected health information.
With respect to some of the more onerous and specific federal notification rules, such as under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), digital forensics analysis can also provide critical information relating to disclosure requirements. For instance, HHS rules generally state that hospitals need only report attacks that result in the exposure of private medical or financial information, such as malware that steals data. Whether ransomware’s data encryption crosses that legal threshold can be challenging to determine, which is why ransomware attacks and other data security incidents at health care organizations often go unreported.
In addition, under the new EU General Data Protection Regulation, effective May 25, 2018, there is a requirement to notify the supervisory authorities without undue delay (no later than 72 hours) after becoming aware of a data breach, unless it is unlikely to cause a risk to the affected individuals. The fines for violating this regulation are significant—up to 4% of global annual turnover or €20 million (whichever is the higher), so any late notification will need to be justified.
Ransomware Investigative Tactics
While determining the bona fides of a ransomware strain is always challenging, an experienced digital forensic examiner can find some answers by searching for some of the more typical cyber-indicators. Ransomware malware is characteristically a type of tool, which is not only known to most professionals, but may even be readily available for purchase online. If the name and modus operandi of the ransomware is new or otherwise unknown, rather than a victim firm being “patient zero,” the ransomware may turn out to be bogus.
Digital forensic experts can also research the Bitcoin payment address; the malware message; any relevant phishing emails; and any other of the ransomware’s characteristics in data security research forums and internal archives, to analyze recent commentary about the ransomware and test its efficacy and validity.
There are also a range of digital forensics tests to initiate upon an infected file to assess a ransomware strain’s actual efficacy. For instance, one simple test is to return the file name to its original form. Real ransomware changes the file extension of encrypted files. The Ransomware files may not be encrypted but just renamed to provide the illusion of encryption to cajole a ransom payment. A digital forensics expert can also investigate the severity of the attack; reverse-engineer the malware that has taken control of victim data; and attempt a full-fledged data recovery.
Ransomware Payment
In cases where a particular ransomware attack cannot be fully mitigated, an experienced digital forensics firm can broker and validate a solution that minimizes the cost of recovery and prevents further extortion from the attacker.
Paying off the ransomware attackers typically entails: 1) sending the secret ransomware key file now stored on the victim’s computer; 2) uploading that file (or data string) to the attackers together with a Bitcoin payment; and 3) awaiting a decryption key or a tool a victim can use to undo the encryption on the victim company files. This is a complex and challenging process.
First off, a digital forensics firm can help a ransomware victim navigate the maze of setting up an account to handle Bitcoin, getting it funded, and figuring out how to pay other people with it. A digital forensics examiner may even be able to construct a payment scheme where rendering ransomware payments is conditional. By using cryptocurrency features to ensure that ransomware attackers cannot receive their payment unless they deliver a key, there can exist some added level of security and reliability upon the transaction. One ransomware response expert, notes:
“ . . A ransomware developer could easily perform payment via a smart contract script (in a system like Ethereum) that guarantees the following property. This payment will be delivered to the ransomware operator if and only if the ransomware author unlocks it — by posting the ransomware decryption key to the same blockchain.”
Ransomware attackers may portray the entire ransomware payment process as more akin to an ordinary business transaction than an international extortion scheme. In fact, some recent ransomware attackers purportedly even offer a victim company a discount if the victim company transmits the infection to other companies, just like referral programs of Uber or Lyft.
However, while a ransomware payment process may seem straightforward and rudimentary, the reality is far more complicated and rife with challenges. No ransomware payment process can guarantee that the ransomware attacker will provide a decryption key. The ransomware scheme may be nothing more than a social engineering ruse, more like an old fashioned Nigerian Internet scam than a malware infection – and the payment could end up being all for naught.
Indeed, ransomware attackers may no longer have the encryption key or may just opt to take a ransom payment, infect a company’s system, and flee the crime scene entirely. Not only is the system of paying in untraceable Bitcoin risky, but the transaction in its entirety is so risky, it hardly seems palatable. Nonetheless, the number of victim companies that pay ransomware demands continues to grow at an alarming rate.
The Legalities of Ransomware Payment
Though the FBI has hinted at the possible illegality of paying a ransomware demand, the FBI has never specifically stated that the payer could actually be charged with a crime. It would seem rather obvious that with respect to any criminal statute, actions taken under duress do not ordinarily constitute a crime. Moreover, the ransomware attacker possesses the criminal intent, not the victim who agrees to pay. However, there is little specific legal authority on the subject of payment and negotiation with ransomware attackers, so the legalities of payment are worthy of some analysis.
In general, legal commentary and case law regarding ransom payments is limited. However, in a germane 2011 British case, Masefield AG v Amlin Corporate Member Ltd (The Bunga Melati Dua), relating to maritime piracy and ransom demands for safe return of the vessel and crew, the court faced a somewhat analogous scenario. Specifically, the British Court of Appeal held that there was no general public policy argument against paying ransoms, stating that:
“…there is no universal morality against the payment of ransom, the act not of the aggressor but of the victim of piratical threats, performed in order to save property and the liberty or life of hostages. There is no evidence before the court of such payments being illegal anywhere in the world. This is despite the realization that the payment of ransom, whatever it might achieve in terms of the rescue of hostages and property, itself encourages the incidence of piracy for the purposes of exacting more ransoms. (Perhaps it should be said that the pirates are not classified as terrorists. It may be that the position with regard to terrorists is different).”
Though addressing hostage ransoms, and not ransomware, former President Barak Obama provided a similar message in his Statement by the President on the U.S. Government’s Hostage Policy Review (June 24, 2015):
“I firmly believe that the United States government paying ransom to terrorists’ risks endangering more Americans and funding the very terrorism that we’re trying to stop. And so I firmly believe that our policy ultimately puts fewer Americans at risk. At the same time, we are clarifying that our policy does not prevent communication with hostage-takers — by our government, the families of hostages, or third parties who help these families . . . In particular, I want to point out that no family of an American hostage has ever been prosecuted for paying a ransom for the return of their loved ones. The last thing that we should ever do is to add to a family’s pain with threats like that.”
Ransomware and the FCPA
The Foreign Corrupt Practices Act of 1977 (FCPA) prohibits payments to foreign government officials to assist in obtaining or retaining business or directing business to any person. Laws such as the FCPA reflect an alternative approach to deterring bribes, by penalizing those on the payment side of the transaction.
Specifically, the FCPA prohibits giving something of value for the purpose of: “(i) influencing any act or decision of [a] foreign official in his official capacity, (ii) inducing such foreign official to do or omit any act in violation of the lawful duty of such official, or (iii) securing any improper advantage … to obtain or retain business for or with … any person.” The law provides an affirmative defense for payments that are “lawful under the written laws and regulations” of the country.
Given the FCPA threshold requirement that a payment must be made to assist in obtaining or retaining business for the individual or company or directing that business to another person, a ransomware scenario does not appear to trigger the FCPA.
However, FCPA’s enforcement can provide a useful analogy when considering the legalities of paying a ransomware demand. U.S. companies often face extortionate demands from foreign police, bureaucrats, and regulators, who threaten to hold, expel, or even harm employees if ransoms are not paid. And there have always been questions whether those involuntary payments can violate the FCPA. The DOJ-SEC Guidance on FCPA addresses this issue, stating:
“Does the FCPA Apply to Cases of Extortion or Duress? Situations involving extortion or duress will not give rise to FCPA liability because a payment made in response to true extortionate demands under imminent threat of physical harm cannot be said to have been made with corrupt intent or for the purpose of obtaining or retaining business.”
This notion, that under FCPA an individual is not guilty of a criminal offense when forced to do so by duress or extortion, is confirmed in United States v. Kozeny, 582 F.Supp.2d 535, 540 (S.D.N.Y. 2008). Specifically, in the Kozeny decision, the United States District Court for the Southern District of New York ruled that extortion or duress under the threat of imminent physical harm would excuses the conduct (essentially negating a corrupt intent), stating:
“ . . . while the FCPA would apply to a situation in which a “payment [is] demanded on the part of a government official as a price for gaining entry into a market or to obtain a contract,” it would not apply to one in which payment is made to an official “to keep an oil rig from being dynamited,” an example of “true extortion.” The reason is that in the former situation, the bribe payer cannot argue that he lacked the intent to bribe the official because he made the “conscious decision” to pay the official. In other words, in the first example, the payer could have turned his back and walked away—in the latter example, he could not.”
Whether the “economic duress” of a typical ransomware attack would rise to the level of “true extortion” as described in the Kozeny decision remains untested, and might be viewed as insufficient to excuse conduct from sanctions under the FCPA.
The FCPA could also potentially apply in ransomware scenarios where the cyber-criminal has a known connection to a foreign government. While the concealed identity of cyber-criminals involved in ransomware attacks likely prevents a payer from knowing that a payment violates the FCPA, the issue could still arise when a digital forensic expert identifies a ransomware attacker’s modus operandi to be that of a state sponsored organization (e.g. from Russia, North Korea or Iran).
Foreign Sanctions and Ransomware
Like the FCPA, international sanctions regimes are also designed to prevent payments to certain designated payees, institutions, and countries who are enemies of the U.S, such as terrorists and terrorist organizations. In the United States, the Treasury’s Office of Foreign Asset Controls (OFAC) supervises these programs, such as the Trading with the Enemy Act and the International Emergency Economic Powers Act (IEEPA).
Under these Acts, ransom payments (whether directly or indirectly through an intermediary) to Foreign Terrorist Organizations (FTOs) or Specially Designated Global Terrorists (SDGTs) identified by OFAC, are illegal under U.S. law. Monetary contributions to FTOs are considered material support under 18 U.S.C. 2339B, while transfers to SDGTs are violations of economic sanctions imposed pursuant to the IEEPA.
For example, in a February 2017 cyber-attack against the British National Health System, the attackers appeared to be ISIS and in particular, the Tunisian Falange Team, which posted graphics and pictures decrying at the war in Syria. Whether a similar attack against a U.S. hospital, with a similar evidentiary trail indicating terrorist attribution, would trigger the limitations imposed OFAC is unclear and untested. However, any digital forensic findings of a ransomware attack indicating terrorist attribution or involvement is certainly worthy of consideration when contemplating a ransomware payment.
Ransomware and Conspiracy
Whether a payer of a ransomware demand can be held to have entered into a conspiracy with the ransomware attacker seems unlikely and contrary to the public interest. A conspiracy is an agreement with another that a criminal course of conduct is to be pursued. Ransomware payments do not appear to be the kind of agreements contemplated by conspiracy statutes, but instead are forced arrangements dictated by a ransomware attacker.
However, other profiting and culpable participants in the Bitcoin payment scheme to pay a ransomware attacker might find themselves facing criminal penalties. Anthony Murgio, who recently pled guilty to operating as a money transmitter without a license in 2015, was also charged with violating Title 18 U.S.C., Section 1030(a)(7) and sentenced to 5 ½ years in prison. Federal prosecutors alleged that Murgio and his co-conspirators benefitted from transactions providing victims with Bitcoin to pay off ransomware demands. The Murgio indictment states:
“As part of the unlawful Coin.mx scheme, Anthony P. Murgio, the defendant, and his co-conspirators knowingly processed and profited from numerous Bitcoin transactions conducted on behalf of victims of ransomware schemes…By knowingly permitting ransomware victims to exchange currency for Bitcoins through Coin.mx, Murgio and his co-conspirators facilitated the transfer of ransom proceeds to the malware operators while generating revenue for Coin.mx.”
Unlike a ransomware payer, Murgio was a part of the payment process and clearly facilitated the ransomware transactions with unclean hands – possessing the kind of felonious intent required for money laundering criminal liability. Crypto-currency sellers or exchange operators may be caught up in legal trouble if: they have avoided or neglected reporting requirements or have not registered as a money transmission business (like Murgio), or, if they were criminally complicit with the ransomware attackers.
The distinction seems clear: if a Bitcoin seller actively aided and abetted a ransomware attacker, knowingly profiting from the scheme, the Bitcoin seller could be criminally liable. However, if a digital forensics firm made Bitcoin available to a client and provided technical advice as to how to pay in Bitcoin, then, like Thomas Clayton in Proof of Life, criminal liability seems wholly inappropriate.
Ransomware: To Pay or Not To Pay
For now, it seems that paying ransomware, while obviously risky and empowering/encouraging ransomware attackers, does not appear to break any laws – and even if payment is arguably unlawful, seems unlikely to be prosecuted. Thus, the decision whether to pay or ignore a ransomware demand, seems less of a legal, and more of a practical, determination — almost like a cost-benefit analysis.
The arguments for rendering a ransomware payment include:
Payment is the least costly option;
Payment is in the best interest of stakeholders (e.g. a hospital patient in desperate need of an immediate operation whose records are locked up);
Payment can avoid being fined for losing important data;
Payment means not losing highly confidential information; and
Payment may mean not going public with the data breach.
The arguments against rendering a ransomware payment include:
Payment does not guarantee that the right encryption keys with the proper decryption algorithms will be provided;
Payment further funds additional criminal pursuits of the attacker, enabling a cycle of ransomware crime;
Payment can do damage to a corporate brand;
Payment may not stop the ransomware attacker from returning;
If victims stopped making ransomware payments, the ransomware revenue stream would stop and ransomware attackers would have to move on to perpetrating another scheme; and
Using Bitcoin to pay a ransomware attacker can put organizations at risk. Most victims must buy Bitcoin on entirely unregulated and free-wheeling exchanges that can also be hacked, leaving buyers’ bank account information stored on these exchanges vulnerable.
Ransomware Remediation
There are a slew of basic steps companies should take as preemptive measures to avoid falling prey to ransomware, including backing up systems and employing the latest cybersecurity measures. Other measures include:
Updating operating systems, software patching, antivirus programs and firewalls;
Taking steps to detect and block ransomware through firewalls and intrusion detection monitoring, including setting alerts for anomalous behavior;
Revisiting backup protocols to ensure that a crypto-attack is classified as a potential disaster with appropriate contingency plans;
Enabling popup blockers;
Employing IT professionals or consultants familiar with ransomware, who stays current with evolving iterations and variants; and
Implementing a strong password policy requiring all users to regularly change passwords and require more complex passwords, i.e. mixture of lower and uppercase letters, numbers, and symbols;
Reviewing and auditing all network permissions in your network while updating and deactivating all user accounts regularly, including departing employees;
Rigorous employee education and outreach;
Securing long and short-term backups, stored in a manner detached from a company’s network;
Intense screening of partners and vendors to ensure strong security procedures from associated third parties;
Thoughtfully and securely segmenting sensitive user and corporate data within a corporate network; and
Changing network and Wi-Fi passwords regularly.
Along the same lines, the FBI urges organizations to be vigilant keeping browsers, operating systems and third-party application patch levels up to date, and that antivirus protection is also current. The FBI also suggests companies back up often, lock down access granted to individuals and manage configuration of file systems, directories and network shares appropriately.
By setting snares and “honeypots” for would-be ransomware attackers, companies can go so far as to employ drastic and direct preemptive measures. For example, Deception Technology sets its trademarked HackTraps to misdirect ransomware attackers and prevent them from going deeper into a corporate network and reaching their intended target. These traps can be as simple as a document with a deceiving title that was created exclusively to lure in the cybercriminals.
A digital forensic expert can also help a victim company develop and implement a containment plan to isolate any additional infections and provide strategic recommendations to prevent further ransomware attacks and otherwise mitigate their impact.
It may be hard to believe, but when handled correctly, a customer data compromise or data security incident like a ransomware attack can actually become the kind of successful failure that not only prompts remediation that strengthens technological infrastructure, but also reinforces a firm’s commitment and focus upon its customers, partners and other fiduciaries.
Ransomware and Business Continuity Plans
The critical importance of a business continuity plan in the event of a natural disaster is widely recognized and accepted. Yet, too often, such plans are not evaluated in the context of assessing cybersecurity risks such as ransomware.
Even when an organization’s IT cybersecurity response fully aligns to IT best practices, there are benefits in utilizing or integrating IT’s response into the existing business continuity structure, rather than having two separate response models. Speed and agility are key enablers in ransomware response, and business continuity enables nimble, rapid response limiting financial and reputational impact on the enterprise.
A powerful business continuity plan, which is properly integrated with an incident response plan, contemplates the threat of ransomware and plans for data recovery, such as with specialized back-up data systems that are routinely tested and updated as necessary.
Ransomware and Cyber Insurance
Like any other corporate risk, companies are beginning to realize that the financial, operational and even reputational risks of a ransomware attack can be addressed via a comprehensive and targeted cyber insurance policy. Over 60 insurance companies now offer cyber insurance, many containing specific provisions addressing ransomware. In 2015, ransomware accounted for just over 10% of cyber insurance claims, but in 2016 that figure grew to 25%.
Currently, most cyber insurance policies are modular, which means an organization chooses from a menu of coverage options, such as business interruption, third party liability for privacy breaches and first party coverage for an organization’s own costs to detect, stop, investigate and remediate a network security incident.
Ransomware typically falls under “first party” liabilities as cyber extortion and network interruption. When making a cyber insurance claim for ransomware, a victim company should be prepared to demonstrate that: the ransom has been surrendered under duress; the incident is not a hoax; there was c-suite participation in the ransomware payment decision; the insurance company approved of the ransomware payment plan; and the ransomware attack was reported to law enforcement.
Making an insurance reimbursement claim for a Bitcoin payment is also tricky, even with respect to valuation and execution. Challenges include proving to an insurance company: that a Bitcoin payment was made; that a Bitcoin payment was for a particular amount of U.S. dollars; and that a Bitcoin transaction was documented in an acceptable and verifiable manner.
Thus, a ransomware victim company may have to engage a professional intermediary to pay the attackers, and then seek reimbursement for the fees paid to the digital intermediary. Otherwise, an insurer might have no way to audit a process involving Bitcoin and therefore refuse to recompense Bitcoin payments. Cyber insurance might also not cover the full amount of the ransomware or may have in place a high deductible amount (for large organizations the deductible could be $500,000 or as high as $5 million).
Without a specific ransomware cyber insurance policy, a victim company would have to look to the breadth of their professional liability and other insurance policies, which can give rise to ambiguities and disputes. For example, the presence of any sort of terrorism exclusion can become problematic. For instance, insurance policies may have “acts of foreign enemies” or “government acts” exclusions that can limit reimbursement if the ransomware was distributed by cyber-attackers tied to a foreign government;
In addition, whether a ransomware victim company must show “physical damage” can also become an issue. In the typical ransomware scenario, a victim company’s data is not actually damaged but is rather, “locked.” An insurance company may argue that like other cyber-attacks, where a victim’s data was accessed, but not otherwise disturbed, altered or exfiltrated, then the victim has no insurance claim; and
Some companies who do not have cyber insurance, may turn to their kidnap insurance for coverage relating to ransomware attacks. Kidnap policies, known as K&R coverage, are typically used by multinational companies looking to protect their staff in areas of danger, such as where violence related to oil and mining operations is common (like parts of Africa and Latin America).
K&R policies, which typically do not have deductibles, can cover the ransom payments as well as crisis response services, including getting in touch with criminal and regulatory authorities. Whether K&R coverage, which was not designed for ransomware, will cover ransomware costs and expenses will always be a matter of the specific policies involved.
To get the most out of cyber coverage for ransomware attacks, companies should work closely with their brokers, their insurers, their outside counsel and their own internal experts and executives to fully understand their particular ransomware risks. For now, the most effective cyber insurance policies are bespoke, and given the rapidly evolving nature of cyber-attacks, will continue to require custom-tailored fitting for quite some time.
Just like other kinds of insurance, ransomware coverage by itself will rarely be enough to make a company whole after a cyber-attack, but it can provide critical financial resources. Moreover, when coupled with a thoughtful and diligent incident response, a sound ransomware insurance policy can send a powerful message of strong business acumen; fierce customer dedication; and steadfast corporate governance, demonstrating profound expertise to the marketplace, shareholders, regulators and the many other interested corporate stakeholders.
Final Thoughts
When confronted with a ransomware attack, the options all seem bleak. Pay the hackers – and the victim may not only prompt future attacks, but there is also no guarantee that the hackers will restore a victim’s dataset. Ignore the hackers – and the victim may incur significant financial damage or even find themselves out of business. The only guarantees during a ransomware attack are the fear, uncertainty and dread inevitably experienced by the victim.
Even under the best-case scenario, where a victim has maintained archives and can keep their business alive, the victim companies will incur significant remedial costs, business disruptions and exhaustive management drag. Moreover, having a back-up storage solution in place is not always ideal; not only can outside storage of data create additional cybersecurity risks, but sometimes data archives are more like the proverbial roach motel, where data checks in but it can’t check out.
No doubt that the ease, anonymity and speed of crypto-currency payments such as Bitcoin, has revolutionized the ransomware industry, prompting its extraordinary growth. Bitcoin not only makes it simpler to remain anonymous, but also enables a nameless payment mechanism where the extorted funds can be immediately transferred into criminal hands.
Transactions in crypto-currencies like Bitcoin lack a discernable audit trail and operate outside of regulated financial networks and are alarmingly unregulated. There is no central issuer of Bitcoins, nor a Federal Reserve of Bitcoins monitoring and tracking transactions or controlling their value. In short, government surveillance and regulation of cryptocurrency is virtually nonexistent (no pun intended) and so long as crypto-currency payment schemes exist, ransomware attacks and iterations will likely continue to thrive.
Though too early to tell, there may emerge some form of Bitcoin regulation via Executive Order No. 13,694 (April, 2015), which expands sanctions to include “blocking” the property of persons engaging in “Significant Malicious Cyber-Enabled Activities.” The order declares a “national emergency” to deal with cyber-enabled threats and extends to the assets of those who “have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any [malicious cyber-enabled activities].”
Given that ransomware Bitcoin payments are made to cyber criminals, per Executive Order 13,694, the U.S. Secretary of the Treasury, the U.S. Attorney General and/or the U.S. Secretary of State could freeze or “block” assets of any participant in the Bitcoin financial chain. Such dramatic government intervention could discourage the purveyors of ransomware attacks, who depend upon Bitcoin for receiving payments.
The government could also take additional steps to combat ransomware such as:
Providing financial incentives for private investment in ransomware prevention and remediation technologies;
Speaking more boldly discouraging ransomware payments that monetize crime, perhaps via the Financial Crimes Enforcement Network (FinCen) or via a task force of state and federal law enforcement agencies; or
Creating new legal penalties for ransomware payments in a manner similar to the FCPA, rendering the option of paying ransom costlier, thus nudging firms toward choosing greater security.
But these government measures are theoretical and even if implemented, might still not sojourn the dramatic growth of ransomware. The reality is that when it comes to ransomware attacks, the government seems idle and relatively powerless, which means ransomware victims are unfortunately on their own. So what should companies do to manage the increasing risk of the current ransomware crime wave?
As would probably be preached by Thomas Clayton (or Russell Crowe), companies struggling with ransomware threats should apply the same lessons to ransomware protection that Clayton uses for employee protection: Be prepared (e.g. deploy back-ups and the like); Be thoughtful (e.g. use professionals to implement preemptive measures and help handle the response); and Be vigilant (e.g. never underestimate the impact of ransomware and never take the threat lightly).
John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of, “The Cybersecurity Due Diligence Handbook,” available as an eBook on Amazon, iBooks and other booksellers.
The post Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance appeared first on The D&O Diary.
Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance published first on
0 notes
Text
Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance
John Stark Reed
Readers undoubtedly are aware of the recent outbreak of ransomware incidents and the problems they present. The threat of ransomware attacks poses a host of issues, among the most significant of which is whether or not ransomware victims should go ahead and make the demanded ransomware payment as the quickest way to try to recover captured systems. In the following blog post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a comprehensive look that problems involved with making payments in response to a ransomware attack. A version of this article originally appeared on CybersecurityDocket.
I would like to thank John for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit an article. Here is John’s guest post.
****************************
In the 2000 American thriller film Proof of Life, the title refers to a phrase commonly used to indicate proof that a kidnap victim is still alive. As an expert negotiator in kidnapping cases, Terry Thorne, played by Russell Crowe, is engaged to bargain for a corporate kidnap victim’s safe return.
The film Proof of Life is not just a compelling narrative – its premise and main character also provide some useful insights into managing the emerging threat of ransomware. Ransomware, a special and more nascent type of malware, prevents or limits users from accessing their data, by locking system screens or user files, unless and until a ransom is paid.
Proof of Life’s screenplay was partly inspired by Thomas Hargrove’s book The Long March to Freedom, which recounts how the release of the once-kidnapped Hargrove was negotiated by Thomas Clayton, the founder of his eponymous kidnap-for-ransom consultancy Clayton Consultants (now part of risk management firm, Triple Canopy).
Just like Clayton Consultants, the team advising a ransomware victim company, whether a hospital or global corporate conglomerate, must employ a thoughtful, careful and methodical protocol to survive the ransomware crisis. Like any hostage situation, when a cyber-attacker locks up critical data files, the logistics and legalities of ransomware refusal, acquiescence or capitulation can be both elaborate and complicated.
To make matters worse, seeking law enforcement help for a ransomware attack unfortunately remains a very limited option. First, law enforcement has become inundated with ransomware reports and lacks the resources and wherewithal to assist victims. Second, most of the ransomware attackers are overseas, where merely obtaining an electronic evidence or interviewing a witness, let alone successful extradition and prosecution, are rarely possible. Finally, ransomware demands are often at monetary levels in the hundreds or thousands of dollars – too small to warrant federal law enforcement consideration while clearly outside of the jurisdiction of local law enforcement.
Thus, it should come as no surprise that a significant number of ransomware victims opt to pay the ransom. When padlocked files are business-critical (e.g. an important intellectual property formula); when encryption cannot be defeated (no matter how good the code-breaker) or when time is of the essence (e.g. when patient data is needed for life-saving surgery), paying the ransom can become the proverbial best worst option. Moreover, the typically de minimus ransomware payment demands (on average, about $679) are more akin to a financial nuisance than a material fiscal line-item, so from a cost-benefit perspective, payment can make the most sense.
Under any circumstance, ransomware has quickly become a novel, multifaceted and emerging risk to all corporate enterprises, and like any other material risk, should be addressed and mitigated in a reasonable, lawful, robust and effective manner.
This article provides guidance on the legal issues, logistical considerations and financial implications when managing ransomware threats, including an exposition of the unique issues which can arise when seeking proof of life and opting to meet the monetary demands of ransomware attacker.
What is Ransomware?
Ransomware is a type of malicious software that infects a computer and restricts users’ access to certain data, systems and/or files until a ransom is paid. Ransomware can come in many forms and iterations and like any other virus or infection, ransomware can evolve and transmogrify to counter cyber-defenses and remediation. Although only a fraction of ransomware attacks are actually reported to federal authorities, the U.S. Department of Justice reports over 4,000 ransomware attacks occur daily.
A ransomware victim company’s files are rarely exfiltrated by a ransomware attacker, rather the attacker encrypts the files so a victim company cannot access them. Then the hacker offers to sell the encryption key to the victim, typically payable in an anonymizing online crypto-currency such as Bitcoin. The usual ransomware demand comes with a deadline — after which time, the ransomware attacker threatens that the key will be destroyed or will expire, rendering the kidnapped files forever inaccessible. In many cases the ransom note that hijacks the victim’s screen is accompanied by a digital clock ominously ticking down the minutes and seconds from 72 hours. When the timer expires, the ransom demand usually goes up or even doubles – or the data is permanently locked and henceforth unrecoverable.
Bitcoin and other convertible crypto-currencies have become the keystone to current ransomware schemes, rendering the transactions practically untraceable and well suited for criminal transactions. Unlike the sequence of events during to a common kidnapping scenario, where the exchange of money arguably places criminals in their most vulnerable position, virtual kidnapping of ransomware actually facilitates anonymity throughout the Bitcoin transaction process.
Ransomware Growth
According to a recent study by IBM, spam emails loaded with ransomware increased 6,000 percent in 2016 compared with 2015, comprising almost 40 percent of all spam messages in 2016. Another report, from cybersecurity firm Symantec, cited 460,000 ransomware attempts in 2016, up 36% from 2015, with the average payment demand ballooning from $294 to $1,077, a 266% increase. Ransomware attacks have grown almost exponentially for several reasons:
The ransomware business model works, with the FBI stating that ransomware is on pace to become a one billion dollar source of income for cybercriminals in 2017;
Ransomware start-up costs are cheap. Ransomware software is readily and easily available – and is extraordinarily inexpensive. Ransomware is available for rent; for purchase or even in kits for building. Indeed, 60 percent of the Internet’s top sites sell ransomware; and
Ransomware schemes are typically successful. One recent study found that 70 percent of business victims paid the hackers to get their data back. Of those who paid, 50 percent paid more than $10,000 and 20 percent paid more than $40,000.
Ransomware attacks target the most vulnerable part of a company’s computer networks: people. The primary attack vector for ransomware is an employee who has clicked on a file or a linked he or she should not have clicked. That employee may be:
An accidental insider (e.g. an inattentive employee infiltrated due to inadvertent behaviors or broken business processes);
A compromised insider (e.g. a targeted employee via social engineering and infiltrated due to malware infections or stolen credentials); or
A malicious insider (e.g. a so-called bad leaver or criminal insider who infiltrate via corporate espionage and sabotage).
Ransomware is sometimes embedded in seemingly legitimate downloads such as software updates or resume files. Fake Adobe Flash updates are a notorious Trojan horse for delivering ransomware because Flash is such a ubiquitous add-on to most Internet browsers. Once inside a network, some ransomware can seed itself to additional computers or other devices via SMS messages or a user’s contact list.
What makes ransomware countermeasures challenging is the evolution of ransomware variants. There has been a tremendous increase in ransomware strains – reaching almost epidemic proportions. Indeed, new ransomware strains are now being created to tap into the mobile user base, which can impact both personal and business information, already dramatically expanding the ransomware threat landscape, diversifying and expanding their platforms, capabilities and techniques in order to accrue more targets.
Per recent reports, in the third quarter of 2011, about 60,000 new variants of ransomware were detected. That number doubled to over 200,000 in 2012; quadrupling to over 700,000 variants from 2014, to the first quarter of 2015. In the first quarter of 2016, security firm Kaspersky Lab revealed 2,900 new “modifications” of existing ransomware, a 14% increase from the last quarter, and a 30% increase from the previous quarter.
As the Internet of Things begins to establish a foothold in daily life, ransomware growth seems poised to become more severe and more widespread. Market forecaster Gartner expects 6.4 billion connected devices will surround us in the home and workplace this year, a $30 billion market by the year 2020. This growing network of Internet-connected household devices, from Samsung refrigerators to Nest thermostats, will undoubtedly render individuals and corporations increasingly vulnerable to ransomware attacks.
Recent Ransomware Attacks
While ransomware has beleaguered victim companies for much of the last decade, a recent global spate of ransomware attacks has prompted intense media coverage and worldwide apprehension and concern.
For instance, in April 2017, a ransomware group known as Shadow Brokers coopted a ransomware exploit (nicknamed Eternal Blue) from the U.S. National Security Agency, and took advantage of a Windows vulnerability, targeting a wave of hospitals. The ransomware extortion demands impacted more than just corporate operations and secrets; suddenly, a cyber-attack impacted the lives of sick hospital patients, prompting an almost international hysteria.
The vulnerability, patchable for new Microsoft systems but not necessarily for older systems upon which many hospitals were running, was dubbed “WannaCry” or “WannaCrypt” ransomware, and according to Europol, claimed over 200,000 victims in over 150 countries.
Similarly, in late June 2017, another strain of ransomware hit at least six countries, including and primarily Ukraine, where it was blamed for a large and coordinated attack on key parts of the nation’s infrastructure, from government agencies and electric grids to stores and banks. According to Microsoft, this outbreak, referred to as NotPetya – aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya and Diskcoder.C – resulted in “a less widespread attack” than WannaCry, aka WannaCrypt.
As a result of NotPetya ransomware, A.T.M.’s in the Ukraine apparently stopped working; workers were forced to manually monitor radiation at the old Chernobyl nuclear plant when their computers failed; and data security personnel at companies around the world — from Maersk, the Danish shipping conglomerate, to Merck, the drug giant in the United States — were reportedly scrambling to respond. Even an Australian factory for the chocolate giant Cadbury was affected.
Though more sophisticated than WannaCry and employing the same Eternal Blue server message block exploit, NotPetya’s global impact was reportedly blunted by its own limited attack capabilities (e.g. by a default setting, the infected system reboots after 60 minutes, and the malware does not persist after the reboot). “This means that the threat can only do lateral movement and exploitation of other machines during this limited time,” Microsoft says. “This reduced the reach of the attack.”
Law Enforcement and Ransomware: The Official View
The official line from federal law enforcement with respect to Ransomware is: Report the Incident and Don’t Pay. Specifically, the FBI warns:
“The FBI doesn’t support paying a ransom in response to a ransomware attack . . . Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. [B]y paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
The FBI also warns that paying ransomware does not guarantee that a victim company will obtain from the attacker a working key to rescue their data. The FBI is aware of cases where either the attackers fail to hand over the correct decryption key or are unwilling to comply with the original ransomware demands after payment is received. According to Trend Micro research, nearly 33 percent of firms that pay the ransom when attacked by ransomware fail to get their data back. The FBI also urges ransomware victims to report ransomware attacks immediately and seek help from the FBI in handling the situation.
Along similar lines, during an emergency meeting to address the WannaCry ransomware attacks, Tom Bossert, Homeland Security Advisor to President Donald Trump, discussed the perils of ransomware payment, and warned that victims could still lose access to files even after making a payment:
“Well, the U.S. government doesn’t make a recommendation on paying ransom, but I would provide a strong caution. You’re dealing with people who are obviously not scrupulous, so making a payment does not mean you are going to get your data back.”
Law Enforcement and Ransomware: The Unofficial View
In some public settings, the FBI has warned that, without paying a ransom, victim companies may not be able to unlock their kidnapped data from ransomware attackers who use Cryptolocker, Cryptowall and other potent malware strains.
“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office. “To be honest, we often advise people to just pay the ransom . . . The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom.”
Indeed, the Ponemon Institute reported in a 2016 study that 48% of businesses victimized by ransomware paid the ransom (average ransomware payment being $2,500), while a similar IBM Security study found that 70 percent of business victims paid the ransom during that same period.
Even some law enforcement officials themselves have decided to cut their losses by paying off the purveyors of ransomware. For instance, in the Massachusetts townships of Tewksbury and Swansea, ransomware attackers made off with $500 and $750 bounties, respectively. Elsewhere, police departments in the Chicago suburbs of Midlothian and Dickson County, Tenn., also paid ransom amounts to ransomware attackers. That even law enforcement officials have opted to cut their losses by succumbing to, and paying off, ransomware attackers demonstrates how oddly commonplace ransomware payments have become.
Counsel as Quarterback for Ransomware Response
Ransomware is a crime, has significant regulatory implications and can involve important legal responsibilities and liabilities. At a minimum, ransomware schemes run afoul of the federal computer crime statute, 18 U.S.C. § 1030, and particularly subsection (a)(7), which forbids hacking intended to extort something of value from the victim.
Above all else, the legal ramifications of any ransomware incident or failure can be calamitous for any public or private company. Even the most traditional realms of IT dominion such as exfiltration analysis, malware reverse engineering, digital forensics, logging review and most technological remediation measures are rife with legal and compliance issues and a myriad of potential conflicts.
For instance, after a cybersecurity incident such as a ransomware attack, law enforcement, regulators, vendors, partners, insurers, customers and others may:
Request forensic images of impacted systems;
Demand copies of indicators of compromise;
Mandate that their own auditors or examiners visit sites of infiltration and conduct their own audit and investigation;
Want to participate in remediation planning;
Seek interviews and interactions with IT personnel;
Require briefings from a victim company’s forensic experts and data security engineers; or
Ask to attach a recording appliance to a victim company’s network in hope of capturing traces of attacker activity, should an attacker return.
These requests raise a host of legal issues, including how exactly to respond to each request and whether any response would violate the privacy of customers; be at odds with commercial agreements; result in a waiver of the attorney-client or work product privileges; or have any other legal/compliance consequences.
Because so many incident response issues are critical to the very survival of a company, who else but the GC can oversee and direct investigative workflow, commanding the investigation and remediation for the C-suite, sharing with senior management the ultimate responsibility for key decisions, while having the responsibility and duty of reporting to the company’s board.
Ransomware and the Attorney-Client Privilege
Attorney involvement, awareness, leadership, and direction are not the only essentials for managing the quagmire of legal issues arising during a ransomware response. GC involvement also triggers the protections afforded by the attorney-client and work product privileges, a critical component in the response to data security incidents.
The involvement and direction of counsel in the context of any investigation will presumably apply to the work product produced not only directly by the legal team members but also by the outside advisors, including the digital forensic investigators engaged by internal or outside counsel.
This is standard practice in the context of any other type of investigation – a cyber incident is no different. There is nothing nefarious or extraordinary about this approach, it is a time-honored and tested standard operating procedure. The involvement of counsel establishes a single point of coordination and a designated information collection point.
Counsel as quarterback of ransomware response also enhances visibility into the facts, improves the ability to pursue appropriate leads and, most importantly, ensures the accuracy and completeness of information before it is communicated to external audiences. Otherwise, incomplete and/or inaccurate information could be released, only to have to later be corrected or even retracted.
Ransomware Notification Requirements
Although typically involving locking up data (rather than accessing, targeting or exfiltrating data), a ransomware attack could still be deemed the type of data security incident which triggers a legal notification requirement, including notice to:
State regulators (per state privacy statutes, rules and regulations);
Shareholders (per SEC disclosure obligations);
Vendors, partners and other entities (Many companies now incorporate rigorous cybersecurity notification requirements into their contracts, which can trigger when a victim company experiences a ransomware attack.);
Insurance carriers (especially if a victim company plans to make an insurance claim, relating to the ransomware attack);
Customers (when the data of a customer, such as a hospital patient, is impacted by a ransomware attack, a victim company may have very specific legal obligations to notify that customer); and
Any other constituency who may have a vested interest in a victim-company.
With respect to state regulatory notifications there is some grey area worthy of mention. In the United States, 52 jurisdictions (including 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands) have enacted some version of a data breach notification law. Under these laws, notification may be required for any customer whose personally identifiable information (PII) was acquired or accessed, or reasonably likely to have been acquired or accessed. While most states require some form of notice to their residents of a data breach, depending on applicable legal standards, some states also require notification to public agencies, such as the state attorney general.
The threshold issue is a technological one – probably best determined by a digital forensics expert and couched in legal terms. For instance, if the data is encrypted or otherwise “locked” through an automated process, companies could argue that the data was never accessed by an unauthorized party, which is the standard that typically triggers state breach notification laws.
On the other hand, though the mere encryption of data may not trigger the notification rules, the viewing, copying, relocating and altering of information can. Digital forensics and malware reverse engineering can provide some clue with respect to the impact of a ransomware attack and help assess some of the lesser state thresholds (such as in states like Connecticut, Florida, Kansas, Louisiana and New Jersey) where the definition of a breach also includes accessing of protected health information.
With respect to some of the more onerous and specific federal notification rules, such as under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), digital forensics analysis can also provide critical information relating to disclosure requirements. For instance, HHS rules generally state that hospitals need only report attacks that result in the exposure of private medical or financial information, such as malware that steals data. Whether ransomware’s data encryption crosses that legal threshold can be challenging to determine, which is why ransomware attacks and other data security incidents at health care organizations often go unreported.
In addition, under the new EU General Data Protection Regulation, effective May 25, 2018, there is a requirement to notify the supervisory authorities without undue delay (no later than 72 hours) after becoming aware of a data breach, unless it is unlikely to cause a risk to the affected individuals. The fines for violating this regulation are significant—up to 4% of global annual turnover or €20 million (whichever is the higher), so any late notification will need to be justified.
Ransomware Investigative Tactics
While determining the bona fides of a ransomware strain is always challenging, an experienced digital forensic examiner can find some answers by searching for some of the more typical cyber-indicators. Ransomware malware is characteristically a type of tool, which is not only known to most professionals, but may even be readily available for purchase online. If the name and modus operandi of the ransomware is new or otherwise unknown, rather than a victim firm being “patient zero,” the ransomware may turn out to be bogus.
Digital forensic experts can also research the Bitcoin payment address; the malware message; any relevant phishing emails; and any other of the ransomware’s characteristics in data security research forums and internal archives, to analyze recent commentary about the ransomware and test its efficacy and validity.
There are also a range of digital forensics tests to initiate upon an infected file to assess a ransomware strain’s actual efficacy. For instance, one simple test is to return the file name to its original form. Real ransomware changes the file extension of encrypted files. The Ransomware files may not be encrypted but just renamed to provide the illusion of encryption to cajole a ransom payment. A digital forensics expert can also investigate the severity of the attack; reverse-engineer the malware that has taken control of victim data; and attempt a full-fledged data recovery.
Ransomware Payment
In cases where a particular ransomware attack cannot be fully mitigated, an experienced digital forensics firm can broker and validate a solution that minimizes the cost of recovery and prevents further extortion from the attacker.
Paying off the ransomware attackers typically entails: 1) sending the secret ransomware key file now stored on the victim’s computer; 2) uploading that file (or data string) to the attackers together with a Bitcoin payment; and 3) awaiting a decryption key or a tool a victim can use to undo the encryption on the victim company files. This is a complex and challenging process.
First off, a digital forensics firm can help a ransomware victim navigate the maze of setting up an account to handle Bitcoin, getting it funded, and figuring out how to pay other people with it. A digital forensics examiner may even be able to construct a payment scheme where rendering ransomware payments is conditional. By using cryptocurrency features to ensure that ransomware attackers cannot receive their payment unless they deliver a key, there can exist some added level of security and reliability upon the transaction. One ransomware response expert, notes:
“ . . A ransomware developer could easily perform payment via a smart contract script (in a system like Ethereum) that guarantees the following property. This payment will be delivered to the ransomware operator if and only if the ransomware author unlocks it — by posting the ransomware decryption key to the same blockchain.”
Ransomware attackers may portray the entire ransomware payment process as more akin to an ordinary business transaction than an international extortion scheme. In fact, some recent ransomware attackers purportedly even offer a victim company a discount if the victim company transmits the infection to other companies, just like referral programs of Uber or Lyft.
However, while a ransomware payment process may seem straightforward and rudimentary, the reality is far more complicated and rife with challenges. No ransomware payment process can guarantee that the ransomware attacker will provide a decryption key. The ransomware scheme may be nothing more than a social engineering ruse, more like an old fashioned Nigerian Internet scam than a malware infection – and the payment could end up being all for naught.
Indeed, ransomware attackers may no longer have the encryption key or may just opt to take a ransom payment, infect a company’s system, and flee the crime scene entirely. Not only is the system of paying in untraceable Bitcoin risky, but the transaction in its entirety is so risky, it hardly seems palatable. Nonetheless, the number of victim companies that pay ransomware demands continues to grow at an alarming rate.
The Legalities of Ransomware Payment
Though the FBI has hinted at the possible illegality of paying a ransomware demand, the FBI has never specifically stated that the payer could actually be charged with a crime. It would seem rather obvious that with respect to any criminal statute, actions taken under duress do not ordinarily constitute a crime. Moreover, the ransomware attacker possesses the criminal intent, not the victim who agrees to pay. However, there is little specific legal authority on the subject of payment and negotiation with ransomware attackers, so the legalities of payment are worthy of some analysis.
In general, legal commentary and case law regarding ransom payments is limited. However, in a germane 2011 British case, Masefield AG v Amlin Corporate Member Ltd (The Bunga Melati Dua), relating to maritime piracy and ransom demands for safe return of the vessel and crew, the court faced a somewhat analogous scenario. Specifically, the British Court of Appeal held that there was no general public policy argument against paying ransoms, stating that:
“…there is no universal morality against the payment of ransom, the act not of the aggressor but of the victim of piratical threats, performed in order to save property and the liberty or life of hostages. There is no evidence before the court of such payments being illegal anywhere in the world. This is despite the realization that the payment of ransom, whatever it might achieve in terms of the rescue of hostages and property, itself encourages the incidence of piracy for the purposes of exacting more ransoms. (Perhaps it should be said that the pirates are not classified as terrorists. It may be that the position with regard to terrorists is different).”
Though addressing hostage ransoms, and not ransomware, former President Barak Obama provided a similar message in his Statement by the President on the U.S. Government’s Hostage Policy Review (June 24, 2015):
“I firmly believe that the United States government paying ransom to terrorists’ risks endangering more Americans and funding the very terrorism that we’re trying to stop. And so I firmly believe that our policy ultimately puts fewer Americans at risk. At the same time, we are clarifying that our policy does not prevent communication with hostage-takers — by our government, the families of hostages, or third parties who help these families . . . In particular, I want to point out that no family of an American hostage has ever been prosecuted for paying a ransom for the return of their loved ones. The last thing that we should ever do is to add to a family’s pain with threats like that.”
Ransomware and the FCPA
The Foreign Corrupt Practices Act of 1977 (FCPA) prohibits payments to foreign government officials to assist in obtaining or retaining business or directing business to any person. Laws such as the FCPA reflect an alternative approach to deterring bribes, by penalizing those on the payment side of the transaction.
Specifically, the FCPA prohibits giving something of value for the purpose of: “(i) influencing any act or decision of [a] foreign official in his official capacity, (ii) inducing such foreign official to do or omit any act in violation of the lawful duty of such official, or (iii) securing any improper advantage … to obtain or retain business for or with … any person.” The law provides an affirmative defense for payments that are “lawful under the written laws and regulations” of the country.
Given the FCPA threshold requirement that a payment must be made to assist in obtaining or retaining business for the individual or company or directing that business to another person, a ransomware scenario does not appear to trigger the FCPA.
However, FCPA’s enforcement can provide a useful analogy when considering the legalities of paying a ransomware demand. U.S. companies often face extortionate demands from foreign police, bureaucrats, and regulators, who threaten to hold, expel, or even harm employees if ransoms are not paid. And there have always been questions whether those involuntary payments can violate the FCPA. The DOJ-SEC Guidance on FCPA addresses this issue, stating:
“Does the FCPA Apply to Cases of Extortion or Duress? Situations involving extortion or duress will not give rise to FCPA liability because a payment made in response to true extortionate demands under imminent threat of physical harm cannot be said to have been made with corrupt intent or for the purpose of obtaining or retaining business.”
This notion, that under FCPA an individual is not guilty of a criminal offense when forced to do so by duress or extortion, is confirmed in United States v. Kozeny, 582 F.Supp.2d 535, 540 (S.D.N.Y. 2008). Specifically, in the Kozeny decision, the United States District Court for the Southern District of New York ruled that extortion or duress under the threat of imminent physical harm would excuses the conduct (essentially negating a corrupt intent), stating:
“ . . . while the FCPA would apply to a situation in which a “payment [is] demanded on the part of a government official as a price for gaining entry into a market or to obtain a contract,” it would not apply to one in which payment is made to an official “to keep an oil rig from being dynamited,” an example of “true extortion.” The reason is that in the former situation, the bribe payer cannot argue that he lacked the intent to bribe the official because he made the “conscious decision” to pay the official. In other words, in the first example, the payer could have turned his back and walked away—in the latter example, he could not.”
Whether the “economic duress” of a typical ransomware attack would rise to the level of “true extortion” as described in the Kozeny decision remains untested, and might be viewed as insufficient to excuse conduct from sanctions under the FCPA.
The FCPA could also potentially apply in ransomware scenarios where the cyber-criminal has a known connection to a foreign government. While the concealed identity of cyber-criminals involved in ransomware attacks likely prevents a payer from knowing that a payment violates the FCPA, the issue could still arise when a digital forensic expert identifies a ransomware attacker’s modus operandi to be that of a state sponsored organization (e.g. from Russia, North Korea or Iran).
Foreign Sanctions and Ransomware
Like the FCPA, international sanctions regimes are also designed to prevent payments to certain designated payees, institutions, and countries who are enemies of the U.S, such as terrorists and terrorist organizations. In the United States, the Treasury’s Office of Foreign Asset Controls (OFAC) supervises these programs, such as the Trading with the Enemy Act and the International Emergency Economic Powers Act (IEEPA).
Under these Acts, ransom payments (whether directly or indirectly through an intermediary) to Foreign Terrorist Organizations (FTOs) or Specially Designated Global Terrorists (SDGTs) identified by OFAC, are illegal under U.S. law. Monetary contributions to FTOs are considered material support under 18 U.S.C. 2339B, while transfers to SDGTs are violations of economic sanctions imposed pursuant to the IEEPA.
For example, in a February 2017 cyber-attack against the British National Health System, the attackers appeared to be ISIS and in particular, the Tunisian Falange Team, which posted graphics and pictures decrying at the war in Syria. Whether a similar attack against a U.S. hospital, with a similar evidentiary trail indicating terrorist attribution, would trigger the limitations imposed OFAC is unclear and untested. However, any digital forensic findings of a ransomware attack indicating terrorist attribution or involvement is certainly worthy of consideration when contemplating a ransomware payment.
Ransomware and Conspiracy
Whether a payer of a ransomware demand can be held to have entered into a conspiracy with the ransomware attacker seems unlikely and contrary to the public interest. A conspiracy is an agreement with another that a criminal course of conduct is to be pursued. Ransomware payments do not appear to be the kind of agreements contemplated by conspiracy statutes, but instead are forced arrangements dictated by a ransomware attacker.
However, other profiting and culpable participants in the Bitcoin payment scheme to pay a ransomware attacker might find themselves facing criminal penalties. Anthony Murgio, who recently pled guilty to operating as a money transmitter without a license in 2015, was also charged with violating Title 18 U.S.C., Section 1030(a)(7) and sentenced to 5 ½ years in prison. Federal prosecutors alleged that Murgio and his co-conspirators benefitted from transactions providing victims with Bitcoin to pay off ransomware demands. The Murgio indictment states:
“As part of the unlawful Coin.mx scheme, Anthony P. Murgio, the defendant, and his co-conspirators knowingly processed and profited from numerous Bitcoin transactions conducted on behalf of victims of ransomware schemes…By knowingly permitting ransomware victims to exchange currency for Bitcoins through Coin.mx, Murgio and his co-conspirators facilitated the transfer of ransom proceeds to the malware operators while generating revenue for Coin.mx.”
Unlike a ransomware payer, Murgio was a part of the payment process and clearly facilitated the ransomware transactions with unclean hands – possessing the kind of felonious intent required for money laundering criminal liability. Crypto-currency sellers or exchange operators may be caught up in legal trouble if: they have avoided or neglected reporting requirements or have not registered as a money transmission business (like Murgio), or, if they were criminally complicit with the ransomware attackers.
The distinction seems clear: if a Bitcoin seller actively aided and abetted a ransomware attacker, knowingly profiting from the scheme, the Bitcoin seller could be criminally liable. However, if a digital forensics firm made Bitcoin available to a client and provided technical advice as to how to pay in Bitcoin, then, like Thomas Clayton in Proof of Life, criminal liability seems wholly inappropriate.
Ransomware: To Pay or Not To Pay
For now, it seems that paying ransomware, while obviously risky and empowering/encouraging ransomware attackers, does not appear to break any laws – and even if payment is arguably unlawful, seems unlikely to be prosecuted. Thus, the decision whether to pay or ignore a ransomware demand, seems less of a legal, and more of a practical, determination — almost like a cost-benefit analysis.
The arguments for rendering a ransomware payment include:
Payment is the least costly option;
Payment is in the best interest of stakeholders (e.g. a hospital patient in desperate need of an immediate operation whose records are locked up);
Payment can avoid being fined for losing important data;
Payment means not losing highly confidential information; and
Payment may mean not going public with the data breach.
The arguments against rendering a ransomware payment include:
Payment does not guarantee that the right encryption keys with the proper decryption algorithms will be provided;
Payment further funds additional criminal pursuits of the attacker, enabling a cycle of ransomware crime;
Payment can do damage to a corporate brand;
Payment may not stop the ransomware attacker from returning;
If victims stopped making ransomware payments, the ransomware revenue stream would stop and ransomware attackers would have to move on to perpetrating another scheme; and
Using Bitcoin to pay a ransomware attacker can put organizations at risk. Most victims must buy Bitcoin on entirely unregulated and free-wheeling exchanges that can also be hacked, leaving buyers’ bank account information stored on these exchanges vulnerable.
Ransomware Remediation
There are a slew of basic steps companies should take as preemptive measures to avoid falling prey to ransomware, including backing up systems and employing the latest cybersecurity measures. Other measures include:
Updating operating systems, software patching, antivirus programs and firewalls;
Taking steps to detect and block ransomware through firewalls and intrusion detection monitoring, including setting alerts for anomalous behavior;
Revisiting backup protocols to ensure that a crypto-attack is classified as a potential disaster with appropriate contingency plans;
Enabling popup blockers;
Employing IT professionals or consultants familiar with ransomware, who stays current with evolving iterations and variants; and
Implementing a strong password policy requiring all users to regularly change passwords and require more complex passwords, i.e. mixture of lower and uppercase letters, numbers, and symbols;
Reviewing and auditing all network permissions in your network while updating and deactivating all user accounts regularly, including departing employees;
Rigorous employee education and outreach;
Securing long and short-term backups, stored in a manner detached from a company’s network;
Intense screening of partners and vendors to ensure strong security procedures from associated third parties;
Thoughtfully and securely segmenting sensitive user and corporate data within a corporate network; and
Changing network and Wi-Fi passwords regularly.
Along the same lines, the FBI urges organizations to be vigilant keeping browsers, operating systems and third-party application patch levels up to date, and that antivirus protection is also current. The FBI also suggests companies back up often, lock down access granted to individuals and manage configuration of file systems, directories and network shares appropriately.
By setting snares and “honeypots” for would-be ransomware attackers, companies can go so far as to employ drastic and direct preemptive measures. For example, Deception Technology sets its trademarked HackTraps to misdirect ransomware attackers and prevent them from going deeper into a corporate network and reaching their intended target. These traps can be as simple as a document with a deceiving title that was created exclusively to lure in the cybercriminals.
A digital forensic expert can also help a victim company develop and implement a containment plan to isolate any additional infections and provide strategic recommendations to prevent further ransomware attacks and otherwise mitigate their impact.
It may be hard to believe, but when handled correctly, a customer data compromise or data security incident like a ransomware attack can actually become the kind of successful failure that not only prompts remediation that strengthens technological infrastructure, but also reinforces a firm’s commitment and focus upon its customers, partners and other fiduciaries.
Ransomware and Business Continuity Plans
The critical importance of a business continuity plan in the event of a natural disaster is widely recognized and accepted. Yet, too often, such plans are not evaluated in the context of assessing cybersecurity risks such as ransomware.
Even when an organization’s IT cybersecurity response fully aligns to IT best practices, there are benefits in utilizing or integrating IT’s response into the existing business continuity structure, rather than having two separate response models. Speed and agility are key enablers in ransomware response, and business continuity enables nimble, rapid response limiting financial and reputational impact on the enterprise.
A powerful business continuity plan, which is properly integrated with an incident response plan, contemplates the threat of ransomware and plans for data recovery, such as with specialized back-up data systems that are routinely tested and updated as necessary.
Ransomware and Cyber Insurance
Like any other corporate risk, companies are beginning to realize that the financial, operational and even reputational risks of a ransomware attack can be addressed via a comprehensive and targeted cyber insurance policy. Over 60 insurance companies now offer cyber insurance, many containing specific provisions addressing ransomware. In 2015, ransomware accounted for just over 10% of cyber insurance claims, but in 2016 that figure grew to 25%.
Currently, most cyber insurance policies are modular, which means an organization chooses from a menu of coverage options, such as business interruption, third party liability for privacy breaches and first party coverage for an organization’s own costs to detect, stop, investigate and remediate a network security incident.
Ransomware typically falls under “first party” liabilities as cyber extortion and network interruption. When making a cyber insurance claim for ransomware, a victim company should be prepared to demonstrate that: the ransom has been surrendered under duress; the incident is not a hoax; there was c-suite participation in the ransomware payment decision; the insurance company approved of the ransomware payment plan; and the ransomware attack was reported to law enforcement.
Making an insurance reimbursement claim for a Bitcoin payment is also tricky, even with respect to valuation and execution. Challenges include proving to an insurance company: that a Bitcoin payment was made; that a Bitcoin payment was for a particular amount of U.S. dollars; and that a Bitcoin transaction was documented in an acceptable and verifiable manner.
Thus, a ransomware victim company may have to engage a professional intermediary to pay the attackers, and then seek reimbursement for the fees paid to the digital intermediary. Otherwise, an insurer might have no way to audit a process involving Bitcoin and therefore refuse to recompense Bitcoin payments. Cyber insurance might also not cover the full amount of the ransomware or may have in place a high deductible amount (for large organizations the deductible could be $500,000 or as high as $5 million).
Without a specific ransomware cyber insurance policy, a victim company would have to look to the breadth of their professional liability and other insurance policies, which can give rise to ambiguities and disputes. For example, the presence of any sort of terrorism exclusion can become problematic. For instance, insurance policies may have “acts of foreign enemies” or “government acts” exclusions that can limit reimbursement if the ransomware was distributed by cyber-attackers tied to a foreign government;
In addition, whether a ransomware victim company must show “physical damage” can also become an issue. In the typical ransomware scenario, a victim company’s data is not actually damaged but is rather, “locked.” An insurance company may argue that like other cyber-attacks, where a victim’s data was accessed, but not otherwise disturbed, altered or exfiltrated, then the victim has no insurance claim; and
Some companies who do not have cyber insurance, may turn to their kidnap insurance for coverage relating to ransomware attacks. Kidnap policies, known as K&R coverage, are typically used by multinational companies looking to protect their staff in areas of danger, such as where violence related to oil and mining operations is common (like parts of Africa and Latin America).
K&R policies, which typically do not have deductibles, can cover the ransom payments as well as crisis response services, including getting in touch with criminal and regulatory authorities. Whether K&R coverage, which was not designed for ransomware, will cover ransomware costs and expenses will always be a matter of the specific policies involved.
To get the most out of cyber coverage for ransomware attacks, companies should work closely with their brokers, their insurers, their outside counsel and their own internal experts and executives to fully understand their particular ransomware risks. For now, the most effective cyber insurance policies are bespoke, and given the rapidly evolving nature of cyber-attacks, will continue to require custom-tailored fitting for quite some time.
Just like other kinds of insurance, ransomware coverage by itself will rarely be enough to make a company whole after a cyber-attack, but it can provide critical financial resources. Moreover, when coupled with a thoughtful and diligent incident response, a sound ransomware insurance policy can send a powerful message of strong business acumen; fierce customer dedication; and steadfast corporate governance, demonstrating profound expertise to the marketplace, shareholders, regulators and the many other interested corporate stakeholders.
Final Thoughts
When confronted with a ransomware attack, the options all seem bleak. Pay the hackers – and the victim may not only prompt future attacks, but there is also no guarantee that the hackers will restore a victim’s dataset. Ignore the hackers – and the victim may incur significant financial damage or even find themselves out of business. The only guarantees during a ransomware attack are the fear, uncertainty and dread inevitably experienced by the victim.
Even under the best-case scenario, where a victim has maintained archives and can keep their business alive, the victim companies will incur significant remedial costs, business disruptions and exhaustive management drag. Moreover, having a back-up storage solution in place is not always ideal; not only can outside storage of data create additional cybersecurity risks, but sometimes data archives are more like the proverbial roach motel, where data checks in but it can’t check out.
No doubt that the ease, anonymity and speed of crypto-currency payments such as Bitcoin, has revolutionized the ransomware industry, prompting its extraordinary growth. Bitcoin not only makes it simpler to remain anonymous, but also enables a nameless payment mechanism where the extorted funds can be immediately transferred into criminal hands.
Transactions in crypto-currencies like Bitcoin lack a discernable audit trail and operate outside of regulated financial networks and are alarmingly unregulated. There is no central issuer of Bitcoins, nor a Federal Reserve of Bitcoins monitoring and tracking transactions or controlling their value. In short, government surveillance and regulation of cryptocurrency is virtually nonexistent (no pun intended) and so long as crypto-currency payment schemes exist, ransomware attacks and iterations will likely continue to thrive.
Though too early to tell, there may emerge some form of Bitcoin regulation via Executive Order No. 13,694 (April, 2015), which expands sanctions to include “blocking” the property of persons engaging in “Significant Malicious Cyber-Enabled Activities.” The order declares a “national emergency” to deal with cyber-enabled threats and extends to the assets of those who “have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any [malicious cyber-enabled activities].”
Given that ransomware Bitcoin payments are made to cyber criminals, per Executive Order 13,694, the U.S. Secretary of the Treasury, the U.S. Attorney General and/or the U.S. Secretary of State could freeze or “block” assets of any participant in the Bitcoin financial chain. Such dramatic government intervention could discourage the purveyors of ransomware attacks, who depend upon Bitcoin for receiving payments.
The government could also take additional steps to combat ransomware such as:
Providing financial incentives for private investment in ransomware prevention and remediation technologies;
Speaking more boldly discouraging ransomware payments that monetize crime, perhaps via the Financial Crimes Enforcement Network (FinCen) or via a task force of state and federal law enforcement agencies; or
Creating new legal penalties for ransomware payments in a manner similar to the FCPA, rendering the option of paying ransom costlier, thus nudging firms toward choosing greater security.
But these government measures are theoretical and even if implemented, might still not sojourn the dramatic growth of ransomware. The reality is that when it comes to ransomware attacks, the government seems idle and relatively powerless, which means ransomware victims are unfortunately on their own. So what should companies do to manage the increasing risk of the current ransomware crime wave?
As would probably be preached by Thomas Clayton (or Russell Crowe), companies struggling with ransomware threats should apply the same lessons to ransomware protection that Clayton uses for employee protection: Be prepared (e.g. deploy back-ups and the like); Be thoughtful (e.g. use professionals to implement preemptive measures and help handle the response); and Be vigilant (e.g. never underestimate the impact of ransomware and never take the threat lightly).
John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of, “The Cybersecurity Due Diligence Handbook,” available as an eBook on Amazon, iBooks and other booksellers.
The post Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance appeared first on The D&O Diary.
Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance syndicated from http://ift.tt/2qyreAv
0 notes
Text
Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance
John Stark Reed
Readers undoubtedly are aware of the recent outbreak of ransomware incidents and the problems they present. The threat of ransomware attacks poses a host of issues, among the most significant of which is whether or not ransomware victims should go ahead and make the demanded ransomware payment as the quickest way to try to recover captured systems. In the following blog post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a comprehensive look that problems involved with making payments in response to a ransomware attack. A version of this article originally appeared on CybersecurityDocket.
I would like to thank John for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit an article. Here is John’s guest post.
****************************
In the 2000 American thriller film Proof of Life, the title refers to a phrase commonly used to indicate proof that a kidnap victim is still alive. As an expert negotiator in kidnapping cases, Terry Thorne, played by Russell Crowe, is engaged to bargain for a corporate kidnap victim’s safe return.
The film Proof of Life is not just a compelling narrative – its premise and main character also provide some useful insights into managing the emerging threat of ransomware. Ransomware, a special and more nascent type of malware, prevents or limits users from accessing their data, by locking system screens or user files, unless and until a ransom is paid.
Proof of Life’s screenplay was partly inspired by Thomas Hargrove’s book The Long March to Freedom, which recounts how the release of the once-kidnapped Hargrove was negotiated by Thomas Clayton, the founder of his eponymous kidnap-for-ransom consultancy Clayton Consultants (now part of risk management firm, Triple Canopy).
Just like Clayton Consultants, the team advising a ransomware victim company, whether a hospital or global corporate conglomerate, must employ a thoughtful, careful and methodical protocol to survive the ransomware crisis. Like any hostage situation, when a cyber-attacker locks up critical data files, the logistics and legalities of ransomware refusal, acquiescence or capitulation can be both elaborate and complicated.
To make matters worse, seeking law enforcement help for a ransomware attack unfortunately remains a very limited option. First, law enforcement has become inundated with ransomware reports and lacks the resources and wherewithal to assist victims. Second, most of the ransomware attackers are overseas, where merely obtaining an electronic evidence or interviewing a witness, let alone successful extradition and prosecution, are rarely possible. Finally, ransomware demands are often at monetary levels in the hundreds or thousands of dollars – too small to warrant federal law enforcement consideration while clearly outside of the jurisdiction of local law enforcement.
Thus, it should come as no surprise that a significant number of ransomware victims opt to pay the ransom. When padlocked files are business-critical (e.g. an important intellectual property formula); when encryption cannot be defeated (no matter how good the code-breaker) or when time is of the essence (e.g. when patient data is needed for life-saving surgery), paying the ransom can become the proverbial best worst option. Moreover, the typically de minimus ransomware payment demands (on average, about $679) are more akin to a financial nuisance than a material fiscal line-item, so from a cost-benefit perspective, payment can make the most sense.
Under any circumstance, ransomware has quickly become a novel, multifaceted and emerging risk to all corporate enterprises, and like any other material risk, should be addressed and mitigated in a reasonable, lawful, robust and effective manner.
This article provides guidance on the legal issues, logistical considerations and financial implications when managing ransomware threats, including an exposition of the unique issues which can arise when seeking proof of life and opting to meet the monetary demands of ransomware attacker.
What is Ransomware?
Ransomware is a type of malicious software that infects a computer and restricts users’ access to certain data, systems and/or files until a ransom is paid. Ransomware can come in many forms and iterations and like any other virus or infection, ransomware can evolve and transmogrify to counter cyber-defenses and remediation. Although only a fraction of ransomware attacks are actually reported to federal authorities, the U.S. Department of Justice reports over 4,000 ransomware attacks occur daily.
A ransomware victim company’s files are rarely exfiltrated by a ransomware attacker, rather the attacker encrypts the files so a victim company cannot access them. Then the hacker offers to sell the encryption key to the victim, typically payable in an anonymizing online crypto-currency such as Bitcoin. The usual ransomware demand comes with a deadline — after which time, the ransomware attacker threatens that the key will be destroyed or will expire, rendering the kidnapped files forever inaccessible. In many cases the ransom note that hijacks the victim’s screen is accompanied by a digital clock ominously ticking down the minutes and seconds from 72 hours. When the timer expires, the ransom demand usually goes up or even doubles – or the data is permanently locked and henceforth unrecoverable.
Bitcoin and other convertible crypto-currencies have become the keystone to current ransomware schemes, rendering the transactions practically untraceable and well suited for criminal transactions. Unlike the sequence of events during to a common kidnapping scenario, where the exchange of money arguably places criminals in their most vulnerable position, virtual kidnapping of ransomware actually facilitates anonymity throughout the Bitcoin transaction process.
Ransomware Growth
According to a recent study by IBM, spam emails loaded with ransomware increased 6,000 percent in 2016 compared with 2015, comprising almost 40 percent of all spam messages in 2016. Another report, from cybersecurity firm Symantec, cited 460,000 ransomware attempts in 2016, up 36% from 2015, with the average payment demand ballooning from $294 to $1,077, a 266% increase. Ransomware attacks have grown almost exponentially for several reasons:
The ransomware business model works, with the FBI stating that ransomware is on pace to become a one billion dollar source of income for cybercriminals in 2017;
Ransomware start-up costs are cheap. Ransomware software is readily and easily available – and is extraordinarily inexpensive. Ransomware is available for rent; for purchase or even in kits for building. Indeed, 60 percent of the Internet’s top sites sell ransomware; and
Ransomware schemes are typically successful. One recent study found that 70 percent of business victims paid the hackers to get their data back. Of those who paid, 50 percent paid more than $10,000 and 20 percent paid more than $40,000.
Ransomware attacks target the most vulnerable part of a company’s computer networks: people. The primary attack vector for ransomware is an employee who has clicked on a file or a linked he or she should not have clicked. That employee may be:
An accidental insider (e.g. an inattentive employee infiltrated due to inadvertent behaviors or broken business processes);
A compromised insider (e.g. a targeted employee via social engineering and infiltrated due to malware infections or stolen credentials); or
A malicious insider (e.g. a so-called bad leaver or criminal insider who infiltrate via corporate espionage and sabotage).
Ransomware is sometimes embedded in seemingly legitimate downloads such as software updates or resume files. Fake Adobe Flash updates are a notorious Trojan horse for delivering ransomware because Flash is such a ubiquitous add-on to most Internet browsers. Once inside a network, some ransomware can seed itself to additional computers or other devices via SMS messages or a user’s contact list.
What makes ransomware countermeasures challenging is the evolution of ransomware variants. There has been a tremendous increase in ransomware strains – reaching almost epidemic proportions. Indeed, new ransomware strains are now being created to tap into the mobile user base, which can impact both personal and business information, already dramatically expanding the ransomware threat landscape, diversifying and expanding their platforms, capabilities and techniques in order to accrue more targets.
Per recent reports, in the third quarter of 2011, about 60,000 new variants of ransomware were detected. That number doubled to over 200,000 in 2012; quadrupling to over 700,000 variants from 2014, to the first quarter of 2015. In the first quarter of 2016, security firm Kaspersky Lab revealed 2,900 new “modifications” of existing ransomware, a 14% increase from the last quarter, and a 30% increase from the previous quarter.
As the Internet of Things begins to establish a foothold in daily life, ransomware growth seems poised to become more severe and more widespread. Market forecaster Gartner expects 6.4 billion connected devices will surround us in the home and workplace this year, a $30 billion market by the year 2020. This growing network of Internet-connected household devices, from Samsung refrigerators to Nest thermostats, will undoubtedly render individuals and corporations increasingly vulnerable to ransomware attacks.
Recent Ransomware Attacks
While ransomware has beleaguered victim companies for much of the last decade, a recent global spate of ransomware attacks has prompted intense media coverage and worldwide apprehension and concern.
For instance, in April 2017, a ransomware group known as Shadow Brokers coopted a ransomware exploit (nicknamed Eternal Blue) from the U.S. National Security Agency, and took advantage of a Windows vulnerability, targeting a wave of hospitals. The ransomware extortion demands impacted more than just corporate operations and secrets; suddenly, a cyber-attack impacted the lives of sick hospital patients, prompting an almost international hysteria.
The vulnerability, patchable for new Microsoft systems but not necessarily for older systems upon which many hospitals were running, was dubbed “WannaCry” or “WannaCrypt” ransomware, and according to Europol, claimed over 200,000 victims in over 150 countries.
Similarly, in late June 2017, another strain of ransomware hit at least six countries, including and primarily Ukraine, where it was blamed for a large and coordinated attack on key parts of the nation’s infrastructure, from government agencies and electric grids to stores and banks. According to Microsoft, this outbreak, referred to as NotPetya – aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya and Diskcoder.C – resulted in “a less widespread attack” than WannaCry, aka WannaCrypt.
As a result of NotPetya ransomware, A.T.M.’s in the Ukraine apparently stopped working; workers were forced to manually monitor radiation at the old Chernobyl nuclear plant when their computers failed; and data security personnel at companies around the world — from Maersk, the Danish shipping conglomerate, to Merck, the drug giant in the United States — were reportedly scrambling to respond. Even an Australian factory for the chocolate giant Cadbury was affected.
Though more sophisticated than WannaCry and employing the same Eternal Blue server message block exploit, NotPetya’s global impact was reportedly blunted by its own limited attack capabilities (e.g. by a default setting, the infected system reboots after 60 minutes, and the malware does not persist after the reboot). “This means that the threat can only do lateral movement and exploitation of other machines during this limited time,” Microsoft says. “This reduced the reach of the attack.”
Law Enforcement and Ransomware: The Official View
The official line from federal law enforcement with respect to Ransomware is: Report the Incident and Don’t Pay. Specifically, the FBI warns:
“The FBI doesn’t support paying a ransom in response to a ransomware attack . . . Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. [B]y paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
The FBI also warns that paying ransomware does not guarantee that a victim company will obtain from the attacker a working key to rescue their data. The FBI is aware of cases where either the attackers fail to hand over the correct decryption key or are unwilling to comply with the original ransomware demands after payment is received. According to Trend Micro research, nearly 33 percent of firms that pay the ransom when attacked by ransomware fail to get their data back. The FBI also urges ransomware victims to report ransomware attacks immediately and seek help from the FBI in handling the situation.
Along similar lines, during an emergency meeting to address the WannaCry ransomware attacks, Tom Bossert, Homeland Security Advisor to President Donald Trump, discussed the perils of ransomware payment, and warned that victims could still lose access to files even after making a payment:
“Well, the U.S. government doesn’t make a recommendation on paying ransom, but I would provide a strong caution. You’re dealing with people who are obviously not scrupulous, so making a payment does not mean you are going to get your data back.”
Law Enforcement and Ransomware: The Unofficial View
In some public settings, the FBI has warned that, without paying a ransom, victim companies may not be able to unlock their kidnapped data from ransomware attackers who use Cryptolocker, Cryptowall and other potent malware strains.
“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office. “To be honest, we often advise people to just pay the ransom . . . The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom.”
Indeed, the Ponemon Institute reported in a 2016 study that 48% of businesses victimized by ransomware paid the ransom (average ransomware payment being $2,500), while a similar IBM Security study found that 70 percent of business victims paid the ransom during that same period.
Even some law enforcement officials themselves have decided to cut their losses by paying off the purveyors of ransomware. For instance, in the Massachusetts townships of Tewksbury and Swansea, ransomware attackers made off with $500 and $750 bounties, respectively. Elsewhere, police departments in the Chicago suburbs of Midlothian and Dickson County, Tenn., also paid ransom amounts to ransomware attackers. That even law enforcement officials have opted to cut their losses by succumbing to, and paying off, ransomware attackers demonstrates how oddly commonplace ransomware payments have become.
Counsel as Quarterback for Ransomware Response
Ransomware is a crime, has significant regulatory implications and can involve important legal responsibilities and liabilities. At a minimum, ransomware schemes run afoul of the federal computer crime statute, 18 U.S.C. § 1030, and particularly subsection (a)(7), which forbids hacking intended to extort something of value from the victim.
Above all else, the legal ramifications of any ransomware incident or failure can be calamitous for any public or private company. Even the most traditional realms of IT dominion such as exfiltration analysis, malware reverse engineering, digital forensics, logging review and most technological remediation measures are rife with legal and compliance issues and a myriad of potential conflicts.
For instance, after a cybersecurity incident such as a ransomware attack, law enforcement, regulators, vendors, partners, insurers, customers and others may:
Request forensic images of impacted systems;
Demand copies of indicators of compromise;
Mandate that their own auditors or examiners visit sites of infiltration and conduct their own audit and investigation;
Want to participate in remediation planning;
Seek interviews and interactions with IT personnel;
Require briefings from a victim company’s forensic experts and data security engineers; or
Ask to attach a recording appliance to a victim company’s network in hope of capturing traces of attacker activity, should an attacker return.
These requests raise a host of legal issues, including how exactly to respond to each request and whether any response would violate the privacy of customers; be at odds with commercial agreements; result in a waiver of the attorney-client or work product privileges; or have any other legal/compliance consequences.
Because so many incident response issues are critical to the very survival of a company, who else but the GC can oversee and direct investigative workflow, commanding the investigation and remediation for the C-suite, sharing with senior management the ultimate responsibility for key decisions, while having the responsibility and duty of reporting to the company’s board.
Ransomware and the Attorney-Client Privilege
Attorney involvement, awareness, leadership, and direction are not the only essentials for managing the quagmire of legal issues arising during a ransomware response. GC involvement also triggers the protections afforded by the attorney-client and work product privileges, a critical component in the response to data security incidents.
The involvement and direction of counsel in the context of any investigation will presumably apply to the work product produced not only directly by the legal team members but also by the outside advisors, including the digital forensic investigators engaged by internal or outside counsel.
This is standard practice in the context of any other type of investigation – a cyber incident is no different. There is nothing nefarious or extraordinary about this approach, it is a time-honored and tested standard operating procedure. The involvement of counsel establishes a single point of coordination and a designated information collection point.
Counsel as quarterback of ransomware response also enhances visibility into the facts, improves the ability to pursue appropriate leads and, most importantly, ensures the accuracy and completeness of information before it is communicated to external audiences. Otherwise, incomplete and/or inaccurate information could be released, only to have to later be corrected or even retracted.
Ransomware Notification Requirements
Although typically involving locking up data (rather than accessing, targeting or exfiltrating data), a ransomware attack could still be deemed the type of data security incident which triggers a legal notification requirement, including notice to:
State regulators (per state privacy statutes, rules and regulations);
Shareholders (per SEC disclosure obligations);
Vendors, partners and other entities (Many companies now incorporate rigorous cybersecurity notification requirements into their contracts, which can trigger when a victim company experiences a ransomware attack.);
Insurance carriers (especially if a victim company plans to make an insurance claim, relating to the ransomware attack);
Customers (when the data of a customer, such as a hospital patient, is impacted by a ransomware attack, a victim company may have very specific legal obligations to notify that customer); and
Any other constituency who may have a vested interest in a victim-company.
With respect to state regulatory notifications there is some grey area worthy of mention. In the United States, 52 jurisdictions (including 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands) have enacted some version of a data breach notification law. Under these laws, notification may be required for any customer whose personally identifiable information (PII) was acquired or accessed, or reasonably likely to have been acquired or accessed. While most states require some form of notice to their residents of a data breach, depending on applicable legal standards, some states also require notification to public agencies, such as the state attorney general.
The threshold issue is a technological one – probably best determined by a digital forensics expert and couched in legal terms. For instance, if the data is encrypted or otherwise “locked” through an automated process, companies could argue that the data was never accessed by an unauthorized party, which is the standard that typically triggers state breach notification laws.
On the other hand, though the mere encryption of data may not trigger the notification rules, the viewing, copying, relocating and altering of information can. Digital forensics and malware reverse engineering can provide some clue with respect to the impact of a ransomware attack and help assess some of the lesser state thresholds (such as in states like Connecticut, Florida, Kansas, Louisiana and New Jersey) where the definition of a breach also includes accessing of protected health information.
With respect to some of the more onerous and specific federal notification rules, such as under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), digital forensics analysis can also provide critical information relating to disclosure requirements. For instance, HHS rules generally state that hospitals need only report attacks that result in the exposure of private medical or financial information, such as malware that steals data. Whether ransomware’s data encryption crosses that legal threshold can be challenging to determine, which is why ransomware attacks and other data security incidents at health care organizations often go unreported.
In addition, under the new EU General Data Protection Regulation, effective May 25, 2018, there is a requirement to notify the supervisory authorities without undue delay (no later than 72 hours) after becoming aware of a data breach, unless it is unlikely to cause a risk to the affected individuals. The fines for violating this regulation are significant—up to 4% of global annual turnover or €20 million (whichever is the higher), so any late notification will need to be justified.
Ransomware Investigative Tactics
While determining the bona fides of a ransomware strain is always challenging, an experienced digital forensic examiner can find some answers by searching for some of the more typical cyber-indicators. Ransomware malware is characteristically a type of tool, which is not only known to most professionals, but may even be readily available for purchase online. If the name and modus operandi of the ransomware is new or otherwise unknown, rather than a victim firm being “patient zero,” the ransomware may turn out to be bogus.
Digital forensic experts can also research the Bitcoin payment address; the malware message; any relevant phishing emails; and any other of the ransomware’s characteristics in data security research forums and internal archives, to analyze recent commentary about the ransomware and test its efficacy and validity.
There are also a range of digital forensics tests to initiate upon an infected file to assess a ransomware strain’s actual efficacy. For instance, one simple test is to return the file name to its original form. Real ransomware changes the file extension of encrypted files. The Ransomware files may not be encrypted but just renamed to provide the illusion of encryption to cajole a ransom payment. A digital forensics expert can also investigate the severity of the attack; reverse-engineer the malware that has taken control of victim data; and attempt a full-fledged data recovery.
Ransomware Payment
In cases where a particular ransomware attack cannot be fully mitigated, an experienced digital forensics firm can broker and validate a solution that minimizes the cost of recovery and prevents further extortion from the attacker.
Paying off the ransomware attackers typically entails: 1) sending the secret ransomware key file now stored on the victim’s computer; 2) uploading that file (or data string) to the attackers together with a Bitcoin payment; and 3) awaiting a decryption key or a tool a victim can use to undo the encryption on the victim company files. This is a complex and challenging process.
First off, a digital forensics firm can help a ransomware victim navigate the maze of setting up an account to handle Bitcoin, getting it funded, and figuring out how to pay other people with it. A digital forensics examiner may even be able to construct a payment scheme where rendering ransomware payments is conditional. By using cryptocurrency features to ensure that ransomware attackers cannot receive their payment unless they deliver a key, there can exist some added level of security and reliability upon the transaction. One ransomware response expert, notes:
“ . . A ransomware developer could easily perform payment via a smart contract script (in a system like Ethereum) that guarantees the following property. This payment will be delivered to the ransomware operator if and only if the ransomware author unlocks it — by posting the ransomware decryption key to the same blockchain.”
Ransomware attackers may portray the entire ransomware payment process as more akin to an ordinary business transaction than an international extortion scheme. In fact, some recent ransomware attackers purportedly even offer a victim company a discount if the victim company transmits the infection to other companies, just like referral programs of Uber or Lyft.
However, while a ransomware payment process may seem straightforward and rudimentary, the reality is far more complicated and rife with challenges. No ransomware payment process can guarantee that the ransomware attacker will provide a decryption key. The ransomware scheme may be nothing more than a social engineering ruse, more like an old fashioned Nigerian Internet scam than a malware infection – and the payment could end up being all for naught.
Indeed, ransomware attackers may no longer have the encryption key or may just opt to take a ransom payment, infect a company’s system, and flee the crime scene entirely. Not only is the system of paying in untraceable Bitcoin risky, but the transaction in its entirety is so risky, it hardly seems palatable. Nonetheless, the number of victim companies that pay ransomware demands continues to grow at an alarming rate.
The Legalities of Ransomware Payment
Though the FBI has hinted at the possible illegality of paying a ransomware demand, the FBI has never specifically stated that the payer could actually be charged with a crime. It would seem rather obvious that with respect to any criminal statute, actions taken under duress do not ordinarily constitute a crime. Moreover, the ransomware attacker possesses the criminal intent, not the victim who agrees to pay. However, there is little specific legal authority on the subject of payment and negotiation with ransomware attackers, so the legalities of payment are worthy of some analysis.
In general, legal commentary and case law regarding ransom payments is limited. However, in a germane 2011 British case, Masefield AG v Amlin Corporate Member Ltd (The Bunga Melati Dua), relating to maritime piracy and ransom demands for safe return of the vessel and crew, the court faced a somewhat analogous scenario. Specifically, the British Court of Appeal held that there was no general public policy argument against paying ransoms, stating that:
“…there is no universal morality against the payment of ransom, the act not of the aggressor but of the victim of piratical threats, performed in order to save property and the liberty or life of hostages. There is no evidence before the court of such payments being illegal anywhere in the world. This is despite the realization that the payment of ransom, whatever it might achieve in terms of the rescue of hostages and property, itself encourages the incidence of piracy for the purposes of exacting more ransoms. (Perhaps it should be said that the pirates are not classified as terrorists. It may be that the position with regard to terrorists is different).”
Though addressing hostage ransoms, and not ransomware, former President Barak Obama provided a similar message in his Statement by the President on the U.S. Government’s Hostage Policy Review (June 24, 2015):
“I firmly believe that the United States government paying ransom to terrorists’ risks endangering more Americans and funding the very terrorism that we’re trying to stop. And so I firmly believe that our policy ultimately puts fewer Americans at risk. At the same time, we are clarifying that our policy does not prevent communication with hostage-takers — by our government, the families of hostages, or third parties who help these families . . . In particular, I want to point out that no family of an American hostage has ever been prosecuted for paying a ransom for the return of their loved ones. The last thing that we should ever do is to add to a family’s pain with threats like that.”
Ransomware and the FCPA
The Foreign Corrupt Practices Act of 1977 (FCPA) prohibits payments to foreign government officials to assist in obtaining or retaining business or directing business to any person. Laws such as the FCPA reflect an alternative approach to deterring bribes, by penalizing those on the payment side of the transaction.
Specifically, the FCPA prohibits giving something of value for the purpose of: “(i) influencing any act or decision of [a] foreign official in his official capacity, (ii) inducing such foreign official to do or omit any act in violation of the lawful duty of such official, or (iii) securing any improper advantage … to obtain or retain business for or with … any person.” The law provides an affirmative defense for payments that are “lawful under the written laws and regulations” of the country.
Given the FCPA threshold requirement that a payment must be made to assist in obtaining or retaining business for the individual or company or directing that business to another person, a ransomware scenario does not appear to trigger the FCPA.
However, FCPA’s enforcement can provide a useful analogy when considering the legalities of paying a ransomware demand. U.S. companies often face extortionate demands from foreign police, bureaucrats, and regulators, who threaten to hold, expel, or even harm employees if ransoms are not paid. And there have always been questions whether those involuntary payments can violate the FCPA. The DOJ-SEC Guidance on FCPA addresses this issue, stating:
“Does the FCPA Apply to Cases of Extortion or Duress? Situations involving extortion or duress will not give rise to FCPA liability because a payment made in response to true extortionate demands under imminent threat of physical harm cannot be said to have been made with corrupt intent or for the purpose of obtaining or retaining business.”
This notion, that under FCPA an individual is not guilty of a criminal offense when forced to do so by duress or extortion, is confirmed in United States v. Kozeny, 582 F.Supp.2d 535, 540 (S.D.N.Y. 2008). Specifically, in the Kozeny decision, the United States District Court for the Southern District of New York ruled that extortion or duress under the threat of imminent physical harm would excuses the conduct (essentially negating a corrupt intent), stating:
“ . . . while the FCPA would apply to a situation in which a “payment [is] demanded on the part of a government official as a price for gaining entry into a market or to obtain a contract,” it would not apply to one in which payment is made to an official “to keep an oil rig from being dynamited,” an example of “true extortion.” The reason is that in the former situation, the bribe payer cannot argue that he lacked the intent to bribe the official because he made the “conscious decision” to pay the official. In other words, in the first example, the payer could have turned his back and walked away—in the latter example, he could not.”
Whether the “economic duress” of a typical ransomware attack would rise to the level of “true extortion” as described in the Kozeny decision remains untested, and might be viewed as insufficient to excuse conduct from sanctions under the FCPA.
The FCPA could also potentially apply in ransomware scenarios where the cyber-criminal has a known connection to a foreign government. While the concealed identity of cyber-criminals involved in ransomware attacks likely prevents a payer from knowing that a payment violates the FCPA, the issue could still arise when a digital forensic expert identifies a ransomware attacker’s modus operandi to be that of a state sponsored organization (e.g. from Russia, North Korea or Iran).
Foreign Sanctions and Ransomware
Like the FCPA, international sanctions regimes are also designed to prevent payments to certain designated payees, institutions, and countries who are enemies of the U.S, such as terrorists and terrorist organizations. In the United States, the Treasury’s Office of Foreign Asset Controls (OFAC) supervises these programs, such as the Trading with the Enemy Act and the International Emergency Economic Powers Act (IEEPA).
Under these Acts, ransom payments (whether directly or indirectly through an intermediary) to Foreign Terrorist Organizations (FTOs) or Specially Designated Global Terrorists (SDGTs) identified by OFAC, are illegal under U.S. law. Monetary contributions to FTOs are considered material support under 18 U.S.C. 2339B, while transfers to SDGTs are violations of economic sanctions imposed pursuant to the IEEPA.
For example, in a February 2017 cyber-attack against the British National Health System, the attackers appeared to be ISIS and in particular, the Tunisian Falange Team, which posted graphics and pictures decrying at the war in Syria. Whether a similar attack against a U.S. hospital, with a similar evidentiary trail indicating terrorist attribution, would trigger the limitations imposed OFAC is unclear and untested. However, any digital forensic findings of a ransomware attack indicating terrorist attribution or involvement is certainly worthy of consideration when contemplating a ransomware payment.
Ransomware and Conspiracy
Whether a payer of a ransomware demand can be held to have entered into a conspiracy with the ransomware attacker seems unlikely and contrary to the public interest. A conspiracy is an agreement with another that a criminal course of conduct is to be pursued. Ransomware payments do not appear to be the kind of agreements contemplated by conspiracy statutes, but instead are forced arrangements dictated by a ransomware attacker.
However, other profiting and culpable participants in the Bitcoin payment scheme to pay a ransomware attacker might find themselves facing criminal penalties. Anthony Murgio, who recently pled guilty to operating as a money transmitter without a license in 2015, was also charged with violating Title 18 U.S.C., Section 1030(a)(7) and sentenced to 5 ½ years in prison. Federal prosecutors alleged that Murgio and his co-conspirators benefitted from transactions providing victims with Bitcoin to pay off ransomware demands. The Murgio indictment states:
“As part of the unlawful Coin.mx scheme, Anthony P. Murgio, the defendant, and his co-conspirators knowingly processed and profited from numerous Bitcoin transactions conducted on behalf of victims of ransomware schemes…By knowingly permitting ransomware victims to exchange currency for Bitcoins through Coin.mx, Murgio and his co-conspirators facilitated the transfer of ransom proceeds to the malware operators while generating revenue for Coin.mx.”
Unlike a ransomware payer, Murgio was a part of the payment process and clearly facilitated the ransomware transactions with unclean hands – possessing the kind of felonious intent required for money laundering criminal liability. Crypto-currency sellers or exchange operators may be caught up in legal trouble if: they have avoided or neglected reporting requirements or have not registered as a money transmission business (like Murgio), or, if they were criminally complicit with the ransomware attackers.
The distinction seems clear: if a Bitcoin seller actively aided and abetted a ransomware attacker, knowingly profiting from the scheme, the Bitcoin seller could be criminally liable. However, if a digital forensics firm made Bitcoin available to a client and provided technical advice as to how to pay in Bitcoin, then, like Thomas Clayton in Proof of Life, criminal liability seems wholly inappropriate.
Ransomware: To Pay or Not To Pay
For now, it seems that paying ransomware, while obviously risky and empowering/encouraging ransomware attackers, does not appear to break any laws – and even if payment is arguably unlawful, seems unlikely to be prosecuted. Thus, the decision whether to pay or ignore a ransomware demand, seems less of a legal, and more of a practical, determination — almost like a cost-benefit analysis.
The arguments for rendering a ransomware payment include:
Payment is the least costly option;
Payment is in the best interest of stakeholders (e.g. a hospital patient in desperate need of an immediate operation whose records are locked up);
Payment can avoid being fined for losing important data;
Payment means not losing highly confidential information; and
Payment may mean not going public with the data breach.
The arguments against rendering a ransomware payment include:
Payment does not guarantee that the right encryption keys with the proper decryption algorithms will be provided;
Payment further funds additional criminal pursuits of the attacker, enabling a cycle of ransomware crime;
Payment can do damage to a corporate brand;
Payment may not stop the ransomware attacker from returning;
If victims stopped making ransomware payments, the ransomware revenue stream would stop and ransomware attackers would have to move on to perpetrating another scheme; and
Using Bitcoin to pay a ransomware attacker can put organizations at risk. Most victims must buy Bitcoin on entirely unregulated and free-wheeling exchanges that can also be hacked, leaving buyers’ bank account information stored on these exchanges vulnerable.
Ransomware Remediation
There are a slew of basic steps companies should take as preemptive measures to avoid falling prey to ransomware, including backing up systems and employing the latest cybersecurity measures. Other measures include:
Updating operating systems, software patching, antivirus programs and firewalls;
Taking steps to detect and block ransomware through firewalls and intrusion detection monitoring, including setting alerts for anomalous behavior;
Revisiting backup protocols to ensure that a crypto-attack is classified as a potential disaster with appropriate contingency plans;
Enabling popup blockers;
Employing IT professionals or consultants familiar with ransomware, who stays current with evolving iterations and variants; and
Implementing a strong password policy requiring all users to regularly change passwords and require more complex passwords, i.e. mixture of lower and uppercase letters, numbers, and symbols;
Reviewing and auditing all network permissions in your network while updating and deactivating all user accounts regularly, including departing employees;
Rigorous employee education and outreach;
Securing long and short-term backups, stored in a manner detached from a company’s network;
Intense screening of partners and vendors to ensure strong security procedures from associated third parties;
Thoughtfully and securely segmenting sensitive user and corporate data within a corporate network; and
Changing network and Wi-Fi passwords regularly.
Along the same lines, the FBI urges organizations to be vigilant keeping browsers, operating systems and third-party application patch levels up to date, and that antivirus protection is also current. The FBI also suggests companies back up often, lock down access granted to individuals and manage configuration of file systems, directories and network shares appropriately.
By setting snares and “honeypots” for would-be ransomware attackers, companies can go so far as to employ drastic and direct preemptive measures. For example, Deception Technology sets its trademarked HackTraps to misdirect ransomware attackers and prevent them from going deeper into a corporate network and reaching their intended target. These traps can be as simple as a document with a deceiving title that was created exclusively to lure in the cybercriminals.
A digital forensic expert can also help a victim company develop and implement a containment plan to isolate any additional infections and provide strategic recommendations to prevent further ransomware attacks and otherwise mitigate their impact.
It may be hard to believe, but when handled correctly, a customer data compromise or data security incident like a ransomware attack can actually become the kind of successful failure that not only prompts remediation that strengthens technological infrastructure, but also reinforces a firm’s commitment and focus upon its customers, partners and other fiduciaries.
Ransomware and Business Continuity Plans
The critical importance of a business continuity plan in the event of a natural disaster is widely recognized and accepted. Yet, too often, such plans are not evaluated in the context of assessing cybersecurity risks such as ransomware.
Even when an organization’s IT cybersecurity response fully aligns to IT best practices, there are benefits in utilizing or integrating IT’s response into the existing business continuity structure, rather than having two separate response models. Speed and agility are key enablers in ransomware response, and business continuity enables nimble, rapid response limiting financial and reputational impact on the enterprise.
A powerful business continuity plan, which is properly integrated with an incident response plan, contemplates the threat of ransomware and plans for data recovery, such as with specialized back-up data systems that are routinely tested and updated as necessary.
Ransomware and Cyber Insurance
Like any other corporate risk, companies are beginning to realize that the financial, operational and even reputational risks of a ransomware attack can be addressed via a comprehensive and targeted cyber insurance policy. Over 60 insurance companies now offer cyber insurance, many containing specific provisions addressing ransomware. In 2015, ransomware accounted for just over 10% of cyber insurance claims, but in 2016 that figure grew to 25%.
Currently, most cyber insurance policies are modular, which means an organization chooses from a menu of coverage options, such as business interruption, third party liability for privacy breaches and first party coverage for an organization’s own costs to detect, stop, investigate and remediate a network security incident.
Ransomware typically falls under “first party” liabilities as cyber extortion and network interruption. When making a cyber insurance claim for ransomware, a victim company should be prepared to demonstrate that: the ransom has been surrendered under duress; the incident is not a hoax; there was c-suite participation in the ransomware payment decision; the insurance company approved of the ransomware payment plan; and the ransomware attack was reported to law enforcement.
Making an insurance reimbursement claim for a Bitcoin payment is also tricky, even with respect to valuation and execution. Challenges include proving to an insurance company: that a Bitcoin payment was made; that a Bitcoin payment was for a particular amount of U.S. dollars; and that a Bitcoin transaction was documented in an acceptable and verifiable manner.
Thus, a ransomware victim company may have to engage a professional intermediary to pay the attackers, and then seek reimbursement for the fees paid to the digital intermediary. Otherwise, an insurer might have no way to audit a process involving Bitcoin and therefore refuse to recompense Bitcoin payments. Cyber insurance might also not cover the full amount of the ransomware or may have in place a high deductible amount (for large organizations the deductible could be $500,000 or as high as $5 million).
Without a specific ransomware cyber insurance policy, a victim company would have to look to the breadth of their professional liability and other insurance policies, which can give rise to ambiguities and disputes. For example, the presence of any sort of terrorism exclusion can become problematic. For instance, insurance policies may have “acts of foreign enemies” or “government acts” exclusions that can limit reimbursement if the ransomware was distributed by cyber-attackers tied to a foreign government;
In addition, whether a ransomware victim company must show “physical damage” can also become an issue. In the typical ransomware scenario, a victim company’s data is not actually damaged but is rather, “locked.” An insurance company may argue that like other cyber-attacks, where a victim’s data was accessed, but not otherwise disturbed, altered or exfiltrated, then the victim has no insurance claim; and
Some companies who do not have cyber insurance, may turn to their kidnap insurance for coverage relating to ransomware attacks. Kidnap policies, known as K&R coverage, are typically used by multinational companies looking to protect their staff in areas of danger, such as where violence related to oil and mining operations is common (like parts of Africa and Latin America).
K&R policies, which typically do not have deductibles, can cover the ransom payments as well as crisis response services, including getting in touch with criminal and regulatory authorities. Whether K&R coverage, which was not designed for ransomware, will cover ransomware costs and expenses will always be a matter of the specific policies involved.
To get the most out of cyber coverage for ransomware attacks, companies should work closely with their brokers, their insurers, their outside counsel and their own internal experts and executives to fully understand their particular ransomware risks. For now, the most effective cyber insurance policies are bespoke, and given the rapidly evolving nature of cyber-attacks, will continue to require custom-tailored fitting for quite some time.
Just like other kinds of insurance, ransomware coverage by itself will rarely be enough to make a company whole after a cyber-attack, but it can provide critical financial resources. Moreover, when coupled with a thoughtful and diligent incident response, a sound ransomware insurance policy can send a powerful message of strong business acumen; fierce customer dedication; and steadfast corporate governance, demonstrating profound expertise to the marketplace, shareholders, regulators and the many other interested corporate stakeholders.
Final Thoughts
When confronted with a ransomware attack, the options all seem bleak. Pay the hackers – and the victim may not only prompt future attacks, but there is also no guarantee that the hackers will restore a victim’s dataset. Ignore the hackers – and the victim may incur significant financial damage or even find themselves out of business. The only guarantees during a ransomware attack are the fear, uncertainty and dread inevitably experienced by the victim.
Even under the best-case scenario, where a victim has maintained archives and can keep their business alive, the victim companies will incur significant remedial costs, business disruptions and exhaustive management drag. Moreover, having a back-up storage solution in place is not always ideal; not only can outside storage of data create additional cybersecurity risks, but sometimes data archives are more like the proverbial roach motel, where data checks in but it can’t check out.
No doubt that the ease, anonymity and speed of crypto-currency payments such as Bitcoin, has revolutionized the ransomware industry, prompting its extraordinary growth. Bitcoin not only makes it simpler to remain anonymous, but also enables a nameless payment mechanism where the extorted funds can be immediately transferred into criminal hands.
Transactions in crypto-currencies like Bitcoin lack a discernable audit trail and operate outside of regulated financial networks and are alarmingly unregulated. There is no central issuer of Bitcoins, nor a Federal Reserve of Bitcoins monitoring and tracking transactions or controlling their value. In short, government surveillance and regulation of cryptocurrency is virtually nonexistent (no pun intended) and so long as crypto-currency payment schemes exist, ransomware attacks and iterations will likely continue to thrive.
Though too early to tell, there may emerge some form of Bitcoin regulation via Executive Order No. 13,694 (April, 2015), which expands sanctions to include “blocking” the property of persons engaging in “Significant Malicious Cyber-Enabled Activities.” The order declares a “national emergency” to deal with cyber-enabled threats and extends to the assets of those who “have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any [malicious cyber-enabled activities].”
Given that ransomware Bitcoin payments are made to cyber criminals, per Executive Order 13,694, the U.S. Secretary of the Treasury, the U.S. Attorney General and/or the U.S. Secretary of State could freeze or “block” assets of any participant in the Bitcoin financial chain. Such dramatic government intervention could discourage the purveyors of ransomware attacks, who depend upon Bitcoin for receiving payments.
The government could also take additional steps to combat ransomware such as:
Providing financial incentives for private investment in ransomware prevention and remediation technologies;
Speaking more boldly discouraging ransomware payments that monetize crime, perhaps via the Financial Crimes Enforcement Network (FinCen) or via a task force of state and federal law enforcement agencies; or
Creating new legal penalties for ransomware payments in a manner similar to the FCPA, rendering the option of paying ransom costlier, thus nudging firms toward choosing greater security.
But these government measures are theoretical and even if implemented, might still not sojourn the dramatic growth of ransomware. The reality is that when it comes to ransomware attacks, the government seems idle and relatively powerless, which means ransomware victims are unfortunately on their own. So what should companies do to manage the increasing risk of the current ransomware crime wave?
As would probably be preached by Thomas Clayton (or Russell Crowe), companies struggling with ransomware threats should apply the same lessons to ransomware protection that Clayton uses for employee protection: Be prepared (e.g. deploy back-ups and the like); Be thoughtful (e.g. use professionals to implement preemptive measures and help handle the response); and Be vigilant (e.g. never underestimate the impact of ransomware and never take the threat lightly).
John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of, “The Cybersecurity Due Diligence Handbook,” available as an eBook on Amazon, iBooks and other booksellers.
The post Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance appeared first on The D&O Diary.
Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance published first on http://ift.tt/2kTPCwo
0 notes
Text
Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance
John Stark Reed
Readers undoubtedly are aware of the recent outbreak of ransomware incidents and the problems they present. The threat of ransomware attacks poses a host of issues, among the most significant of which is whether or not ransomware victims should go ahead and make the demanded ransomware payment as the quickest way to try to recover captured systems. In the following blog post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a comprehensive look that problems involved with making payments in response to a ransomware attack. A version of this article originally appeared on CybersecurityDocket.
I would like to thank John for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit an article. Here is John’s guest post.
****************************
In the 2000 American thriller film Proof of Life, the title refers to a phrase commonly used to indicate proof that a kidnap victim is still alive. As an expert negotiator in kidnapping cases, Terry Thorne, played by Russell Crowe, is engaged to bargain for a corporate kidnap victim’s safe return.
The film Proof of Life is not just a compelling narrative – its premise and main character also provide some useful insights into managing the emerging threat of ransomware. Ransomware, a special and more nascent type of malware, prevents or limits users from accessing their data, by locking system screens or user files, unless and until a ransom is paid.
Proof of Life’s screenplay was partly inspired by Thomas Hargrove’s book The Long March to Freedom, which recounts how the release of the once-kidnapped Hargrove was negotiated by Thomas Clayton, the founder of his eponymous kidnap-for-ransom consultancy Clayton Consultants (now part of risk management firm, Triple Canopy).
Just like Clayton Consultants, the team advising a ransomware victim company, whether a hospital or global corporate conglomerate, must employ a thoughtful, careful and methodical protocol to survive the ransomware crisis. Like any hostage situation, when a cyber-attacker locks up critical data files, the logistics and legalities of ransomware refusal, acquiescence or capitulation can be both elaborate and complicated.
To make matters worse, seeking law enforcement help for a ransomware attack unfortunately remains a very limited option. First, law enforcement has become inundated with ransomware reports and lacks the resources and wherewithal to assist victims. Second, most of the ransomware attackers are overseas, where merely obtaining an electronic evidence or interviewing a witness, let alone successful extradition and prosecution, are rarely possible. Finally, ransomware demands are often at monetary levels in the hundreds or thousands of dollars – too small to warrant federal law enforcement consideration while clearly outside of the jurisdiction of local law enforcement.
Thus, it should come as no surprise that a significant number of ransomware victims opt to pay the ransom. When padlocked files are business-critical (e.g. an important intellectual property formula); when encryption cannot be defeated (no matter how good the code-breaker) or when time is of the essence (e.g. when patient data is needed for life-saving surgery), paying the ransom can become the proverbial best worst option. Moreover, the typically de minimus ransomware payment demands (on average, about $679) are more akin to a financial nuisance than a material fiscal line-item, so from a cost-benefit perspective, payment can make the most sense.
Under any circumstance, ransomware has quickly become a novel, multifaceted and emerging risk to all corporate enterprises, and like any other material risk, should be addressed and mitigated in a reasonable, lawful, robust and effective manner.
This article provides guidance on the legal issues, logistical considerations and financial implications when managing ransomware threats, including an exposition of the unique issues which can arise when seeking proof of life and opting to meet the monetary demands of ransomware attacker.
What is Ransomware?
Ransomware is a type of malicious software that infects a computer and restricts users’ access to certain data, systems and/or files until a ransom is paid. Ransomware can come in many forms and iterations and like any other virus or infection, ransomware can evolve and transmogrify to counter cyber-defenses and remediation. Although only a fraction of ransomware attacks are actually reported to federal authorities, the U.S. Department of Justice reports over 4,000 ransomware attacks occur daily.
A ransomware victim company’s files are rarely exfiltrated by a ransomware attacker, rather the attacker encrypts the files so a victim company cannot access them. Then the hacker offers to sell the encryption key to the victim, typically payable in an anonymizing online crypto-currency such as Bitcoin. The usual ransomware demand comes with a deadline — after which time, the ransomware attacker threatens that the key will be destroyed or will expire, rendering the kidnapped files forever inaccessible. In many cases the ransom note that hijacks the victim’s screen is accompanied by a digital clock ominously ticking down the minutes and seconds from 72 hours. When the timer expires, the ransom demand usually goes up or even doubles – or the data is permanently locked and henceforth unrecoverable.
Bitcoin and other convertible crypto-currencies have become the keystone to current ransomware schemes, rendering the transactions practically untraceable and well suited for criminal transactions. Unlike the sequence of events during to a common kidnapping scenario, where the exchange of money arguably places criminals in their most vulnerable position, virtual kidnapping of ransomware actually facilitates anonymity throughout the Bitcoin transaction process.
Ransomware Growth
According to a recent study by IBM, spam emails loaded with ransomware increased 6,000 percent in 2016 compared with 2015, comprising almost 40 percent of all spam messages in 2016. Another report, from cybersecurity firm Symantec, cited 460,000 ransomware attempts in 2016, up 36% from 2015, with the average payment demand ballooning from $294 to $1,077, a 266% increase. Ransomware attacks have grown almost exponentially for several reasons:
The ransomware business model works, with the FBI stating that ransomware is on pace to become a one billion dollar source of income for cybercriminals in 2017;
Ransomware start-up costs are cheap. Ransomware software is readily and easily available – and is extraordinarily inexpensive. Ransomware is available for rent; for purchase or even in kits for building. Indeed, 60 percent of the Internet’s top sites sell ransomware; and
Ransomware schemes are typically successful. One recent study found that 70 percent of business victims paid the hackers to get their data back. Of those who paid, 50 percent paid more than $10,000 and 20 percent paid more than $40,000.
Ransomware attacks target the most vulnerable part of a company’s computer networks: people. The primary attack vector for ransomware is an employee who has clicked on a file or a linked he or she should not have clicked. That employee may be:
An accidental insider (e.g. an inattentive employee infiltrated due to inadvertent behaviors or broken business processes);
A compromised insider (e.g. a targeted employee via social engineering and infiltrated due to malware infections or stolen credentials); or
A malicious insider (e.g. a so-called bad leaver or criminal insider who infiltrate via corporate espionage and sabotage).
Ransomware is sometimes embedded in seemingly legitimate downloads such as software updates or resume files. Fake Adobe Flash updates are a notorious Trojan horse for delivering ransomware because Flash is such a ubiquitous add-on to most Internet browsers. Once inside a network, some ransomware can seed itself to additional computers or other devices via SMS messages or a user’s contact list.
What makes ransomware countermeasures challenging is the evolution of ransomware variants. There has been a tremendous increase in ransomware strains – reaching almost epidemic proportions. Indeed, new ransomware strains are now being created to tap into the mobile user base, which can impact both personal and business information, already dramatically expanding the ransomware threat landscape, diversifying and expanding their platforms, capabilities and techniques in order to accrue more targets.
Per recent reports, in the third quarter of 2011, about 60,000 new variants of ransomware were detected. That number doubled to over 200,000 in 2012; quadrupling to over 700,000 variants from 2014, to the first quarter of 2015. In the first quarter of 2016, security firm Kaspersky Lab revealed 2,900 new “modifications” of existing ransomware, a 14% increase from the last quarter, and a 30% increase from the previous quarter.
As the Internet of Things begins to establish a foothold in daily life, ransomware growth seems poised to become more severe and more widespread. Market forecaster Gartner expects 6.4 billion connected devices will surround us in the home and workplace this year, a $30 billion market by the year 2020. This growing network of Internet-connected household devices, from Samsung refrigerators to Nest thermostats, will undoubtedly render individuals and corporations increasingly vulnerable to ransomware attacks.
Recent Ransomware Attacks
While ransomware has beleaguered victim companies for much of the last decade, a recent global spate of ransomware attacks has prompted intense media coverage and worldwide apprehension and concern.
For instance, in April 2017, a ransomware group known as Shadow Brokers coopted a ransomware exploit (nicknamed Eternal Blue) from the U.S. National Security Agency, and took advantage of a Windows vulnerability, targeting a wave of hospitals. The ransomware extortion demands impacted more than just corporate operations and secrets; suddenly, a cyber-attack impacted the lives of sick hospital patients, prompting an almost international hysteria.
The vulnerability, patchable for new Microsoft systems but not necessarily for older systems upon which many hospitals were running, was dubbed “WannaCry” or “WannaCrypt” ransomware, and according to Europol, claimed over 200,000 victims in over 150 countries.
Similarly, in late June 2017, another strain of ransomware hit at least six countries, including and primarily Ukraine, where it was blamed for a large and coordinated attack on key parts of the nation’s infrastructure, from government agencies and electric grids to stores and banks. According to Microsoft, this outbreak, referred to as NotPetya – aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya and Diskcoder.C – resulted in “a less widespread attack” than WannaCry, aka WannaCrypt.
As a result of NotPetya ransomware, A.T.M.’s in the Ukraine apparently stopped working; workers were forced to manually monitor radiation at the old Chernobyl nuclear plant when their computers failed; and data security personnel at companies around the world — from Maersk, the Danish shipping conglomerate, to Merck, the drug giant in the United States — were reportedly scrambling to respond. Even an Australian factory for the chocolate giant Cadbury was affected.
Though more sophisticated than WannaCry and employing the same Eternal Blue server message block exploit, NotPetya’s global impact was reportedly blunted by its own limited attack capabilities (e.g. by a default setting, the infected system reboots after 60 minutes, and the malware does not persist after the reboot). “This means that the threat can only do lateral movement and exploitation of other machines during this limited time,” Microsoft says. “This reduced the reach of the attack.”
Law Enforcement and Ransomware: The Official View
The official line from federal law enforcement with respect to Ransomware is: Report the Incident and Don’t Pay. Specifically, the FBI warns:
“The FBI doesn’t support paying a ransom in response to a ransomware attack . . . Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. [B]y paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
The FBI also warns that paying ransomware does not guarantee that a victim company will obtain from the attacker a working key to rescue their data. The FBI is aware of cases where either the attackers fail to hand over the correct decryption key or are unwilling to comply with the original ransomware demands after payment is received. According to Trend Micro research, nearly 33 percent of firms that pay the ransom when attacked by ransomware fail to get their data back. The FBI also urges ransomware victims to report ransomware attacks immediately and seek help from the FBI in handling the situation.
Along similar lines, during an emergency meeting to address the WannaCry ransomware attacks, Tom Bossert, Homeland Security Advisor to President Donald Trump, discussed the perils of ransomware payment, and warned that victims could still lose access to files even after making a payment:
“Well, the U.S. government doesn’t make a recommendation on paying ransom, but I would provide a strong caution. You’re dealing with people who are obviously not scrupulous, so making a payment does not mean you are going to get your data back.”
Law Enforcement and Ransomware: The Unofficial View
In some public settings, the FBI has warned that, without paying a ransom, victim companies may not be able to unlock their kidnapped data from ransomware attackers who use Cryptolocker, Cryptowall and other potent malware strains.
“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office. “To be honest, we often advise people to just pay the ransom . . . The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom.”
Indeed, the Ponemon Institute reported in a 2016 study that 48% of businesses victimized by ransomware paid the ransom (average ransomware payment being $2,500), while a similar IBM Security study found that 70 percent of business victims paid the ransom during that same period.
Even some law enforcement officials themselves have decided to cut their losses by paying off the purveyors of ransomware. For instance, in the Massachusetts townships of Tewksbury and Swansea, ransomware attackers made off with $500 and $750 bounties, respectively. Elsewhere, police departments in the Chicago suburbs of Midlothian and Dickson County, Tenn., also paid ransom amounts to ransomware attackers. That even law enforcement officials have opted to cut their losses by succumbing to, and paying off, ransomware attackers demonstrates how oddly commonplace ransomware payments have become.
Counsel as Quarterback for Ransomware Response
Ransomware is a crime, has significant regulatory implications and can involve important legal responsibilities and liabilities. At a minimum, ransomware schemes run afoul of the federal computer crime statute, 18 U.S.C. § 1030, and particularly subsection (a)(7), which forbids hacking intended to extort something of value from the victim.
Above all else, the legal ramifications of any ransomware incident or failure can be calamitous for any public or private company. Even the most traditional realms of IT dominion such as exfiltration analysis, malware reverse engineering, digital forensics, logging review and most technological remediation measures are rife with legal and compliance issues and a myriad of potential conflicts.
For instance, after a cybersecurity incident such as a ransomware attack, law enforcement, regulators, vendors, partners, insurers, customers and others may:
Request forensic images of impacted systems;
Demand copies of indicators of compromise;
Mandate that their own auditors or examiners visit sites of infiltration and conduct their own audit and investigation;
Want to participate in remediation planning;
Seek interviews and interactions with IT personnel;
Require briefings from a victim company’s forensic experts and data security engineers; or
Ask to attach a recording appliance to a victim company’s network in hope of capturing traces of attacker activity, should an attacker return.
These requests raise a host of legal issues, including how exactly to respond to each request and whether any response would violate the privacy of customers; be at odds with commercial agreements; result in a waiver of the attorney-client or work product privileges; or have any other legal/compliance consequences.
Because so many incident response issues are critical to the very survival of a company, who else but the GC can oversee and direct investigative workflow, commanding the investigation and remediation for the C-suite, sharing with senior management the ultimate responsibility for key decisions, while having the responsibility and duty of reporting to the company’s board.
Ransomware and the Attorney-Client Privilege
Attorney involvement, awareness, leadership, and direction are not the only essentials for managing the quagmire of legal issues arising during a ransomware response. GC involvement also triggers the protections afforded by the attorney-client and work product privileges, a critical component in the response to data security incidents.
The involvement and direction of counsel in the context of any investigation will presumably apply to the work product produced not only directly by the legal team members but also by the outside advisors, including the digital forensic investigators engaged by internal or outside counsel.
This is standard practice in the context of any other type of investigation – a cyber incident is no different. There is nothing nefarious or extraordinary about this approach, it is a time-honored and tested standard operating procedure. The involvement of counsel establishes a single point of coordination and a designated information collection point.
Counsel as quarterback of ransomware response also enhances visibility into the facts, improves the ability to pursue appropriate leads and, most importantly, ensures the accuracy and completeness of information before it is communicated to external audiences. Otherwise, incomplete and/or inaccurate information could be released, only to have to later be corrected or even retracted.
Ransomware Notification Requirements
Although typically involving locking up data (rather than accessing, targeting or exfiltrating data), a ransomware attack could still be deemed the type of data security incident which triggers a legal notification requirement, including notice to:
State regulators (per state privacy statutes, rules and regulations);
Shareholders (per SEC disclosure obligations);
Vendors, partners and other entities (Many companies now incorporate rigorous cybersecurity notification requirements into their contracts, which can trigger when a victim company experiences a ransomware attack.);
Insurance carriers (especially if a victim company plans to make an insurance claim, relating to the ransomware attack);
Customers (when the data of a customer, such as a hospital patient, is impacted by a ransomware attack, a victim company may have very specific legal obligations to notify that customer); and
Any other constituency who may have a vested interest in a victim-company.
With respect to state regulatory notifications there is some grey area worthy of mention. In the United States, 52 jurisdictions (including 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands) have enacted some version of a data breach notification law. Under these laws, notification may be required for any customer whose personally identifiable information (PII) was acquired or accessed, or reasonably likely to have been acquired or accessed. While most states require some form of notice to their residents of a data breach, depending on applicable legal standards, some states also require notification to public agencies, such as the state attorney general.
The threshold issue is a technological one – probably best determined by a digital forensics expert and couched in legal terms. For instance, if the data is encrypted or otherwise “locked” through an automated process, companies could argue that the data was never accessed by an unauthorized party, which is the standard that typically triggers state breach notification laws.
On the other hand, though the mere encryption of data may not trigger the notification rules, the viewing, copying, relocating and altering of information can. Digital forensics and malware reverse engineering can provide some clue with respect to the impact of a ransomware attack and help assess some of the lesser state thresholds (such as in states like Connecticut, Florida, Kansas, Louisiana and New Jersey) where the definition of a breach also includes accessing of protected health information.
With respect to some of the more onerous and specific federal notification rules, such as under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), digital forensics analysis can also provide critical information relating to disclosure requirements. For instance, HHS rules generally state that hospitals need only report attacks that result in the exposure of private medical or financial information, such as malware that steals data. Whether ransomware’s data encryption crosses that legal threshold can be challenging to determine, which is why ransomware attacks and other data security incidents at health care organizations often go unreported.
In addition, under the new EU General Data Protection Regulation, effective May 25, 2018, there is a requirement to notify the supervisory authorities without undue delay (no later than 72 hours) after becoming aware of a data breach, unless it is unlikely to cause a risk to the affected individuals. The fines for violating this regulation are significant—up to 4% of global annual turnover or €20 million (whichever is the higher), so any late notification will need to be justified.
Ransomware Investigative Tactics
While determining the bona fides of a ransomware strain is always challenging, an experienced digital forensic examiner can find some answers by searching for some of the more typical cyber-indicators. Ransomware malware is characteristically a type of tool, which is not only known to most professionals, but may even be readily available for purchase online. If the name and modus operandi of the ransomware is new or otherwise unknown, rather than a victim firm being “patient zero,” the ransomware may turn out to be bogus.
Digital forensic experts can also research the Bitcoin payment address; the malware message; any relevant phishing emails; and any other of the ransomware’s characteristics in data security research forums and internal archives, to analyze recent commentary about the ransomware and test its efficacy and validity.
There are also a range of digital forensics tests to initiate upon an infected file to assess a ransomware strain’s actual efficacy. For instance, one simple test is to return the file name to its original form. Real ransomware changes the file extension of encrypted files. The Ransomware files may not be encrypted but just renamed to provide the illusion of encryption to cajole a ransom payment. A digital forensics expert can also investigate the severity of the attack; reverse-engineer the malware that has taken control of victim data; and attempt a full-fledged data recovery.
Ransomware Payment
In cases where a particular ransomware attack cannot be fully mitigated, an experienced digital forensics firm can broker and validate a solution that minimizes the cost of recovery and prevents further extortion from the attacker.
Paying off the ransomware attackers typically entails: 1) sending the secret ransomware key file now stored on the victim’s computer; 2) uploading that file (or data string) to the attackers together with a Bitcoin payment; and 3) awaiting a decryption key or a tool a victim can use to undo the encryption on the victim company files. This is a complex and challenging process.
First off, a digital forensics firm can help a ransomware victim navigate the maze of setting up an account to handle Bitcoin, getting it funded, and figuring out how to pay other people with it. A digital forensics examiner may even be able to construct a payment scheme where rendering ransomware payments is conditional. By using cryptocurrency features to ensure that ransomware attackers cannot receive their payment unless they deliver a key, there can exist some added level of security and reliability upon the transaction. One ransomware response expert, notes:
“ . . A ransomware developer could easily perform payment via a smart contract script (in a system like Ethereum) that guarantees the following property. This payment will be delivered to the ransomware operator if and only if the ransomware author unlocks it — by posting the ransomware decryption key to the same blockchain.”
Ransomware attackers may portray the entire ransomware payment process as more akin to an ordinary business transaction than an international extortion scheme. In fact, some recent ransomware attackers purportedly even offer a victim company a discount if the victim company transmits the infection to other companies, just like referral programs of Uber or Lyft.
However, while a ransomware payment process may seem straightforward and rudimentary, the reality is far more complicated and rife with challenges. No ransomware payment process can guarantee that the ransomware attacker will provide a decryption key. The ransomware scheme may be nothing more than a social engineering ruse, more like an old fashioned Nigerian Internet scam than a malware infection – and the payment could end up being all for naught.
Indeed, ransomware attackers may no longer have the encryption key or may just opt to take a ransom payment, infect a company’s system, and flee the crime scene entirely. Not only is the system of paying in untraceable Bitcoin risky, but the transaction in its entirety is so risky, it hardly seems palatable. Nonetheless, the number of victim companies that pay ransomware demands continues to grow at an alarming rate.
The Legalities of Ransomware Payment
Though the FBI has hinted at the possible illegality of paying a ransomware demand, the FBI has never specifically stated that the payer could actually be charged with a crime. It would seem rather obvious that with respect to any criminal statute, actions taken under duress do not ordinarily constitute a crime. Moreover, the ransomware attacker possesses the criminal intent, not the victim who agrees to pay. However, there is little specific legal authority on the subject of payment and negotiation with ransomware attackers, so the legalities of payment are worthy of some analysis.
In general, legal commentary and case law regarding ransom payments is limited. However, in a germane 2011 British case, Masefield AG v Amlin Corporate Member Ltd (The Bunga Melati Dua), relating to maritime piracy and ransom demands for safe return of the vessel and crew, the court faced a somewhat analogous scenario. Specifically, the British Court of Appeal held that there was no general public policy argument against paying ransoms, stating that:
“…there is no universal morality against the payment of ransom, the act not of the aggressor but of the victim of piratical threats, performed in order to save property and the liberty or life of hostages. There is no evidence before the court of such payments being illegal anywhere in the world. This is despite the realization that the payment of ransom, whatever it might achieve in terms of the rescue of hostages and property, itself encourages the incidence of piracy for the purposes of exacting more ransoms. (Perhaps it should be said that the pirates are not classified as terrorists. It may be that the position with regard to terrorists is different).”
Though addressing hostage ransoms, and not ransomware, former President Barak Obama provided a similar message in his Statement by the President on the U.S. Government’s Hostage Policy Review (June 24, 2015):
“I firmly believe that the United States government paying ransom to terrorists’ risks endangering more Americans and funding the very terrorism that we’re trying to stop. And so I firmly believe that our policy ultimately puts fewer Americans at risk. At the same time, we are clarifying that our policy does not prevent communication with hostage-takers — by our government, the families of hostages, or third parties who help these families . . . In particular, I want to point out that no family of an American hostage has ever been prosecuted for paying a ransom for the return of their loved ones. The last thing that we should ever do is to add to a family’s pain with threats like that.”
Ransomware and the FCPA
The Foreign Corrupt Practices Act of 1977 (FCPA) prohibits payments to foreign government officials to assist in obtaining or retaining business or directing business to any person. Laws such as the FCPA reflect an alternative approach to deterring bribes, by penalizing those on the payment side of the transaction.
Specifically, the FCPA prohibits giving something of value for the purpose of: “(i) influencing any act or decision of [a] foreign official in his official capacity, (ii) inducing such foreign official to do or omit any act in violation of the lawful duty of such official, or (iii) securing any improper advantage … to obtain or retain business for or with … any person.” The law provides an affirmative defense for payments that are “lawful under the written laws and regulations” of the country.
Given the FCPA threshold requirement that a payment must be made to assist in obtaining or retaining business for the individual or company or directing that business to another person, a ransomware scenario does not appear to trigger the FCPA.
However, FCPA’s enforcement can provide a useful analogy when considering the legalities of paying a ransomware demand. U.S. companies often face extortionate demands from foreign police, bureaucrats, and regulators, who threaten to hold, expel, or even harm employees if ransoms are not paid. And there have always been questions whether those involuntary payments can violate the FCPA. The DOJ-SEC Guidance on FCPA addresses this issue, stating:
“Does the FCPA Apply to Cases of Extortion or Duress? Situations involving extortion or duress will not give rise to FCPA liability because a payment made in response to true extortionate demands under imminent threat of physical harm cannot be said to have been made with corrupt intent or for the purpose of obtaining or retaining business.”
This notion, that under FCPA an individual is not guilty of a criminal offense when forced to do so by duress or extortion, is confirmed in United States v. Kozeny, 582 F.Supp.2d 535, 540 (S.D.N.Y. 2008). Specifically, in the Kozeny decision, the United States District Court for the Southern District of New York ruled that extortion or duress under the threat of imminent physical harm would excuses the conduct (essentially negating a corrupt intent), stating:
“ . . . while the FCPA would apply to a situation in which a “payment [is] demanded on the part of a government official as a price for gaining entry into a market or to obtain a contract,” it would not apply to one in which payment is made to an official “to keep an oil rig from being dynamited,” an example of “true extortion.” The reason is that in the former situation, the bribe payer cannot argue that he lacked the intent to bribe the official because he made the “conscious decision” to pay the official. In other words, in the first example, the payer could have turned his back and walked away—in the latter example, he could not.”
Whether the “economic duress” of a typical ransomware attack would rise to the level of “true extortion” as described in the Kozeny decision remains untested, and might be viewed as insufficient to excuse conduct from sanctions under the FCPA.
The FCPA could also potentially apply in ransomware scenarios where the cyber-criminal has a known connection to a foreign government. While the concealed identity of cyber-criminals involved in ransomware attacks likely prevents a payer from knowing that a payment violates the FCPA, the issue could still arise when a digital forensic expert identifies a ransomware attacker’s modus operandi to be that of a state sponsored organization (e.g. from Russia, North Korea or Iran).
Foreign Sanctions and Ransomware
Like the FCPA, international sanctions regimes are also designed to prevent payments to certain designated payees, institutions, and countries who are enemies of the U.S, such as terrorists and terrorist organizations. In the United States, the Treasury’s Office of Foreign Asset Controls (OFAC) supervises these programs, such as the Trading with the Enemy Act and the International Emergency Economic Powers Act (IEEPA).
Under these Acts, ransom payments (whether directly or indirectly through an intermediary) to Foreign Terrorist Organizations (FTOs) or Specially Designated Global Terrorists (SDGTs) identified by OFAC, are illegal under U.S. law. Monetary contributions to FTOs are considered material support under 18 U.S.C. 2339B, while transfers to SDGTs are violations of economic sanctions imposed pursuant to the IEEPA.
For example, in a February 2017 cyber-attack against the British National Health System, the attackers appeared to be ISIS and in particular, the Tunisian Falange Team, which posted graphics and pictures decrying at the war in Syria. Whether a similar attack against a U.S. hospital, with a similar evidentiary trail indicating terrorist attribution, would trigger the limitations imposed OFAC is unclear and untested. However, any digital forensic findings of a ransomware attack indicating terrorist attribution or involvement is certainly worthy of consideration when contemplating a ransomware payment.
Ransomware and Conspiracy
Whether a payer of a ransomware demand can be held to have entered into a conspiracy with the ransomware attacker seems unlikely and contrary to the public interest. A conspiracy is an agreement with another that a criminal course of conduct is to be pursued. Ransomware payments do not appear to be the kind of agreements contemplated by conspiracy statutes, but instead are forced arrangements dictated by a ransomware attacker.
However, other profiting and culpable participants in the Bitcoin payment scheme to pay a ransomware attacker might find themselves facing criminal penalties. Anthony Murgio, who recently pled guilty to operating as a money transmitter without a license in 2015, was also charged with violating Title 18 U.S.C., Section 1030(a)(7) and sentenced to 5 ½ years in prison. Federal prosecutors alleged that Murgio and his co-conspirators benefitted from transactions providing victims with Bitcoin to pay off ransomware demands. The Murgio indictment states:
“As part of the unlawful Coin.mx scheme, Anthony P. Murgio, the defendant, and his co-conspirators knowingly processed and profited from numerous Bitcoin transactions conducted on behalf of victims of ransomware schemes…By knowingly permitting ransomware victims to exchange currency for Bitcoins through Coin.mx, Murgio and his co-conspirators facilitated the transfer of ransom proceeds to the malware operators while generating revenue for Coin.mx.”
Unlike a ransomware payer, Murgio was a part of the payment process and clearly facilitated the ransomware transactions with unclean hands – possessing the kind of felonious intent required for money laundering criminal liability. Crypto-currency sellers or exchange operators may be caught up in legal trouble if: they have avoided or neglected reporting requirements or have not registered as a money transmission business (like Murgio), or, if they were criminally complicit with the ransomware attackers.
The distinction seems clear: if a Bitcoin seller actively aided and abetted a ransomware attacker, knowingly profiting from the scheme, the Bitcoin seller could be criminally liable. However, if a digital forensics firm made Bitcoin available to a client and provided technical advice as to how to pay in Bitcoin, then, like Thomas Clayton in Proof of Life, criminal liability seems wholly inappropriate.
Ransomware: To Pay or Not To Pay
For now, it seems that paying ransomware, while obviously risky and empowering/encouraging ransomware attackers, does not appear to break any laws – and even if payment is arguably unlawful, seems unlikely to be prosecuted. Thus, the decision whether to pay or ignore a ransomware demand, seems less of a legal, and more of a practical, determination — almost like a cost-benefit analysis.
The arguments for rendering a ransomware payment include:
Payment is the least costly option;
Payment is in the best interest of stakeholders (e.g. a hospital patient in desperate need of an immediate operation whose records are locked up);
Payment can avoid being fined for losing important data;
Payment means not losing highly confidential information; and
Payment may mean not going public with the data breach.
The arguments against rendering a ransomware payment include:
Payment does not guarantee that the right encryption keys with the proper decryption algorithms will be provided;
Payment further funds additional criminal pursuits of the attacker, enabling a cycle of ransomware crime;
Payment can do damage to a corporate brand;
Payment may not stop the ransomware attacker from returning;
If victims stopped making ransomware payments, the ransomware revenue stream would stop and ransomware attackers would have to move on to perpetrating another scheme; and
Using Bitcoin to pay a ransomware attacker can put organizations at risk. Most victims must buy Bitcoin on entirely unregulated and free-wheeling exchanges that can also be hacked, leaving buyers’ bank account information stored on these exchanges vulnerable.
Ransomware Remediation
There are a slew of basic steps companies should take as preemptive measures to avoid falling prey to ransomware, including backing up systems and employing the latest cybersecurity measures. Other measures include:
Updating operating systems, software patching, antivirus programs and firewalls;
Taking steps to detect and block ransomware through firewalls and intrusion detection monitoring, including setting alerts for anomalous behavior;
Revisiting backup protocols to ensure that a crypto-attack is classified as a potential disaster with appropriate contingency plans;
Enabling popup blockers;
Employing IT professionals or consultants familiar with ransomware, who stays current with evolving iterations and variants; and
Implementing a strong password policy requiring all users to regularly change passwords and require more complex passwords, i.e. mixture of lower and uppercase letters, numbers, and symbols;
Reviewing and auditing all network permissions in your network while updating and deactivating all user accounts regularly, including departing employees;
Rigorous employee education and outreach;
Securing long and short-term backups, stored in a manner detached from a company’s network;
Intense screening of partners and vendors to ensure strong security procedures from associated third parties;
Thoughtfully and securely segmenting sensitive user and corporate data within a corporate network; and
Changing network and Wi-Fi passwords regularly.
Along the same lines, the FBI urges organizations to be vigilant keeping browsers, operating systems and third-party application patch levels up to date, and that antivirus protection is also current. The FBI also suggests companies back up often, lock down access granted to individuals and manage configuration of file systems, directories and network shares appropriately.
By setting snares and “honeypots” for would-be ransomware attackers, companies can go so far as to employ drastic and direct preemptive measures. For example, Deception Technology sets its trademarked HackTraps to misdirect ransomware attackers and prevent them from going deeper into a corporate network and reaching their intended target. These traps can be as simple as a document with a deceiving title that was created exclusively to lure in the cybercriminals.
A digital forensic expert can also help a victim company develop and implement a containment plan to isolate any additional infections and provide strategic recommendations to prevent further ransomware attacks and otherwise mitigate their impact.
It may be hard to believe, but when handled correctly, a customer data compromise or data security incident like a ransomware attack can actually become the kind of successful failure that not only prompts remediation that strengthens technological infrastructure, but also reinforces a firm’s commitment and focus upon its customers, partners and other fiduciaries.
Ransomware and Business Continuity Plans
The critical importance of a business continuity plan in the event of a natural disaster is widely recognized and accepted. Yet, too often, such plans are not evaluated in the context of assessing cybersecurity risks such as ransomware.
Even when an organization’s IT cybersecurity response fully aligns to IT best practices, there are benefits in utilizing or integrating IT’s response into the existing business continuity structure, rather than having two separate response models. Speed and agility are key enablers in ransomware response, and business continuity enables nimble, rapid response limiting financial and reputational impact on the enterprise.
A powerful business continuity plan, which is properly integrated with an incident response plan, contemplates the threat of ransomware and plans for data recovery, such as with specialized back-up data systems that are routinely tested and updated as necessary.
Ransomware and Cyber Insurance
Like any other corporate risk, companies are beginning to realize that the financial, operational and even reputational risks of a ransomware attack can be addressed via a comprehensive and targeted cyber insurance policy. Over 60 insurance companies now offer cyber insurance, many containing specific provisions addressing ransomware. In 2015, ransomware accounted for just over 10% of cyber insurance claims, but in 2016 that figure grew to 25%.
Currently, most cyber insurance policies are modular, which means an organization chooses from a menu of coverage options, such as business interruption, third party liability for privacy breaches and first party coverage for an organization’s own costs to detect, stop, investigate and remediate a network security incident.
Ransomware typically falls under “first party” liabilities as cyber extortion and network interruption. When making a cyber insurance claim for ransomware, a victim company should be prepared to demonstrate that: the ransom has been surrendered under duress; the incident is not a hoax; there was c-suite participation in the ransomware payment decision; the insurance company approved of the ransomware payment plan; and the ransomware attack was reported to law enforcement.
Making an insurance reimbursement claim for a Bitcoin payment is also tricky, even with respect to valuation and execution. Challenges include proving to an insurance company: that a Bitcoin payment was made; that a Bitcoin payment was for a particular amount of U.S. dollars; and that a Bitcoin transaction was documented in an acceptable and verifiable manner.
Thus, a ransomware victim company may have to engage a professional intermediary to pay the attackers, and then seek reimbursement for the fees paid to the digital intermediary. Otherwise, an insurer might have no way to audit a process involving Bitcoin and therefore refuse to recompense Bitcoin payments. Cyber insurance might also not cover the full amount of the ransomware or may have in place a high deductible amount (for large organizations the deductible could be $500,000 or as high as $5 million).
Without a specific ransomware cyber insurance policy, a victim company would have to look to the breadth of their professional liability and other insurance policies, which can give rise to ambiguities and disputes. For example, the presence of any sort of terrorism exclusion can become problematic. For instance, insurance policies may have “acts of foreign enemies” or “government acts” exclusions that can limit reimbursement if the ransomware was distributed by cyber-attackers tied to a foreign government;
In addition, whether a ransomware victim company must show “physical damage” can also become an issue. In the typical ransomware scenario, a victim company’s data is not actually damaged but is rather, “locked.” An insurance company may argue that like other cyber-attacks, where a victim’s data was accessed, but not otherwise disturbed, altered or exfiltrated, then the victim has no insurance claim; and
Some companies who do not have cyber insurance, may turn to their kidnap insurance for coverage relating to ransomware attacks. Kidnap policies, known as K&R coverage, are typically used by multinational companies looking to protect their staff in areas of danger, such as where violence related to oil and mining operations is common (like parts of Africa and Latin America).
K&R policies, which typically do not have deductibles, can cover the ransom payments as well as crisis response services, including getting in touch with criminal and regulatory authorities. Whether K&R coverage, which was not designed for ransomware, will cover ransomware costs and expenses will always be a matter of the specific policies involved.
To get the most out of cyber coverage for ransomware attacks, companies should work closely with their brokers, their insurers, their outside counsel and their own internal experts and executives to fully understand their particular ransomware risks. For now, the most effective cyber insurance policies are bespoke, and given the rapidly evolving nature of cyber-attacks, will continue to require custom-tailored fitting for quite some time.
Just like other kinds of insurance, ransomware coverage by itself will rarely be enough to make a company whole after a cyber-attack, but it can provide critical financial resources. Moreover, when coupled with a thoughtful and diligent incident response, a sound ransomware insurance policy can send a powerful message of strong business acumen; fierce customer dedication; and steadfast corporate governance, demonstrating profound expertise to the marketplace, shareholders, regulators and the many other interested corporate stakeholders.
Final Thoughts
When confronted with a ransomware attack, the options all seem bleak. Pay the hackers – and the victim may not only prompt future attacks, but there is also no guarantee that the hackers will restore a victim’s dataset. Ignore the hackers – and the victim may incur significant financial damage or even find themselves out of business. The only guarantees during a ransomware attack are the fear, uncertainty and dread inevitably experienced by the victim.
Even under the best-case scenario, where a victim has maintained archives and can keep their business alive, the victim companies will incur significant remedial costs, business disruptions and exhaustive management drag. Moreover, having a back-up storage solution in place is not always ideal; not only can outside storage of data create additional cybersecurity risks, but sometimes data archives are more like the proverbial roach motel, where data checks in but it can’t check out.
No doubt that the ease, anonymity and speed of crypto-currency payments such as Bitcoin, has revolutionized the ransomware industry, prompting its extraordinary growth. Bitcoin not only makes it simpler to remain anonymous, but also enables a nameless payment mechanism where the extorted funds can be immediately transferred into criminal hands.
Transactions in crypto-currencies like Bitcoin lack a discernable audit trail and operate outside of regulated financial networks and are alarmingly unregulated. There is no central issuer of Bitcoins, nor a Federal Reserve of Bitcoins monitoring and tracking transactions or controlling their value. In short, government surveillance and regulation of cryptocurrency is virtually nonexistent (no pun intended) and so long as crypto-currency payment schemes exist, ransomware attacks and iterations will likely continue to thrive.
Though too early to tell, there may emerge some form of Bitcoin regulation via Executive Order No. 13,694 (April, 2015), which expands sanctions to include “blocking” the property of persons engaging in “Significant Malicious Cyber-Enabled Activities.” The order declares a “national emergency” to deal with cyber-enabled threats and extends to the assets of those who “have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any [malicious cyber-enabled activities].”
Given that ransomware Bitcoin payments are made to cyber criminals, per Executive Order 13,694, the U.S. Secretary of the Treasury, the U.S. Attorney General and/or the U.S. Secretary of State could freeze or “block” assets of any participant in the Bitcoin financial chain. Such dramatic government intervention could discourage the purveyors of ransomware attacks, who depend upon Bitcoin for receiving payments.
The government could also take additional steps to combat ransomware such as:
Providing financial incentives for private investment in ransomware prevention and remediation technologies;
Speaking more boldly discouraging ransomware payments that monetize crime, perhaps via the Financial Crimes Enforcement Network (FinCen) or via a task force of state and federal law enforcement agencies; or
Creating new legal penalties for ransomware payments in a manner similar to the FCPA, rendering the option of paying ransom costlier, thus nudging firms toward choosing greater security.
But these government measures are theoretical and even if implemented, might still not sojourn the dramatic growth of ransomware. The reality is that when it comes to ransomware attacks, the government seems idle and relatively powerless, which means ransomware victims are unfortunately on their own. So what should companies do to manage the increasing risk of the current ransomware crime wave?
As would probably be preached by Thomas Clayton (or Russell Crowe), companies struggling with ransomware threats should apply the same lessons to ransomware protection that Clayton uses for employee protection: Be prepared (e.g. deploy back-ups and the like); Be thoughtful (e.g. use professionals to implement preemptive measures and help handle the response); and Be vigilant (e.g. never underestimate the impact of ransomware and never take the threat lightly).
John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of, “The Cybersecurity Due Diligence Handbook,” available as an eBook on Amazon, iBooks and other booksellers.
The post Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance appeared first on The D&O Diary.
Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance published first on http://ift.tt/2kTPCwo
0 notes
Text
Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance
John Stark Reed
Readers undoubtedly are aware of the recent outbreak of ransomware incidents and the problems they present. The threat of ransomware attacks poses a host of issues, among the most significant of which is whether or not ransomware victims should go ahead and make the demanded ransomware payment as the quickest way to try to recover captured systems. In the following blog post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a comprehensive look that problems involved with making payments in response to a ransomware attack. A version of this article originally appeared on CybersecurityDocket.
I would like to thank John for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit an article. Here is John’s guest post.
****************************
In the 2000 American thriller film Proof of Life, the title refers to a phrase commonly used to indicate proof that a kidnap victim is still alive. As an expert negotiator in kidnapping cases, Terry Thorne, played by Russell Crowe, is engaged to bargain for a corporate kidnap victim’s safe return.
The film Proof of Life is not just a compelling narrative – its premise and main character also provide some useful insights into managing the emerging threat of ransomware. Ransomware, a special and more nascent type of malware, prevents or limits users from accessing their data, by locking system screens or user files, unless and until a ransom is paid.
Proof of Life’s screenplay was partly inspired by Thomas Hargrove’s book The Long March to Freedom, which recounts how the release of the once-kidnapped Hargrove was negotiated by Thomas Clayton, the founder of his eponymous kidnap-for-ransom consultancy Clayton Consultants (now part of risk management firm, Triple Canopy).
Just like Clayton Consultants, the team advising a ransomware victim company, whether a hospital or global corporate conglomerate, must employ a thoughtful, careful and methodical protocol to survive the ransomware crisis. Like any hostage situation, when a cyber-attacker locks up critical data files, the logistics and legalities of ransomware refusal, acquiescence or capitulation can be both elaborate and complicated.
To make matters worse, seeking law enforcement help for a ransomware attack unfortunately remains a very limited option. First, law enforcement has become inundated with ransomware reports and lacks the resources and wherewithal to assist victims. Second, most of the ransomware attackers are overseas, where merely obtaining an electronic evidence or interviewing a witness, let alone successful extradition and prosecution, are rarely possible. Finally, ransomware demands are often at monetary levels in the hundreds or thousands of dollars – too small to warrant federal law enforcement consideration while clearly outside of the jurisdiction of local law enforcement.
Thus, it should come as no surprise that a significant number of ransomware victims opt to pay the ransom. When padlocked files are business-critical (e.g. an important intellectual property formula); when encryption cannot be defeated (no matter how good the code-breaker) or when time is of the essence (e.g. when patient data is needed for life-saving surgery), paying the ransom can become the proverbial best worst option. Moreover, the typically de minimus ransomware payment demands (on average, about $679) are more akin to a financial nuisance than a material fiscal line-item, so from a cost-benefit perspective, payment can make the most sense.
Under any circumstance, ransomware has quickly become a novel, multifaceted and emerging risk to all corporate enterprises, and like any other material risk, should be addressed and mitigated in a reasonable, lawful, robust and effective manner.
This article provides guidance on the legal issues, logistical considerations and financial implications when managing ransomware threats, including an exposition of the unique issues which can arise when seeking proof of life and opting to meet the monetary demands of ransomware attacker.
What is Ransomware?
Ransomware is a type of malicious software that infects a computer and restricts users’ access to certain data, systems and/or files until a ransom is paid. Ransomware can come in many forms and iterations and like any other virus or infection, ransomware can evolve and transmogrify to counter cyber-defenses and remediation. Although only a fraction of ransomware attacks are actually reported to federal authorities, the U.S. Department of Justice reports over 4,000 ransomware attacks occur daily.
A ransomware victim company’s files are rarely exfiltrated by a ransomware attacker, rather the attacker encrypts the files so a victim company cannot access them. Then the hacker offers to sell the encryption key to the victim, typically payable in an anonymizing online crypto-currency such as Bitcoin. The usual ransomware demand comes with a deadline — after which time, the ransomware attacker threatens that the key will be destroyed or will expire, rendering the kidnapped files forever inaccessible. In many cases the ransom note that hijacks the victim’s screen is accompanied by a digital clock ominously ticking down the minutes and seconds from 72 hours. When the timer expires, the ransom demand usually goes up or even doubles – or the data is permanently locked and henceforth unrecoverable.
Bitcoin and other convertible crypto-currencies have become the keystone to current ransomware schemes, rendering the transactions practically untraceable and well suited for criminal transactions. Unlike the sequence of events during to a common kidnapping scenario, where the exchange of money arguably places criminals in their most vulnerable position, virtual kidnapping of ransomware actually facilitates anonymity throughout the Bitcoin transaction process.
Ransomware Growth
According to a recent study by IBM, spam emails loaded with ransomware increased 6,000 percent in 2016 compared with 2015, comprising almost 40 percent of all spam messages in 2016. Another report, from cybersecurity firm Symantec, cited 460,000 ransomware attempts in 2016, up 36% from 2015, with the average payment demand ballooning from $294 to $1,077, a 266% increase. Ransomware attacks have grown almost exponentially for several reasons:
The ransomware business model works, with the FBI stating that ransomware is on pace to become a one billion dollar source of income for cybercriminals in 2017;
Ransomware start-up costs are cheap. Ransomware software is readily and easily available – and is extraordinarily inexpensive. Ransomware is available for rent; for purchase or even in kits for building. Indeed, 60 percent of the Internet’s top sites sell ransomware; and
Ransomware schemes are typically successful. One recent study found that 70 percent of business victims paid the hackers to get their data back. Of those who paid, 50 percent paid more than $10,000 and 20 percent paid more than $40,000.
Ransomware attacks target the most vulnerable part of a company’s computer networks: people. The primary attack vector for ransomware is an employee who has clicked on a file or a linked he or she should not have clicked. That employee may be:
An accidental insider (e.g. an inattentive employee infiltrated due to inadvertent behaviors or broken business processes);
A compromised insider (e.g. a targeted employee via social engineering and infiltrated due to malware infections or stolen credentials); or
A malicious insider (e.g. a so-called bad leaver or criminal insider who infiltrate via corporate espionage and sabotage).
Ransomware is sometimes embedded in seemingly legitimate downloads such as software updates or resume files. Fake Adobe Flash updates are a notorious Trojan horse for delivering ransomware because Flash is such a ubiquitous add-on to most Internet browsers. Once inside a network, some ransomware can seed itself to additional computers or other devices via SMS messages or a user’s contact list.
What makes ransomware countermeasures challenging is the evolution of ransomware variants. There has been a tremendous increase in ransomware strains – reaching almost epidemic proportions. Indeed, new ransomware strains are now being created to tap into the mobile user base, which can impact both personal and business information, already dramatically expanding the ransomware threat landscape, diversifying and expanding their platforms, capabilities and techniques in order to accrue more targets.
Per recent reports, in the third quarter of 2011, about 60,000 new variants of ransomware were detected. That number doubled to over 200,000 in 2012; quadrupling to over 700,000 variants from 2014, to the first quarter of 2015. In the first quarter of 2016, security firm Kaspersky Lab revealed 2,900 new “modifications” of existing ransomware, a 14% increase from the last quarter, and a 30% increase from the previous quarter.
As the Internet of Things begins to establish a foothold in daily life, ransomware growth seems poised to become more severe and more widespread. Market forecaster Gartner expects 6.4 billion connected devices will surround us in the home and workplace this year, a $30 billion market by the year 2020. This growing network of Internet-connected household devices, from Samsung refrigerators to Nest thermostats, will undoubtedly render individuals and corporations increasingly vulnerable to ransomware attacks.
Recent Ransomware Attacks
While ransomware has beleaguered victim companies for much of the last decade, a recent global spate of ransomware attacks has prompted intense media coverage and worldwide apprehension and concern.
For instance, in April 2017, a ransomware group known as Shadow Brokers coopted a ransomware exploit (nicknamed Eternal Blue) from the U.S. National Security Agency, and took advantage of a Windows vulnerability, targeting a wave of hospitals. The ransomware extortion demands impacted more than just corporate operations and secrets; suddenly, a cyber-attack impacted the lives of sick hospital patients, prompting an almost international hysteria.
The vulnerability, patchable for new Microsoft systems but not necessarily for older systems upon which many hospitals were running, was dubbed “WannaCry” or “WannaCrypt” ransomware, and according to Europol, claimed over 200,000 victims in over 150 countries.
Similarly, in late June 2017, another strain of ransomware hit at least six countries, including and primarily Ukraine, where it was blamed for a large and coordinated attack on key parts of the nation’s infrastructure, from government agencies and electric grids to stores and banks. According to Microsoft, this outbreak, referred to as NotPetya – aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya and Diskcoder.C – resulted in “a less widespread attack” than WannaCry, aka WannaCrypt.
As a result of NotPetya ransomware, A.T.M.’s in the Ukraine apparently stopped working; workers were forced to manually monitor radiation at the old Chernobyl nuclear plant when their computers failed; and data security personnel at companies around the world — from Maersk, the Danish shipping conglomerate, to Merck, the drug giant in the United States — were reportedly scrambling to respond. Even an Australian factory for the chocolate giant Cadbury was affected.
Though more sophisticated than WannaCry and employing the same Eternal Blue server message block exploit, NotPetya’s global impact was reportedly blunted by its own limited attack capabilities (e.g. by a default setting, the infected system reboots after 60 minutes, and the malware does not persist after the reboot). “This means that the threat can only do lateral movement and exploitation of other machines during this limited time,” Microsoft says. “This reduced the reach of the attack.”
Law Enforcement and Ransomware: The Official View
The official line from federal law enforcement with respect to Ransomware is: Report the Incident and Don’t Pay. Specifically, the FBI warns:
“The FBI doesn’t support paying a ransom in response to a ransomware attack . . . Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. [B]y paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
The FBI also warns that paying ransomware does not guarantee that a victim company will obtain from the attacker a working key to rescue their data. The FBI is aware of cases where either the attackers fail to hand over the correct decryption key or are unwilling to comply with the original ransomware demands after payment is received. According to Trend Micro research, nearly 33 percent of firms that pay the ransom when attacked by ransomware fail to get their data back. The FBI also urges ransomware victims to report ransomware attacks immediately and seek help from the FBI in handling the situation.
Along similar lines, during an emergency meeting to address the WannaCry ransomware attacks, Tom Bossert, Homeland Security Advisor to President Donald Trump, discussed the perils of ransomware payment, and warned that victims could still lose access to files even after making a payment:
“Well, the U.S. government doesn’t make a recommendation on paying ransom, but I would provide a strong caution. You’re dealing with people who are obviously not scrupulous, so making a payment does not mean you are going to get your data back.”
Law Enforcement and Ransomware: The Unofficial View
In some public settings, the FBI has warned that, without paying a ransom, victim companies may not be able to unlock their kidnapped data from ransomware attackers who use Cryptolocker, Cryptowall and other potent malware strains.
“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office. “To be honest, we often advise people to just pay the ransom . . . The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom.”
Indeed, the Ponemon Institute reported in a 2016 study that 48% of businesses victimized by ransomware paid the ransom (average ransomware payment being $2,500), while a similar IBM Security study found that 70 percent of business victims paid the ransom during that same period.
Even some law enforcement officials themselves have decided to cut their losses by paying off the purveyors of ransomware. For instance, in the Massachusetts townships of Tewksbury and Swansea, ransomware attackers made off with $500 and $750 bounties, respectively. Elsewhere, police departments in the Chicago suburbs of Midlothian and Dickson County, Tenn., also paid ransom amounts to ransomware attackers. That even law enforcement officials have opted to cut their losses by succumbing to, and paying off, ransomware attackers demonstrates how oddly commonplace ransomware payments have become.
Counsel as Quarterback for Ransomware Response
Ransomware is a crime, has significant regulatory implications and can involve important legal responsibilities and liabilities. At a minimum, ransomware schemes run afoul of the federal computer crime statute, 18 U.S.C. § 1030, and particularly subsection (a)(7), which forbids hacking intended to extort something of value from the victim.
Above all else, the legal ramifications of any ransomware incident or failure can be calamitous for any public or private company. Even the most traditional realms of IT dominion such as exfiltration analysis, malware reverse engineering, digital forensics, logging review and most technological remediation measures are rife with legal and compliance issues and a myriad of potential conflicts.
For instance, after a cybersecurity incident such as a ransomware attack, law enforcement, regulators, vendors, partners, insurers, customers and others may:
Request forensic images of impacted systems;
Demand copies of indicators of compromise;
Mandate that their own auditors or examiners visit sites of infiltration and conduct their own audit and investigation;
Want to participate in remediation planning;
Seek interviews and interactions with IT personnel;
Require briefings from a victim company’s forensic experts and data security engineers; or
Ask to attach a recording appliance to a victim company’s network in hope of capturing traces of attacker activity, should an attacker return.
These requests raise a host of legal issues, including how exactly to respond to each request and whether any response would violate the privacy of customers; be at odds with commercial agreements; result in a waiver of the attorney-client or work product privileges; or have any other legal/compliance consequences.
Because so many incident response issues are critical to the very survival of a company, who else but the GC can oversee and direct investigative workflow, commanding the investigation and remediation for the C-suite, sharing with senior management the ultimate responsibility for key decisions, while having the responsibility and duty of reporting to the company’s board.
Ransomware and the Attorney-Client Privilege
Attorney involvement, awareness, leadership, and direction are not the only essentials for managing the quagmire of legal issues arising during a ransomware response. GC involvement also triggers the protections afforded by the attorney-client and work product privileges, a critical component in the response to data security incidents.
The involvement and direction of counsel in the context of any investigation will presumably apply to the work product produced not only directly by the legal team members but also by the outside advisors, including the digital forensic investigators engaged by internal or outside counsel.
This is standard practice in the context of any other type of investigation – a cyber incident is no different. There is nothing nefarious or extraordinary about this approach, it is a time-honored and tested standard operating procedure. The involvement of counsel establishes a single point of coordination and a designated information collection point.
Counsel as quarterback of ransomware response also enhances visibility into the facts, improves the ability to pursue appropriate leads and, most importantly, ensures the accuracy and completeness of information before it is communicated to external audiences. Otherwise, incomplete and/or inaccurate information could be released, only to have to later be corrected or even retracted.
Ransomware Notification Requirements
Although typically involving locking up data (rather than accessing, targeting or exfiltrating data), a ransomware attack could still be deemed the type of data security incident which triggers a legal notification requirement, including notice to:
State regulators (per state privacy statutes, rules and regulations);
Shareholders (per SEC disclosure obligations);
Vendors, partners and other entities (Many companies now incorporate rigorous cybersecurity notification requirements into their contracts, which can trigger when a victim company experiences a ransomware attack.);
Insurance carriers (especially if a victim company plans to make an insurance claim, relating to the ransomware attack);
Customers (when the data of a customer, such as a hospital patient, is impacted by a ransomware attack, a victim company may have very specific legal obligations to notify that customer); and
Any other constituency who may have a vested interest in a victim-company.
With respect to state regulatory notifications there is some grey area worthy of mention. In the United States, 52 jurisdictions (including 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands) have enacted some version of a data breach notification law. Under these laws, notification may be required for any customer whose personally identifiable information (PII) was acquired or accessed, or reasonably likely to have been acquired or accessed. While most states require some form of notice to their residents of a data breach, depending on applicable legal standards, some states also require notification to public agencies, such as the state attorney general.
The threshold issue is a technological one – probably best determined by a digital forensics expert and couched in legal terms. For instance, if the data is encrypted or otherwise “locked” through an automated process, companies could argue that the data was never accessed by an unauthorized party, which is the standard that typically triggers state breach notification laws.
On the other hand, though the mere encryption of data may not trigger the notification rules, the viewing, copying, relocating and altering of information can. Digital forensics and malware reverse engineering can provide some clue with respect to the impact of a ransomware attack and help assess some of the lesser state thresholds (such as in states like Connecticut, Florida, Kansas, Louisiana and New Jersey) where the definition of a breach also includes accessing of protected health information.
With respect to some of the more onerous and specific federal notification rules, such as under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), digital forensics analysis can also provide critical information relating to disclosure requirements. For instance, HHS rules generally state that hospitals need only report attacks that result in the exposure of private medical or financial information, such as malware that steals data. Whether ransomware’s data encryption crosses that legal threshold can be challenging to determine, which is why ransomware attacks and other data security incidents at health care organizations often go unreported.
In addition, under the new EU General Data Protection Regulation, effective May 25, 2018, there is a requirement to notify the supervisory authorities without undue delay (no later than 72 hours) after becoming aware of a data breach, unless it is unlikely to cause a risk to the affected individuals. The fines for violating this regulation are significant—up to 4% of global annual turnover or €20 million (whichever is the higher), so any late notification will need to be justified.
Ransomware Investigative Tactics
While determining the bona fides of a ransomware strain is always challenging, an experienced digital forensic examiner can find some answers by searching for some of the more typical cyber-indicators. Ransomware malware is characteristically a type of tool, which is not only known to most professionals, but may even be readily available for purchase online. If the name and modus operandi of the ransomware is new or otherwise unknown, rather than a victim firm being “patient zero,” the ransomware may turn out to be bogus.
Digital forensic experts can also research the Bitcoin payment address; the malware message; any relevant phishing emails; and any other of the ransomware’s characteristics in data security research forums and internal archives, to analyze recent commentary about the ransomware and test its efficacy and validity.
There are also a range of digital forensics tests to initiate upon an infected file to assess a ransomware strain’s actual efficacy. For instance, one simple test is to return the file name to its original form. Real ransomware changes the file extension of encrypted files. The Ransomware files may not be encrypted but just renamed to provide the illusion of encryption to cajole a ransom payment. A digital forensics expert can also investigate the severity of the attack; reverse-engineer the malware that has taken control of victim data; and attempt a full-fledged data recovery.
Ransomware Payment
In cases where a particular ransomware attack cannot be fully mitigated, an experienced digital forensics firm can broker and validate a solution that minimizes the cost of recovery and prevents further extortion from the attacker.
Paying off the ransomware attackers typically entails: 1) sending the secret ransomware key file now stored on the victim’s computer; 2) uploading that file (or data string) to the attackers together with a Bitcoin payment; and 3) awaiting a decryption key or a tool a victim can use to undo the encryption on the victim company files. This is a complex and challenging process.
First off, a digital forensics firm can help a ransomware victim navigate the maze of setting up an account to handle Bitcoin, getting it funded, and figuring out how to pay other people with it. A digital forensics examiner may even be able to construct a payment scheme where rendering ransomware payments is conditional. By using cryptocurrency features to ensure that ransomware attackers cannot receive their payment unless they deliver a key, there can exist some added level of security and reliability upon the transaction. One ransomware response expert, notes:
“ . . A ransomware developer could easily perform payment via a smart contract script (in a system like Ethereum) that guarantees the following property. This payment will be delivered to the ransomware operator if and only if the ransomware author unlocks it — by posting the ransomware decryption key to the same blockchain.”
Ransomware attackers may portray the entire ransomware payment process as more akin to an ordinary business transaction than an international extortion scheme. In fact, some recent ransomware attackers purportedly even offer a victim company a discount if the victim company transmits the infection to other companies, just like referral programs of Uber or Lyft.
However, while a ransomware payment process may seem straightforward and rudimentary, the reality is far more complicated and rife with challenges. No ransomware payment process can guarantee that the ransomware attacker will provide a decryption key. The ransomware scheme may be nothing more than a social engineering ruse, more like an old fashioned Nigerian Internet scam than a malware infection – and the payment could end up being all for naught.
Indeed, ransomware attackers may no longer have the encryption key or may just opt to take a ransom payment, infect a company’s system, and flee the crime scene entirely. Not only is the system of paying in untraceable Bitcoin risky, but the transaction in its entirety is so risky, it hardly seems palatable. Nonetheless, the number of victim companies that pay ransomware demands continues to grow at an alarming rate.
The Legalities of Ransomware Payment
Though the FBI has hinted at the possible illegality of paying a ransomware demand, the FBI has never specifically stated that the payer could actually be charged with a crime. It would seem rather obvious that with respect to any criminal statute, actions taken under duress do not ordinarily constitute a crime. Moreover, the ransomware attacker possesses the criminal intent, not the victim who agrees to pay. However, there is little specific legal authority on the subject of payment and negotiation with ransomware attackers, so the legalities of payment are worthy of some analysis.
In general, legal commentary and case law regarding ransom payments is limited. However, in a germane 2011 British case, Masefield AG v Amlin Corporate Member Ltd (The Bunga Melati Dua), relating to maritime piracy and ransom demands for safe return of the vessel and crew, the court faced a somewhat analogous scenario. Specifically, the British Court of Appeal held that there was no general public policy argument against paying ransoms, stating that:
“…there is no universal morality against the payment of ransom, the act not of the aggressor but of the victim of piratical threats, performed in order to save property and the liberty or life of hostages. There is no evidence before the court of such payments being illegal anywhere in the world. This is despite the realization that the payment of ransom, whatever it might achieve in terms of the rescue of hostages and property, itself encourages the incidence of piracy for the purposes of exacting more ransoms. (Perhaps it should be said that the pirates are not classified as terrorists. It may be that the position with regard to terrorists is different).”
Though addressing hostage ransoms, and not ransomware, former President Barak Obama provided a similar message in his Statement by the President on the U.S. Government’s Hostage Policy Review (June 24, 2015):
“I firmly believe that the United States government paying ransom to terrorists’ risks endangering more Americans and funding the very terrorism that we’re trying to stop. And so I firmly believe that our policy ultimately puts fewer Americans at risk. At the same time, we are clarifying that our policy does not prevent communication with hostage-takers — by our government, the families of hostages, or third parties who help these families . . . In particular, I want to point out that no family of an American hostage has ever been prosecuted for paying a ransom for the return of their loved ones. The last thing that we should ever do is to add to a family’s pain with threats like that.”
Ransomware and the FCPA
The Foreign Corrupt Practices Act of 1977 (FCPA) prohibits payments to foreign government officials to assist in obtaining or retaining business or directing business to any person. Laws such as the FCPA reflect an alternative approach to deterring bribes, by penalizing those on the payment side of the transaction.
Specifically, the FCPA prohibits giving something of value for the purpose of: “(i) influencing any act or decision of [a] foreign official in his official capacity, (ii) inducing such foreign official to do or omit any act in violation of the lawful duty of such official, or (iii) securing any improper advantage … to obtain or retain business for or with … any person.” The law provides an affirmative defense for payments that are “lawful under the written laws and regulations” of the country.
Given the FCPA threshold requirement that a payment must be made to assist in obtaining or retaining business for the individual or company or directing that business to another person, a ransomware scenario does not appear to trigger the FCPA.
However, FCPA’s enforcement can provide a useful analogy when considering the legalities of paying a ransomware demand. U.S. companies often face extortionate demands from foreign police, bureaucrats, and regulators, who threaten to hold, expel, or even harm employees if ransoms are not paid. And there have always been questions whether those involuntary payments can violate the FCPA. The DOJ-SEC Guidance on FCPA addresses this issue, stating:
“Does the FCPA Apply to Cases of Extortion or Duress? Situations involving extortion or duress will not give rise to FCPA liability because a payment made in response to true extortionate demands under imminent threat of physical harm cannot be said to have been made with corrupt intent or for the purpose of obtaining or retaining business.”
This notion, that under FCPA an individual is not guilty of a criminal offense when forced to do so by duress or extortion, is confirmed in United States v. Kozeny, 582 F.Supp.2d 535, 540 (S.D.N.Y. 2008). Specifically, in the Kozeny decision, the United States District Court for the Southern District of New York ruled that extortion or duress under the threat of imminent physical harm would excuses the conduct (essentially negating a corrupt intent), stating:
“ . . . while the FCPA would apply to a situation in which a “payment [is] demanded on the part of a government official as a price for gaining entry into a market or to obtain a contract,” it would not apply to one in which payment is made to an official “to keep an oil rig from being dynamited,” an example of “true extortion.” The reason is that in the former situation, the bribe payer cannot argue that he lacked the intent to bribe the official because he made the “conscious decision” to pay the official. In other words, in the first example, the payer could have turned his back and walked away—in the latter example, he could not.”
Whether the “economic duress” of a typical ransomware attack would rise to the level of “true extortion” as described in the Kozeny decision remains untested, and might be viewed as insufficient to excuse conduct from sanctions under the FCPA.
The FCPA could also potentially apply in ransomware scenarios where the cyber-criminal has a known connection to a foreign government. While the concealed identity of cyber-criminals involved in ransomware attacks likely prevents a payer from knowing that a payment violates the FCPA, the issue could still arise when a digital forensic expert identifies a ransomware attacker’s modus operandi to be that of a state sponsored organization (e.g. from Russia, North Korea or Iran).
Foreign Sanctions and Ransomware
Like the FCPA, international sanctions regimes are also designed to prevent payments to certain designated payees, institutions, and countries who are enemies of the U.S, such as terrorists and terrorist organizations. In the United States, the Treasury’s Office of Foreign Asset Controls (OFAC) supervises these programs, such as the Trading with the Enemy Act and the International Emergency Economic Powers Act (IEEPA).
Under these Acts, ransom payments (whether directly or indirectly through an intermediary) to Foreign Terrorist Organizations (FTOs) or Specially Designated Global Terrorists (SDGTs) identified by OFAC, are illegal under U.S. law. Monetary contributions to FTOs are considered material support under 18 U.S.C. 2339B, while transfers to SDGTs are violations of economic sanctions imposed pursuant to the IEEPA.
For example, in a February 2017 cyber-attack against the British National Health System, the attackers appeared to be ISIS and in particular, the Tunisian Falange Team, which posted graphics and pictures decrying at the war in Syria. Whether a similar attack against a U.S. hospital, with a similar evidentiary trail indicating terrorist attribution, would trigger the limitations imposed OFAC is unclear and untested. However, any digital forensic findings of a ransomware attack indicating terrorist attribution or involvement is certainly worthy of consideration when contemplating a ransomware payment.
Ransomware and Conspiracy
Whether a payer of a ransomware demand can be held to have entered into a conspiracy with the ransomware attacker seems unlikely and contrary to the public interest. A conspiracy is an agreement with another that a criminal course of conduct is to be pursued. Ransomware payments do not appear to be the kind of agreements contemplated by conspiracy statutes, but instead are forced arrangements dictated by a ransomware attacker.
However, other profiting and culpable participants in the Bitcoin payment scheme to pay a ransomware attacker might find themselves facing criminal penalties. Anthony Murgio, who recently pled guilty to operating as a money transmitter without a license in 2015, was also charged with violating Title 18 U.S.C., Section 1030(a)(7) and sentenced to 5 ½ years in prison. Federal prosecutors alleged that Murgio and his co-conspirators benefitted from transactions providing victims with Bitcoin to pay off ransomware demands. The Murgio indictment states:
“As part of the unlawful Coin.mx scheme, Anthony P. Murgio, the defendant, and his co-conspirators knowingly processed and profited from numerous Bitcoin transactions conducted on behalf of victims of ransomware schemes…By knowingly permitting ransomware victims to exchange currency for Bitcoins through Coin.mx, Murgio and his co-conspirators facilitated the transfer of ransom proceeds to the malware operators while generating revenue for Coin.mx.”
Unlike a ransomware payer, Murgio was a part of the payment process and clearly facilitated the ransomware transactions with unclean hands – possessing the kind of felonious intent required for money laundering criminal liability. Crypto-currency sellers or exchange operators may be caught up in legal trouble if: they have avoided or neglected reporting requirements or have not registered as a money transmission business (like Murgio), or, if they were criminally complicit with the ransomware attackers.
The distinction seems clear: if a Bitcoin seller actively aided and abetted a ransomware attacker, knowingly profiting from the scheme, the Bitcoin seller could be criminally liable. However, if a digital forensics firm made Bitcoin available to a client and provided technical advice as to how to pay in Bitcoin, then, like Thomas Clayton in Proof of Life, criminal liability seems wholly inappropriate.
Ransomware: To Pay or Not To Pay
For now, it seems that paying ransomware, while obviously risky and empowering/encouraging ransomware attackers, does not appear to break any laws – and even if payment is arguably unlawful, seems unlikely to be prosecuted. Thus, the decision whether to pay or ignore a ransomware demand, seems less of a legal, and more of a practical, determination — almost like a cost-benefit analysis.
The arguments for rendering a ransomware payment include:
Payment is the least costly option;
Payment is in the best interest of stakeholders (e.g. a hospital patient in desperate need of an immediate operation whose records are locked up);
Payment can avoid being fined for losing important data;
Payment means not losing highly confidential information; and
Payment may mean not going public with the data breach.
The arguments against rendering a ransomware payment include:
Payment does not guarantee that the right encryption keys with the proper decryption algorithms will be provided;
Payment further funds additional criminal pursuits of the attacker, enabling a cycle of ransomware crime;
Payment can do damage to a corporate brand;
Payment may not stop the ransomware attacker from returning;
If victims stopped making ransomware payments, the ransomware revenue stream would stop and ransomware attackers would have to move on to perpetrating another scheme; and
Using Bitcoin to pay a ransomware attacker can put organizations at risk. Most victims must buy Bitcoin on entirely unregulated and free-wheeling exchanges that can also be hacked, leaving buyers’ bank account information stored on these exchanges vulnerable.
Ransomware Remediation
There are a slew of basic steps companies should take as preemptive measures to avoid falling prey to ransomware, including backing up systems and employing the latest cybersecurity measures. Other measures include:
Updating operating systems, software patching, antivirus programs and firewalls;
Taking steps to detect and block ransomware through firewalls and intrusion detection monitoring, including setting alerts for anomalous behavior;
Revisiting backup protocols to ensure that a crypto-attack is classified as a potential disaster with appropriate contingency plans;
Enabling popup blockers;
Employing IT professionals or consultants familiar with ransomware, who stays current with evolving iterations and variants; and
Implementing a strong password policy requiring all users to regularly change passwords and require more complex passwords, i.e. mixture of lower and uppercase letters, numbers, and symbols;
Reviewing and auditing all network permissions in your network while updating and deactivating all user accounts regularly, including departing employees;
Rigorous employee education and outreach;
Securing long and short-term backups, stored in a manner detached from a company’s network;
Intense screening of partners and vendors to ensure strong security procedures from associated third parties;
Thoughtfully and securely segmenting sensitive user and corporate data within a corporate network; and
Changing network and Wi-Fi passwords regularly.
Along the same lines, the FBI urges organizations to be vigilant keeping browsers, operating systems and third-party application patch levels up to date, and that antivirus protection is also current. The FBI also suggests companies back up often, lock down access granted to individuals and manage configuration of file systems, directories and network shares appropriately.
By setting snares and “honeypots” for would-be ransomware attackers, companies can go so far as to employ drastic and direct preemptive measures. For example, Deception Technology sets its trademarked HackTraps to misdirect ransomware attackers and prevent them from going deeper into a corporate network and reaching their intended target. These traps can be as simple as a document with a deceiving title that was created exclusively to lure in the cybercriminals.
A digital forensic expert can also help a victim company develop and implement a containment plan to isolate any additional infections and provide strategic recommendations to prevent further ransomware attacks and otherwise mitigate their impact.
It may be hard to believe, but when handled correctly, a customer data compromise or data security incident like a ransomware attack can actually become the kind of successful failure that not only prompts remediation that strengthens technological infrastructure, but also reinforces a firm’s commitment and focus upon its customers, partners and other fiduciaries.
Ransomware and Business Continuity Plans
The critical importance of a business continuity plan in the event of a natural disaster is widely recognized and accepted. Yet, too often, such plans are not evaluated in the context of assessing cybersecurity risks such as ransomware.
Even when an organization’s IT cybersecurity response fully aligns to IT best practices, there are benefits in utilizing or integrating IT’s response into the existing business continuity structure, rather than having two separate response models. Speed and agility are key enablers in ransomware response, and business continuity enables nimble, rapid response limiting financial and reputational impact on the enterprise.
A powerful business continuity plan, which is properly integrated with an incident response plan, contemplates the threat of ransomware and plans for data recovery, such as with specialized back-up data systems that are routinely tested and updated as necessary.
Ransomware and Cyber Insurance
Like any other corporate risk, companies are beginning to realize that the financial, operational and even reputational risks of a ransomware attack can be addressed via a comprehensive and targeted cyber insurance policy. Over 60 insurance companies now offer cyber insurance, many containing specific provisions addressing ransomware. In 2015, ransomware accounted for just over 10% of cyber insurance claims, but in 2016 that figure grew to 25%.
Currently, most cyber insurance policies are modular, which means an organization chooses from a menu of coverage options, such as business interruption, third party liability for privacy breaches and first party coverage for an organization’s own costs to detect, stop, investigate and remediate a network security incident.
Ransomware typically falls under “first party” liabilities as cyber extortion and network interruption. When making a cyber insurance claim for ransomware, a victim company should be prepared to demonstrate that: the ransom has been surrendered under duress; the incident is not a hoax; there was c-suite participation in the ransomware payment decision; the insurance company approved of the ransomware payment plan; and the ransomware attack was reported to law enforcement.
Making an insurance reimbursement claim for a Bitcoin payment is also tricky, even with respect to valuation and execution. Challenges include proving to an insurance company: that a Bitcoin payment was made; that a Bitcoin payment was for a particular amount of U.S. dollars; and that a Bitcoin transaction was documented in an acceptable and verifiable manner.
Thus, a ransomware victim company may have to engage a professional intermediary to pay the attackers, and then seek reimbursement for the fees paid to the digital intermediary. Otherwise, an insurer might have no way to audit a process involving Bitcoin and therefore refuse to recompense Bitcoin payments. Cyber insurance might also not cover the full amount of the ransomware or may have in place a high deductible amount (for large organizations the deductible could be $500,000 or as high as $5 million).
Without a specific ransomware cyber insurance policy, a victim company would have to look to the breadth of their professional liability and other insurance policies, which can give rise to ambiguities and disputes. For example, the presence of any sort of terrorism exclusion can become problematic. For instance, insurance policies may have “acts of foreign enemies” or “government acts” exclusions that can limit reimbursement if the ransomware was distributed by cyber-attackers tied to a foreign government;
In addition, whether a ransomware victim company must show “physical damage” can also become an issue. In the typical ransomware scenario, a victim company’s data is not actually damaged but is rather, “locked.” An insurance company may argue that like other cyber-attacks, where a victim’s data was accessed, but not otherwise disturbed, altered or exfiltrated, then the victim has no insurance claim; and
Some companies who do not have cyber insurance, may turn to their kidnap insurance for coverage relating to ransomware attacks. Kidnap policies, known as K&R coverage, are typically used by multinational companies looking to protect their staff in areas of danger, such as where violence related to oil and mining operations is common (like parts of Africa and Latin America).
K&R policies, which typically do not have deductibles, can cover the ransom payments as well as crisis response services, including getting in touch with criminal and regulatory authorities. Whether K&R coverage, which was not designed for ransomware, will cover ransomware costs and expenses will always be a matter of the specific policies involved.
To get the most out of cyber coverage for ransomware attacks, companies should work closely with their brokers, their insurers, their outside counsel and their own internal experts and executives to fully understand their particular ransomware risks. For now, the most effective cyber insurance policies are bespoke, and given the rapidly evolving nature of cyber-attacks, will continue to require custom-tailored fitting for quite some time.
Just like other kinds of insurance, ransomware coverage by itself will rarely be enough to make a company whole after a cyber-attack, but it can provide critical financial resources. Moreover, when coupled with a thoughtful and diligent incident response, a sound ransomware insurance policy can send a powerful message of strong business acumen; fierce customer dedication; and steadfast corporate governance, demonstrating profound expertise to the marketplace, shareholders, regulators and the many other interested corporate stakeholders.
Final Thoughts
When confronted with a ransomware attack, the options all seem bleak. Pay the hackers – and the victim may not only prompt future attacks, but there is also no guarantee that the hackers will restore a victim’s dataset. Ignore the hackers – and the victim may incur significant financial damage or even find themselves out of business. The only guarantees during a ransomware attack are the fear, uncertainty and dread inevitably experienced by the victim.
Even under the best-case scenario, where a victim has maintained archives and can keep their business alive, the victim companies will incur significant remedial costs, business disruptions and exhaustive management drag. Moreover, having a back-up storage solution in place is not always ideal; not only can outside storage of data create additional cybersecurity risks, but sometimes data archives are more like the proverbial roach motel, where data checks in but it can’t check out.
No doubt that the ease, anonymity and speed of crypto-currency payments such as Bitcoin, has revolutionized the ransomware industry, prompting its extraordinary growth. Bitcoin not only makes it simpler to remain anonymous, but also enables a nameless payment mechanism where the extorted funds can be immediately transferred into criminal hands.
Transactions in crypto-currencies like Bitcoin lack a discernable audit trail and operate outside of regulated financial networks and are alarmingly unregulated. There is no central issuer of Bitcoins, nor a Federal Reserve of Bitcoins monitoring and tracking transactions or controlling their value. In short, government surveillance and regulation of cryptocurrency is virtually nonexistent (no pun intended) and so long as crypto-currency payment schemes exist, ransomware attacks and iterations will likely continue to thrive.
Though too early to tell, there may emerge some form of Bitcoin regulation via Executive Order No. 13,694 (April, 2015), which expands sanctions to include “blocking” the property of persons engaging in “Significant Malicious Cyber-Enabled Activities.” The order declares a “national emergency” to deal with cyber-enabled threats and extends to the assets of those who “have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any [malicious cyber-enabled activities].”
Given that ransomware Bitcoin payments are made to cyber criminals, per Executive Order 13,694, the U.S. Secretary of the Treasury, the U.S. Attorney General and/or the U.S. Secretary of State could freeze or “block” assets of any participant in the Bitcoin financial chain. Such dramatic government intervention could discourage the purveyors of ransomware attacks, who depend upon Bitcoin for receiving payments.
The government could also take additional steps to combat ransomware such as:
Providing financial incentives for private investment in ransomware prevention and remediation technologies;
Speaking more boldly discouraging ransomware payments that monetize crime, perhaps via the Financial Crimes Enforcement Network (FinCen) or via a task force of state and federal law enforcement agencies; or
Creating new legal penalties for ransomware payments in a manner similar to the FCPA, rendering the option of paying ransom costlier, thus nudging firms toward choosing greater security.
But these government measures are theoretical and even if implemented, might still not sojourn the dramatic growth of ransomware. The reality is that when it comes to ransomware attacks, the government seems idle and relatively powerless, which means ransomware victims are unfortunately on their own. So what should companies do to manage the increasing risk of the current ransomware crime wave?
As would probably be preached by Thomas Clayton (or Russell Crowe), companies struggling with ransomware threats should apply the same lessons to ransomware protection that Clayton uses for employee protection: Be prepared (e.g. deploy back-ups and the like); Be thoughtful (e.g. use professionals to implement preemptive measures and help handle the response); and Be vigilant (e.g. never underestimate the impact of ransomware and never take the threat lightly).
John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of, “The Cybersecurity Due Diligence Handbook,” available as an eBook on Amazon, iBooks and other booksellers.
The post Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance appeared first on The D&O Diary.
Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance published first on http://ift.tt/2kTPCwo
0 notes
Text
Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance
John Stark Reed
Readers undoubtedly are aware of the recent outbreak of ransomware incidents and the problems they present. The threat of ransomware attacks poses a host of issues, among the most significant of which is whether or not ransomware victims should go ahead and make the demanded ransomware payment as the quickest way to try to recover captured systems. In the following blog post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a comprehensive look that problems involved with making payments in response to a ransomware attack. A version of this article originally appeared on CybersecurityDocket.
I would like to thank John for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit an article. Here is John’s guest post.
****************************
In the 2000 American thriller film Proof of Life, the title refers to a phrase commonly used to indicate proof that a kidnap victim is still alive. As an expert negotiator in kidnapping cases, Terry Thorne, played by Russell Crowe, is engaged to bargain for a corporate kidnap victim’s safe return.
The film Proof of Life is not just a compelling narrative – its premise and main character also provide some useful insights into managing the emerging threat of ransomware. Ransomware, a special and more nascent type of malware, prevents or limits users from accessing their data, by locking system screens or user files, unless and until a ransom is paid.
Proof of Life’s screenplay was partly inspired by Thomas Hargrove’s book The Long March to Freedom, which recounts how the release of the once-kidnapped Hargrove was negotiated by Thomas Clayton, the founder of his eponymous kidnap-for-ransom consultancy Clayton Consultants (now part of risk management firm, Triple Canopy).
Just like Clayton Consultants, the team advising a ransomware victim company, whether a hospital or global corporate conglomerate, must employ a thoughtful, careful and methodical protocol to survive the ransomware crisis. Like any hostage situation, when a cyber-attacker locks up critical data files, the logistics and legalities of ransomware refusal, acquiescence or capitulation can be both elaborate and complicated.
To make matters worse, seeking law enforcement help for a ransomware attack unfortunately remains a very limited option. First, law enforcement has become inundated with ransomware reports and lacks the resources and wherewithal to assist victims. Second, most of the ransomware attackers are overseas, where merely obtaining an electronic evidence or interviewing a witness, let alone successful extradition and prosecution, are rarely possible. Finally, ransomware demands are often at monetary levels in the hundreds or thousands of dollars – too small to warrant federal law enforcement consideration while clearly outside of the jurisdiction of local law enforcement.
Thus, it should come as no surprise that a significant number of ransomware victims opt to pay the ransom. When padlocked files are business-critical (e.g. an important intellectual property formula); when encryption cannot be defeated (no matter how good the code-breaker) or when time is of the essence (e.g. when patient data is needed for life-saving surgery), paying the ransom can become the proverbial best worst option. Moreover, the typically de minimus ransomware payment demands (on average, about $679) are more akin to a financial nuisance than a material fiscal line-item, so from a cost-benefit perspective, payment can make the most sense.
Under any circumstance, ransomware has quickly become a novel, multifaceted and emerging risk to all corporate enterprises, and like any other material risk, should be addressed and mitigated in a reasonable, lawful, robust and effective manner.
This article provides guidance on the legal issues, logistical considerations and financial implications when managing ransomware threats, including an exposition of the unique issues which can arise when seeking proof of life and opting to meet the monetary demands of ransomware attacker.
What is Ransomware?
Ransomware is a type of malicious software that infects a computer and restricts users’ access to certain data, systems and/or files until a ransom is paid. Ransomware can come in many forms and iterations and like any other virus or infection, ransomware can evolve and transmogrify to counter cyber-defenses and remediation. Although only a fraction of ransomware attacks are actually reported to federal authorities, the U.S. Department of Justice reports over 4,000 ransomware attacks occur daily.
A ransomware victim company’s files are rarely exfiltrated by a ransomware attacker, rather the attacker encrypts the files so a victim company cannot access them. Then the hacker offers to sell the encryption key to the victim, typically payable in an anonymizing online crypto-currency such as Bitcoin. The usual ransomware demand comes with a deadline — after which time, the ransomware attacker threatens that the key will be destroyed or will expire, rendering the kidnapped files forever inaccessible. In many cases the ransom note that hijacks the victim’s screen is accompanied by a digital clock ominously ticking down the minutes and seconds from 72 hours. When the timer expires, the ransom demand usually goes up or even doubles – or the data is permanently locked and henceforth unrecoverable.
Bitcoin and other convertible crypto-currencies have become the keystone to current ransomware schemes, rendering the transactions practically untraceable and well suited for criminal transactions. Unlike the sequence of events during to a common kidnapping scenario, where the exchange of money arguably places criminals in their most vulnerable position, virtual kidnapping of ransomware actually facilitates anonymity throughout the Bitcoin transaction process.
Ransomware Growth
According to a recent study by IBM, spam emails loaded with ransomware increased 6,000 percent in 2016 compared with 2015, comprising almost 40 percent of all spam messages in 2016. Another report, from cybersecurity firm Symantec, cited 460,000 ransomware attempts in 2016, up 36% from 2015, with the average payment demand ballooning from $294 to $1,077, a 266% increase. Ransomware attacks have grown almost exponentially for several reasons:
The ransomware business model works, with the FBI stating that ransomware is on pace to become a one billion dollar source of income for cybercriminals in 2017;
Ransomware start-up costs are cheap. Ransomware software is readily and easily available – and is extraordinarily inexpensive. Ransomware is available for rent; for purchase or even in kits for building. Indeed, 60 percent of the Internet’s top sites sell ransomware; and
Ransomware schemes are typically successful. One recent study found that 70 percent of business victims paid the hackers to get their data back. Of those who paid, 50 percent paid more than $10,000 and 20 percent paid more than $40,000.
Ransomware attacks target the most vulnerable part of a company’s computer networks: people. The primary attack vector for ransomware is an employee who has clicked on a file or a linked he or she should not have clicked. That employee may be:
An accidental insider (e.g. an inattentive employee infiltrated due to inadvertent behaviors or broken business processes);
A compromised insider (e.g. a targeted employee via social engineering and infiltrated due to malware infections or stolen credentials); or
A malicious insider (e.g. a so-called bad leaver or criminal insider who infiltrate via corporate espionage and sabotage).
Ransomware is sometimes embedded in seemingly legitimate downloads such as software updates or resume files. Fake Adobe Flash updates are a notorious Trojan horse for delivering ransomware because Flash is such a ubiquitous add-on to most Internet browsers. Once inside a network, some ransomware can seed itself to additional computers or other devices via SMS messages or a user’s contact list.
What makes ransomware countermeasures challenging is the evolution of ransomware variants. There has been a tremendous increase in ransomware strains – reaching almost epidemic proportions. Indeed, new ransomware strains are now being created to tap into the mobile user base, which can impact both personal and business information, already dramatically expanding the ransomware threat landscape, diversifying and expanding their platforms, capabilities and techniques in order to accrue more targets.
Per recent reports, in the third quarter of 2011, about 60,000 new variants of ransomware were detected. That number doubled to over 200,000 in 2012; quadrupling to over 700,000 variants from 2014, to the first quarter of 2015. In the first quarter of 2016, security firm Kaspersky Lab revealed 2,900 new “modifications” of existing ransomware, a 14% increase from the last quarter, and a 30% increase from the previous quarter.
As the Internet of Things begins to establish a foothold in daily life, ransomware growth seems poised to become more severe and more widespread. Market forecaster Gartner expects 6.4 billion connected devices will surround us in the home and workplace this year, a $30 billion market by the year 2020. This growing network of Internet-connected household devices, from Samsung refrigerators to Nest thermostats, will undoubtedly render individuals and corporations increasingly vulnerable to ransomware attacks.
Recent Ransomware Attacks
While ransomware has beleaguered victim companies for much of the last decade, a recent global spate of ransomware attacks has prompted intense media coverage and worldwide apprehension and concern.
For instance, in April 2017, a ransomware group known as Shadow Brokers coopted a ransomware exploit (nicknamed Eternal Blue) from the U.S. National Security Agency, and took advantage of a Windows vulnerability, targeting a wave of hospitals. The ransomware extortion demands impacted more than just corporate operations and secrets; suddenly, a cyber-attack impacted the lives of sick hospital patients, prompting an almost international hysteria.
The vulnerability, patchable for new Microsoft systems but not necessarily for older systems upon which many hospitals were running, was dubbed “WannaCry” or “WannaCrypt” ransomware, and according to Europol, claimed over 200,000 victims in over 150 countries.
Similarly, in late June 2017, another strain of ransomware hit at least six countries, including and primarily Ukraine, where it was blamed for a large and coordinated attack on key parts of the nation’s infrastructure, from government agencies and electric grids to stores and banks. According to Microsoft, this outbreak, referred to as NotPetya – aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya and Diskcoder.C – resulted in “a less widespread attack” than WannaCry, aka WannaCrypt.
As a result of NotPetya ransomware, A.T.M.’s in the Ukraine apparently stopped working; workers were forced to manually monitor radiation at the old Chernobyl nuclear plant when their computers failed; and data security personnel at companies around the world — from Maersk, the Danish shipping conglomerate, to Merck, the drug giant in the United States — were reportedly scrambling to respond. Even an Australian factory for the chocolate giant Cadbury was affected.
Though more sophisticated than WannaCry and employing the same Eternal Blue server message block exploit, NotPetya’s global impact was reportedly blunted by its own limited attack capabilities (e.g. by a default setting, the infected system reboots after 60 minutes, and the malware does not persist after the reboot). “This means that the threat can only do lateral movement and exploitation of other machines during this limited time,” Microsoft says. “This reduced the reach of the attack.”
Law Enforcement and Ransomware: The Official View
The official line from federal law enforcement with respect to Ransomware is: Report the Incident and Don’t Pay. Specifically, the FBI warns:
“The FBI doesn’t support paying a ransom in response to a ransomware attack . . . Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. [B]y paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
The FBI also warns that paying ransomware does not guarantee that a victim company will obtain from the attacker a working key to rescue their data. The FBI is aware of cases where either the attackers fail to hand over the correct decryption key or are unwilling to comply with the original ransomware demands after payment is received. According to Trend Micro research, nearly 33 percent of firms that pay the ransom when attacked by ransomware fail to get their data back. The FBI also urges ransomware victims to report ransomware attacks immediately and seek help from the FBI in handling the situation.
Along similar lines, during an emergency meeting to address the WannaCry ransomware attacks, Tom Bossert, Homeland Security Advisor to President Donald Trump, discussed the perils of ransomware payment, and warned that victims could still lose access to files even after making a payment:
“Well, the U.S. government doesn’t make a recommendation on paying ransom, but I would provide a strong caution. You’re dealing with people who are obviously not scrupulous, so making a payment does not mean you are going to get your data back.”
Law Enforcement and Ransomware: The Unofficial View
In some public settings, the FBI has warned that, without paying a ransom, victim companies may not be able to unlock their kidnapped data from ransomware attackers who use Cryptolocker, Cryptowall and other potent malware strains.
“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office. “To be honest, we often advise people to just pay the ransom . . . The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom.”
Indeed, the Ponemon Institute reported in a 2016 study that 48% of businesses victimized by ransomware paid the ransom (average ransomware payment being $2,500), while a similar IBM Security study found that 70 percent of business victims paid the ransom during that same period.
Even some law enforcement officials themselves have decided to cut their losses by paying off the purveyors of ransomware. For instance, in the Massachusetts townships of Tewksbury and Swansea, ransomware attackers made off with $500 and $750 bounties, respectively. Elsewhere, police departments in the Chicago suburbs of Midlothian and Dickson County, Tenn., also paid ransom amounts to ransomware attackers. That even law enforcement officials have opted to cut their losses by succumbing to, and paying off, ransomware attackers demonstrates how oddly commonplace ransomware payments have become.
Counsel as Quarterback for Ransomware Response
Ransomware is a crime, has significant regulatory implications and can involve important legal responsibilities and liabilities. At a minimum, ransomware schemes run afoul of the federal computer crime statute, 18 U.S.C. § 1030, and particularly subsection (a)(7), which forbids hacking intended to extort something of value from the victim.
Above all else, the legal ramifications of any ransomware incident or failure can be calamitous for any public or private company. Even the most traditional realms of IT dominion such as exfiltration analysis, malware reverse engineering, digital forensics, logging review and most technological remediation measures are rife with legal and compliance issues and a myriad of potential conflicts.
For instance, after a cybersecurity incident such as a ransomware attack, law enforcement, regulators, vendors, partners, insurers, customers and others may:
Request forensic images of impacted systems;
Demand copies of indicators of compromise;
Mandate that their own auditors or examiners visit sites of infiltration and conduct their own audit and investigation;
Want to participate in remediation planning;
Seek interviews and interactions with IT personnel;
Require briefings from a victim company’s forensic experts and data security engineers; or
Ask to attach a recording appliance to a victim company’s network in hope of capturing traces of attacker activity, should an attacker return.
These requests raise a host of legal issues, including how exactly to respond to each request and whether any response would violate the privacy of customers; be at odds with commercial agreements; result in a waiver of the attorney-client or work product privileges; or have any other legal/compliance consequences.
Because so many incident response issues are critical to the very survival of a company, who else but the GC can oversee and direct investigative workflow, commanding the investigation and remediation for the C-suite, sharing with senior management the ultimate responsibility for key decisions, while having the responsibility and duty of reporting to the company’s board.
Ransomware and the Attorney-Client Privilege
Attorney involvement, awareness, leadership, and direction are not the only essentials for managing the quagmire of legal issues arising during a ransomware response. GC involvement also triggers the protections afforded by the attorney-client and work product privileges, a critical component in the response to data security incidents.
The involvement and direction of counsel in the context of any investigation will presumably apply to the work product produced not only directly by the legal team members but also by the outside advisors, including the digital forensic investigators engaged by internal or outside counsel.
This is standard practice in the context of any other type of investigation – a cyber incident is no different. There is nothing nefarious or extraordinary about this approach, it is a time-honored and tested standard operating procedure. The involvement of counsel establishes a single point of coordination and a designated information collection point.
Counsel as quarterback of ransomware response also enhances visibility into the facts, improves the ability to pursue appropriate leads and, most importantly, ensures the accuracy and completeness of information before it is communicated to external audiences. Otherwise, incomplete and/or inaccurate information could be released, only to have to later be corrected or even retracted.
Ransomware Notification Requirements
Although typically involving locking up data (rather than accessing, targeting or exfiltrating data), a ransomware attack could still be deemed the type of data security incident which triggers a legal notification requirement, including notice to:
State regulators (per state privacy statutes, rules and regulations);
Shareholders (per SEC disclosure obligations);
Vendors, partners and other entities (Many companies now incorporate rigorous cybersecurity notification requirements into their contracts, which can trigger when a victim company experiences a ransomware attack.);
Insurance carriers (especially if a victim company plans to make an insurance claim, relating to the ransomware attack);
Customers (when the data of a customer, such as a hospital patient, is impacted by a ransomware attack, a victim company may have very specific legal obligations to notify that customer); and
Any other constituency who may have a vested interest in a victim-company.
With respect to state regulatory notifications there is some grey area worthy of mention. In the United States, 52 jurisdictions (including 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands) have enacted some version of a data breach notification law. Under these laws, notification may be required for any customer whose personally identifiable information (PII) was acquired or accessed, or reasonably likely to have been acquired or accessed. While most states require some form of notice to their residents of a data breach, depending on applicable legal standards, some states also require notification to public agencies, such as the state attorney general.
The threshold issue is a technological one – probably best determined by a digital forensics expert and couched in legal terms. For instance, if the data is encrypted or otherwise “locked” through an automated process, companies could argue that the data was never accessed by an unauthorized party, which is the standard that typically triggers state breach notification laws.
On the other hand, though the mere encryption of data may not trigger the notification rules, the viewing, copying, relocating and altering of information can. Digital forensics and malware reverse engineering can provide some clue with respect to the impact of a ransomware attack and help assess some of the lesser state thresholds (such as in states like Connecticut, Florida, Kansas, Louisiana and New Jersey) where the definition of a breach also includes accessing of protected health information.
With respect to some of the more onerous and specific federal notification rules, such as under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), digital forensics analysis can also provide critical information relating to disclosure requirements. For instance, HHS rules generally state that hospitals need only report attacks that result in the exposure of private medical or financial information, such as malware that steals data. Whether ransomware’s data encryption crosses that legal threshold can be challenging to determine, which is why ransomware attacks and other data security incidents at health care organizations often go unreported.
In addition, under the new EU General Data Protection Regulation, effective May 25, 2018, there is a requirement to notify the supervisory authorities without undue delay (no later than 72 hours) after becoming aware of a data breach, unless it is unlikely to cause a risk to the affected individuals. The fines for violating this regulation are significant—up to 4% of global annual turnover or €20 million (whichever is the higher), so any late notification will need to be justified.
Ransomware Investigative Tactics
While determining the bona fides of a ransomware strain is always challenging, an experienced digital forensic examiner can find some answers by searching for some of the more typical cyber-indicators. Ransomware malware is characteristically a type of tool, which is not only known to most professionals, but may even be readily available for purchase online. If the name and modus operandi of the ransomware is new or otherwise unknown, rather than a victim firm being “patient zero,” the ransomware may turn out to be bogus.
Digital forensic experts can also research the Bitcoin payment address; the malware message; any relevant phishing emails; and any other of the ransomware’s characteristics in data security research forums and internal archives, to analyze recent commentary about the ransomware and test its efficacy and validity.
There are also a range of digital forensics tests to initiate upon an infected file to assess a ransomware strain’s actual efficacy. For instance, one simple test is to return the file name to its original form. Real ransomware changes the file extension of encrypted files. The Ransomware files may not be encrypted but just renamed to provide the illusion of encryption to cajole a ransom payment. A digital forensics expert can also investigate the severity of the attack; reverse-engineer the malware that has taken control of victim data; and attempt a full-fledged data recovery.
Ransomware Payment
In cases where a particular ransomware attack cannot be fully mitigated, an experienced digital forensics firm can broker and validate a solution that minimizes the cost of recovery and prevents further extortion from the attacker.
Paying off the ransomware attackers typically entails: 1) sending the secret ransomware key file now stored on the victim’s computer; 2) uploading that file (or data string) to the attackers together with a Bitcoin payment; and 3) awaiting a decryption key or a tool a victim can use to undo the encryption on the victim company files. This is a complex and challenging process.
First off, a digital forensics firm can help a ransomware victim navigate the maze of setting up an account to handle Bitcoin, getting it funded, and figuring out how to pay other people with it. A digital forensics examiner may even be able to construct a payment scheme where rendering ransomware payments is conditional. By using cryptocurrency features to ensure that ransomware attackers cannot receive their payment unless they deliver a key, there can exist some added level of security and reliability upon the transaction. One ransomware response expert, notes:
“ . . A ransomware developer could easily perform payment via a smart contract script (in a system like Ethereum) that guarantees the following property. This payment will be delivered to the ransomware operator if and only if the ransomware author unlocks it — by posting the ransomware decryption key to the same blockchain.”
Ransomware attackers may portray the entire ransomware payment process as more akin to an ordinary business transaction than an international extortion scheme. In fact, some recent ransomware attackers purportedly even offer a victim company a discount if the victim company transmits the infection to other companies, just like referral programs of Uber or Lyft.
However, while a ransomware payment process may seem straightforward and rudimentary, the reality is far more complicated and rife with challenges. No ransomware payment process can guarantee that the ransomware attacker will provide a decryption key. The ransomware scheme may be nothing more than a social engineering ruse, more like an old fashioned Nigerian Internet scam than a malware infection – and the payment could end up being all for naught.
Indeed, ransomware attackers may no longer have the encryption key or may just opt to take a ransom payment, infect a company’s system, and flee the crime scene entirely. Not only is the system of paying in untraceable Bitcoin risky, but the transaction in its entirety is so risky, it hardly seems palatable. Nonetheless, the number of victim companies that pay ransomware demands continues to grow at an alarming rate.
The Legalities of Ransomware Payment
Though the FBI has hinted at the possible illegality of paying a ransomware demand, the FBI has never specifically stated that the payer could actually be charged with a crime. It would seem rather obvious that with respect to any criminal statute, actions taken under duress do not ordinarily constitute a crime. Moreover, the ransomware attacker possesses the criminal intent, not the victim who agrees to pay. However, there is little specific legal authority on the subject of payment and negotiation with ransomware attackers, so the legalities of payment are worthy of some analysis.
In general, legal commentary and case law regarding ransom payments is limited. However, in a germane 2011 British case, Masefield AG v Amlin Corporate Member Ltd (The Bunga Melati Dua), relating to maritime piracy and ransom demands for safe return of the vessel and crew, the court faced a somewhat analogous scenario. Specifically, the British Court of Appeal held that there was no general public policy argument against paying ransoms, stating that:
“…there is no universal morality against the payment of ransom, the act not of the aggressor but of the victim of piratical threats, performed in order to save property and the liberty or life of hostages. There is no evidence before the court of such payments being illegal anywhere in the world. This is despite the realization that the payment of ransom, whatever it might achieve in terms of the rescue of hostages and property, itself encourages the incidence of piracy for the purposes of exacting more ransoms. (Perhaps it should be said that the pirates are not classified as terrorists. It may be that the position with regard to terrorists is different).”
Though addressing hostage ransoms, and not ransomware, former President Barak Obama provided a similar message in his Statement by the President on the U.S. Government’s Hostage Policy Review (June 24, 2015):
“I firmly believe that the United States government paying ransom to terrorists’ risks endangering more Americans and funding the very terrorism that we’re trying to stop. And so I firmly believe that our policy ultimately puts fewer Americans at risk. At the same time, we are clarifying that our policy does not prevent communication with hostage-takers — by our government, the families of hostages, or third parties who help these families . . . In particular, I want to point out that no family of an American hostage has ever been prosecuted for paying a ransom for the return of their loved ones. The last thing that we should ever do is to add to a family’s pain with threats like that.”
Ransomware and the FCPA
The Foreign Corrupt Practices Act of 1977 (FCPA) prohibits payments to foreign government officials to assist in obtaining or retaining business or directing business to any person. Laws such as the FCPA reflect an alternative approach to deterring bribes, by penalizing those on the payment side of the transaction.
Specifically, the FCPA prohibits giving something of value for the purpose of: “(i) influencing any act or decision of [a] foreign official in his official capacity, (ii) inducing such foreign official to do or omit any act in violation of the lawful duty of such official, or (iii) securing any improper advantage … to obtain or retain business for or with … any person.” The law provides an affirmative defense for payments that are “lawful under the written laws and regulations” of the country.
Given the FCPA threshold requirement that a payment must be made to assist in obtaining or retaining business for the individual or company or directing that business to another person, a ransomware scenario does not appear to trigger the FCPA.
However, FCPA’s enforcement can provide a useful analogy when considering the legalities of paying a ransomware demand. U.S. companies often face extortionate demands from foreign police, bureaucrats, and regulators, who threaten to hold, expel, or even harm employees if ransoms are not paid. And there have always been questions whether those involuntary payments can violate the FCPA. The DOJ-SEC Guidance on FCPA addresses this issue, stating:
“Does the FCPA Apply to Cases of Extortion or Duress? Situations involving extortion or duress will not give rise to FCPA liability because a payment made in response to true extortionate demands under imminent threat of physical harm cannot be said to have been made with corrupt intent or for the purpose of obtaining or retaining business.”
This notion, that under FCPA an individual is not guilty of a criminal offense when forced to do so by duress or extortion, is confirmed in United States v. Kozeny, 582 F.Supp.2d 535, 540 (S.D.N.Y. 2008). Specifically, in the Kozeny decision, the United States District Court for the Southern District of New York ruled that extortion or duress under the threat of imminent physical harm would excuses the conduct (essentially negating a corrupt intent), stating:
“ . . . while the FCPA would apply to a situation in which a “payment [is] demanded on the part of a government official as a price for gaining entry into a market or to obtain a contract,” it would not apply to one in which payment is made to an official “to keep an oil rig from being dynamited,” an example of “true extortion.” The reason is that in the former situation, the bribe payer cannot argue that he lacked the intent to bribe the official because he made the “conscious decision” to pay the official. In other words, in the first example, the payer could have turned his back and walked away—in the latter example, he could not.”
Whether the “economic duress” of a typical ransomware attack would rise to the level of “true extortion” as described in the Kozeny decision remains untested, and might be viewed as insufficient to excuse conduct from sanctions under the FCPA.
The FCPA could also potentially apply in ransomware scenarios where the cyber-criminal has a known connection to a foreign government. While the concealed identity of cyber-criminals involved in ransomware attacks likely prevents a payer from knowing that a payment violates the FCPA, the issue could still arise when a digital forensic expert identifies a ransomware attacker’s modus operandi to be that of a state sponsored organization (e.g. from Russia, North Korea or Iran).
Foreign Sanctions and Ransomware
Like the FCPA, international sanctions regimes are also designed to prevent payments to certain designated payees, institutions, and countries who are enemies of the U.S, such as terrorists and terrorist organizations. In the United States, the Treasury’s Office of Foreign Asset Controls (OFAC) supervises these programs, such as the Trading with the Enemy Act and the International Emergency Economic Powers Act (IEEPA).
Under these Acts, ransom payments (whether directly or indirectly through an intermediary) to Foreign Terrorist Organizations (FTOs) or Specially Designated Global Terrorists (SDGTs) identified by OFAC, are illegal under U.S. law. Monetary contributions to FTOs are considered material support under 18 U.S.C. 2339B, while transfers to SDGTs are violations of economic sanctions imposed pursuant to the IEEPA.
For example, in a February 2017 cyber-attack against the British National Health System, the attackers appeared to be ISIS and in particular, the Tunisian Falange Team, which posted graphics and pictures decrying at the war in Syria. Whether a similar attack against a U.S. hospital, with a similar evidentiary trail indicating terrorist attribution, would trigger the limitations imposed OFAC is unclear and untested. However, any digital forensic findings of a ransomware attack indicating terrorist attribution or involvement is certainly worthy of consideration when contemplating a ransomware payment.
Ransomware and Conspiracy
Whether a payer of a ransomware demand can be held to have entered into a conspiracy with the ransomware attacker seems unlikely and contrary to the public interest. A conspiracy is an agreement with another that a criminal course of conduct is to be pursued. Ransomware payments do not appear to be the kind of agreements contemplated by conspiracy statutes, but instead are forced arrangements dictated by a ransomware attacker.
However, other profiting and culpable participants in the Bitcoin payment scheme to pay a ransomware attacker might find themselves facing criminal penalties. Anthony Murgio, who recently pled guilty to operating as a money transmitter without a license in 2015, was also charged with violating Title 18 U.S.C., Section 1030(a)(7) and sentenced to 5 ½ years in prison. Federal prosecutors alleged that Murgio and his co-conspirators benefitted from transactions providing victims with Bitcoin to pay off ransomware demands. The Murgio indictment states:
“As part of the unlawful Coin.mx scheme, Anthony P. Murgio, the defendant, and his co-conspirators knowingly processed and profited from numerous Bitcoin transactions conducted on behalf of victims of ransomware schemes…By knowingly permitting ransomware victims to exchange currency for Bitcoins through Coin.mx, Murgio and his co-conspirators facilitated the transfer of ransom proceeds to the malware operators while generating revenue for Coin.mx.”
Unlike a ransomware payer, Murgio was a part of the payment process and clearly facilitated the ransomware transactions with unclean hands – possessing the kind of felonious intent required for money laundering criminal liability. Crypto-currency sellers or exchange operators may be caught up in legal trouble if: they have avoided or neglected reporting requirements or have not registered as a money transmission business (like Murgio), or, if they were criminally complicit with the ransomware attackers.
The distinction seems clear: if a Bitcoin seller actively aided and abetted a ransomware attacker, knowingly profiting from the scheme, the Bitcoin seller could be criminally liable. However, if a digital forensics firm made Bitcoin available to a client and provided technical advice as to how to pay in Bitcoin, then, like Thomas Clayton in Proof of Life, criminal liability seems wholly inappropriate.
Ransomware: To Pay or Not To Pay
For now, it seems that paying ransomware, while obviously risky and empowering/encouraging ransomware attackers, does not appear to break any laws – and even if payment is arguably unlawful, seems unlikely to be prosecuted. Thus, the decision whether to pay or ignore a ransomware demand, seems less of a legal, and more of a practical, determination — almost like a cost-benefit analysis.
The arguments for rendering a ransomware payment include:
Payment is the least costly option;
Payment is in the best interest of stakeholders (e.g. a hospital patient in desperate need of an immediate operation whose records are locked up);
Payment can avoid being fined for losing important data;
Payment means not losing highly confidential information; and
Payment may mean not going public with the data breach.
The arguments against rendering a ransomware payment include:
Payment does not guarantee that the right encryption keys with the proper decryption algorithms will be provided;
Payment further funds additional criminal pursuits of the attacker, enabling a cycle of ransomware crime;
Payment can do damage to a corporate brand;
Payment may not stop the ransomware attacker from returning;
If victims stopped making ransomware payments, the ransomware revenue stream would stop and ransomware attackers would have to move on to perpetrating another scheme; and
Using Bitcoin to pay a ransomware attacker can put organizations at risk. Most victims must buy Bitcoin on entirely unregulated and free-wheeling exchanges that can also be hacked, leaving buyers’ bank account information stored on these exchanges vulnerable.
Ransomware Remediation
There are a slew of basic steps companies should take as preemptive measures to avoid falling prey to ransomware, including backing up systems and employing the latest cybersecurity measures. Other measures include:
Updating operating systems, software patching, antivirus programs and firewalls;
Taking steps to detect and block ransomware through firewalls and intrusion detection monitoring, including setting alerts for anomalous behavior;
Revisiting backup protocols to ensure that a crypto-attack is classified as a potential disaster with appropriate contingency plans;
Enabling popup blockers;
Employing IT professionals or consultants familiar with ransomware, who stays current with evolving iterations and variants; and
Implementing a strong password policy requiring all users to regularly change passwords and require more complex passwords, i.e. mixture of lower and uppercase letters, numbers, and symbols;
Reviewing and auditing all network permissions in your network while updating and deactivating all user accounts regularly, including departing employees;
Rigorous employee education and outreach;
Securing long and short-term backups, stored in a manner detached from a company’s network;
Intense screening of partners and vendors to ensure strong security procedures from associated third parties;
Thoughtfully and securely segmenting sensitive user and corporate data within a corporate network; and
Changing network and Wi-Fi passwords regularly.
Along the same lines, the FBI urges organizations to be vigilant keeping browsers, operating systems and third-party application patch levels up to date, and that antivirus protection is also current. The FBI also suggests companies back up often, lock down access granted to individuals and manage configuration of file systems, directories and network shares appropriately.
By setting snares and “honeypots” for would-be ransomware attackers, companies can go so far as to employ drastic and direct preemptive measures. For example, Deception Technology sets its trademarked HackTraps to misdirect ransomware attackers and prevent them from going deeper into a corporate network and reaching their intended target. These traps can be as simple as a document with a deceiving title that was created exclusively to lure in the cybercriminals.
A digital forensic expert can also help a victim company develop and implement a containment plan to isolate any additional infections and provide strategic recommendations to prevent further ransomware attacks and otherwise mitigate their impact.
It may be hard to believe, but when handled correctly, a customer data compromise or data security incident like a ransomware attack can actually become the kind of successful failure that not only prompts remediation that strengthens technological infrastructure, but also reinforces a firm’s commitment and focus upon its customers, partners and other fiduciaries.
Ransomware and Business Continuity Plans
The critical importance of a business continuity plan in the event of a natural disaster is widely recognized and accepted. Yet, too often, such plans are not evaluated in the context of assessing cybersecurity risks such as ransomware.
Even when an organization’s IT cybersecurity response fully aligns to IT best practices, there are benefits in utilizing or integrating IT’s response into the existing business continuity structure, rather than having two separate response models. Speed and agility are key enablers in ransomware response, and business continuity enables nimble, rapid response limiting financial and reputational impact on the enterprise.
A powerful business continuity plan, which is properly integrated with an incident response plan, contemplates the threat of ransomware and plans for data recovery, such as with specialized back-up data systems that are routinely tested and updated as necessary.
Ransomware and Cyber Insurance
Like any other corporate risk, companies are beginning to realize that the financial, operational and even reputational risks of a ransomware attack can be addressed via a comprehensive and targeted cyber insurance policy. Over 60 insurance companies now offer cyber insurance, many containing specific provisions addressing ransomware. In 2015, ransomware accounted for just over 10% of cyber insurance claims, but in 2016 that figure grew to 25%.
Currently, most cyber insurance policies are modular, which means an organization chooses from a menu of coverage options, such as business interruption, third party liability for privacy breaches and first party coverage for an organization’s own costs to detect, stop, investigate and remediate a network security incident.
Ransomware typically falls under “first party” liabilities as cyber extortion and network interruption. When making a cyber insurance claim for ransomware, a victim company should be prepared to demonstrate that: the ransom has been surrendered under duress; the incident is not a hoax; there was c-suite participation in the ransomware payment decision; the insurance company approved of the ransomware payment plan; and the ransomware attack was reported to law enforcement.
Making an insurance reimbursement claim for a Bitcoin payment is also tricky, even with respect to valuation and execution. Challenges include proving to an insurance company: that a Bitcoin payment was made; that a Bitcoin payment was for a particular amount of U.S. dollars; and that a Bitcoin transaction was documented in an acceptable and verifiable manner.
Thus, a ransomware victim company may have to engage a professional intermediary to pay the attackers, and then seek reimbursement for the fees paid to the digital intermediary. Otherwise, an insurer might have no way to audit a process involving Bitcoin and therefore refuse to recompense Bitcoin payments. Cyber insurance might also not cover the full amount of the ransomware or may have in place a high deductible amount (for large organizations the deductible could be $500,000 or as high as $5 million).
Without a specific ransomware cyber insurance policy, a victim company would have to look to the breadth of their professional liability and other insurance policies, which can give rise to ambiguities and disputes. For example, the presence of any sort of terrorism exclusion can become problematic. For instance, insurance policies may have “acts of foreign enemies” or “government acts” exclusions that can limit reimbursement if the ransomware was distributed by cyber-attackers tied to a foreign government;
In addition, whether a ransomware victim company must show “physical damage” can also become an issue. In the typical ransomware scenario, a victim company’s data is not actually damaged but is rather, “locked.” An insurance company may argue that like other cyber-attacks, where a victim’s data was accessed, but not otherwise disturbed, altered or exfiltrated, then the victim has no insurance claim; and
Some companies who do not have cyber insurance, may turn to their kidnap insurance for coverage relating to ransomware attacks. Kidnap policies, known as K&R coverage, are typically used by multinational companies looking to protect their staff in areas of danger, such as where violence related to oil and mining operations is common (like parts of Africa and Latin America).
K&R policies, which typically do not have deductibles, can cover the ransom payments as well as crisis response services, including getting in touch with criminal and regulatory authorities. Whether K&R coverage, which was not designed for ransomware, will cover ransomware costs and expenses will always be a matter of the specific policies involved.
To get the most out of cyber coverage for ransomware attacks, companies should work closely with their brokers, their insurers, their outside counsel and their own internal experts and executives to fully understand their particular ransomware risks. For now, the most effective cyber insurance policies are bespoke, and given the rapidly evolving nature of cyber-attacks, will continue to require custom-tailored fitting for quite some time.
Just like other kinds of insurance, ransomware coverage by itself will rarely be enough to make a company whole after a cyber-attack, but it can provide critical financial resources. Moreover, when coupled with a thoughtful and diligent incident response, a sound ransomware insurance policy can send a powerful message of strong business acumen; fierce customer dedication; and steadfast corporate governance, demonstrating profound expertise to the marketplace, shareholders, regulators and the many other interested corporate stakeholders.
Final Thoughts
When confronted with a ransomware attack, the options all seem bleak. Pay the hackers – and the victim may not only prompt future attacks, but there is also no guarantee that the hackers will restore a victim’s dataset. Ignore the hackers – and the victim may incur significant financial damage or even find themselves out of business. The only guarantees during a ransomware attack are the fear, uncertainty and dread inevitably experienced by the victim.
Even under the best-case scenario, where a victim has maintained archives and can keep their business alive, the victim companies will incur significant remedial costs, business disruptions and exhaustive management drag. Moreover, having a back-up storage solution in place is not always ideal; not only can outside storage of data create additional cybersecurity risks, but sometimes data archives are more like the proverbial roach motel, where data checks in but it can’t check out.
No doubt that the ease, anonymity and speed of crypto-currency payments such as Bitcoin, has revolutionized the ransomware industry, prompting its extraordinary growth. Bitcoin not only makes it simpler to remain anonymous, but also enables a nameless payment mechanism where the extorted funds can be immediately transferred into criminal hands.
Transactions in crypto-currencies like Bitcoin lack a discernable audit trail and operate outside of regulated financial networks and are alarmingly unregulated. There is no central issuer of Bitcoins, nor a Federal Reserve of Bitcoins monitoring and tracking transactions or controlling their value. In short, government surveillance and regulation of cryptocurrency is virtually nonexistent (no pun intended) and so long as crypto-currency payment schemes exist, ransomware attacks and iterations will likely continue to thrive.
Though too early to tell, there may emerge some form of Bitcoin regulation via Executive Order No. 13,694 (April, 2015), which expands sanctions to include “blocking” the property of persons engaging in “Significant Malicious Cyber-Enabled Activities.” The order declares a “national emergency” to deal with cyber-enabled threats and extends to the assets of those who “have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any [malicious cyber-enabled activities].”
Given that ransomware Bitcoin payments are made to cyber criminals, per Executive Order 13,694, the U.S. Secretary of the Treasury, the U.S. Attorney General and/or the U.S. Secretary of State could freeze or “block” assets of any participant in the Bitcoin financial chain. Such dramatic government intervention could discourage the purveyors of ransomware attacks, who depend upon Bitcoin for receiving payments.
The government could also take additional steps to combat ransomware such as:
Providing financial incentives for private investment in ransomware prevention and remediation technologies;
Speaking more boldly discouraging ransomware payments that monetize crime, perhaps via the Financial Crimes Enforcement Network (FinCen) or via a task force of state and federal law enforcement agencies; or
Creating new legal penalties for ransomware payments in a manner similar to the FCPA, rendering the option of paying ransom costlier, thus nudging firms toward choosing greater security.
But these government measures are theoretical and even if implemented, might still not sojourn the dramatic growth of ransomware. The reality is that when it comes to ransomware attacks, the government seems idle and relatively powerless, which means ransomware victims are unfortunately on their own. So what should companies do to manage the increasing risk of the current ransomware crime wave?
As would probably be preached by Thomas Clayton (or Russell Crowe), companies struggling with ransomware threats should apply the same lessons to ransomware protection that Clayton uses for employee protection: Be prepared (e.g. deploy back-ups and the like); Be thoughtful (e.g. use professionals to implement preemptive measures and help handle the response); and Be vigilant (e.g. never underestimate the impact of ransomware and never take the threat lightly).
John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of, “The Cybersecurity Due Diligence Handbook,” available as an eBook on Amazon, iBooks and other booksellers.
The post Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance appeared first on The D&O Diary.
Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance published first on http://ift.tt/2kTPCwo
0 notes