1. Home
  2. |Insights
  3. |A Ransomware Attack Primer: What You Need to Know and What Crowell Can Do to Help

A Ransomware Attack Primer: What You Need to Know and What Crowell Can Do to Help

Client Alert | 4 min read | 06.17.21

As recently as six months ago, ransomware was the domain of CISOs (chief information security officers) and cybersecurity lawyers. But in the wake of high-profile attacks by Russian-based cybercriminals on Colonial Pipeline, operator of the country’s largest refined fuel pipeline, and JBS Foods, the world’s largest meat processor, ransomware jumped to the top of the agenda for President Biden’s meeting with Russian President Vladimir Putin this week. These high-profile incidents have shown that ransomware attacks are a significant business/operational and legal risk for global companies. Colonial Pipeline paid $5 million to resolve its attack, JBS $11 million, and the group responsible for an attack on Acer is demanding $50 million.

This is not just a matter of a few victims making the news. Security vendor Chainalysis reported a 311% spike in total amounts paid by victims in 2020 compared to 2019, with no signs the trend is slowing.  Sophos recently reported that more victims are paying the ransoms and that attackers are increasingly coupling extortion with encrypting files, among other findings.

U.S. government officials have also made it clear that ransomware attacks now take their place alongside supply chain attacks, cyber-theft, and disinformation campaigns as a significant national security threat in the digital age. The DOJ announced the creation of a ransomware task force earlier this year in response to the surge of ransomware attacks during the pandemic. FBI Director Christopher Wray said the national security threat currently posed by ransomware is similar in scale to that of the terrorist attacks of September 11, 2001. According to the FBI Director, the Bureau is currently tracking close to 100 different types of ransomware, with many of the strains tied to criminal hackers in Russia. And the White House has emphasized the importance of industry taking immediate action to guard against ransomware attacks.

In light of these threats, the U.S. government has issued alerts and guidance, and is standing up task forces and other efforts focused on the threat. For example, a recent CISA alert sets out best practices for preventing business disruption from ransomware attacks, and the White House has also reportedly issued guidance to the private sector. Importantly, these actions represent more than just helpful advice; they are also likely defining what will be a new minimum standard of care that companies are expected to meet. 

There may be other implications as well, such as potential sanctions and anti-money laundering (AML) risks associated with paying ransoms that are described in guidance from OFAC and FinCEN, respectively. The blockchain analysis company Chainalysis has estimated that 15% of all ransomware payments in 2020 went to attackers on the U.S. Office of Foreign Asset Control’s sanctions list. Moreover, these ransoms are typically paid out in cryptocurrency, further increasing the sanctions and AML risks.

The good news is that, although ransomware incidents are increasing, they need not be catastrophic for a business. Rather, advance preparation, proper crisis management, timely remedial action, accurate assessments of harm, and, when appropriate, effective communications including notifications to government and affected individuals, can significantly mitigate the business impact of these incidents.

Crowell & Moring is well-positioned to help you prepare for and respond to ransomware attacks. In these crisis situations, our cybersecurity team is on the ground providing support at every stage, from initial internal investigation and risk management, through making notifications where appropriate, and, if necessary, government enforcement actions and litigation. We also work with technical consultants when appropriate through relationships structured to help maintain confidentiality and privilege for forensic investigations.

  • REvil/Sodinokibi
  • DarkSide
  • Maze
  • Ryuk
  • Suncrypt
  • DoppelPaymer
  • Netwalker
  • Cryptolocker
  • SNAKE
  • CL0P
  • WannaCry
  • NotPetya
  • Multiple novel ransomware strains and emerging threat actor groups

Crowell & Moring’s cybersecurity team also works closely with other practice groups at the firm that have relevant experience with the wide range of issues raised by ransomware attacks, including International Trade, Insurance/Reinsurance, Government Contracts, White Collar, National Security, and Financial Services.

If you need help assessing your ransomware preparedness or are the victim of an attack, please contact any of the Crowell & Moring lawyers listed below. We have also created a checklist for responding to a ransomware attack.

Insights

Client Alert | 8 min read | 12.20.24

End of Year Regulations on Interoperability

Federal policy efforts to advance health data exchange and interoperability are continuing to change rapidly. The latest changes are the publication of two final rules by the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC) finalizing parts of the of the Health Data, Technology, and Interoperability (HTI-2) Proposed Rule. These rules adopt requirements regarding the Trusted Exchange Framework and Common Agreement (TEFCA) (HTI-2 Part 1), and create a new Information Blocking exception under Protecting Care Access (HTI-2 Part 2), on December 16th and 17th, respectively....