Tech Transactions & Data Privacy 2022 Report: Ransomware Playbook for 2022: Four-Point Plan from the Biden Administration
The ongoing ransomware threat continued to capture headlines in 2021, with sophisticated attacks shutting down key sectors of the U.S. economy. A stepped-up federal response, drawing upon public and private sector resources, has been rolled out by the Biden Administration.
What happens in a ransomware attack?
In a successful ransomware attack, criminals (typically referred to by privacy professionals as “threat actors”) begin their attack by quietly finding a virtual open door into a victim’s computer network, such as a vulnerability in the victim’s remote connection tools. Once inside, the threat actors move about the victim’s network undetected, learning as much as they can about the network’s configurations and, in many cases, where “monetizable” or other valuable or irreplaceable information is stored. After surreptitiously extending their reach to as much of the victim’s network as possible, the threat actors often steal a copy of data identified as valuable, just before deploying malware that causes all files within its reach to be rendered unreadable (i.e., to be “encrypted”). The threat actors typically drop a virtual ransom note on affected devices, declaring to the victim that it has been attacked and instructing the victim to contact the threat actor and make payment if it (1) ever wants to see its data again, (2) ever wants to re-start or unencrypt frozen data or systems, and/or (3) does not want its sensitive data published on the Dark Web. Although scenarios and outcomes can vary widely, the threat actor is typically motivated by financial gain and has done enough reconnaissance of the victim to understand the types of disruptions and economic loss that can be imposed or threatened to secure such gain.
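The sequence described above (many files rendered unreadable in a short burst, followed by a ransom note) is what a defender's file-activity monitoring can look for. The following is an added example, not part of the report or of any vendor's product: it runs two heuristics over a constructed stream of file-system audit events. The process names, paths, thresholds (60-second window, 20 files, entropy of 7.0 bits per byte) and the ransom-note name hints are all assumptions chosen for illustration and would be tuned to a real environment.

```python
import math
from collections import defaultdict

# Assumed thresholds (illustrative, tune per environment).
WINDOW_SECONDS = 60.0        # burst window
MIN_FILES_IN_WINDOW = 20     # high-entropy writes by one process before alerting
HIGH_ENTROPY = 7.0           # bits/byte; encrypted or compressed data sits near 8.0
NOTE_NAME_HINTS = ("readme", "restore", "decrypt", "how_to")   # constructed hints


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 0.0 for uniform/empty, 8.0 for every value equally often."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_ransomware_activity(events, window=WINDOW_SECONDS,
                               min_files=MIN_FILES_IN_WINDOW,
                               entropy_threshold=HIGH_ENTROPY):
    """Return findings from (timestamp, process, op, path, first_bytes) events.

    1. encryption_burst: one process writes/renames many high-entropy files in `window` seconds.
    2. ransom_note: the same stream contains a readable text file whose name hints at instructions.
    """
    findings = []
    by_proc = defaultdict(list)
    for ts, proc, op, path, head in events:
        by_proc[proc].append((ts, op, path, head))

    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e[0])
        # timestamps of high-entropy writes/renames, in time order
        enc_ts = [ts for ts, op, path, head in evs
                  if op in ("write", "rename") and shannon_entropy(head) >= entropy_threshold]
        # sliding window: largest number of such events within `window` seconds
        best, best_start, start = 0, None, 0
        for end, ts in enumerate(enc_ts):
            while ts - enc_ts[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, enc_ts[start]
        if best >= min_files:
            findings.append({"kind": "encryption_burst", "process": proc,
                             "files": best, "first_seen": best_start})
        # a ransom note is deliberately readable, so it has low entropy
        for ts, op, path, head in evs:
            name = path.rsplit("/", 1)[-1].lower()
            if (op == "write" and name.endswith((".txt", ".html", ".hta"))
                    and any(h in name for h in NOTE_NAME_HINTS)
                    and shannon_entropy(head) < 5.0):
                findings.append({"kind": "ransom_note", "process": proc, "path": path})
    return findings


def constructed_events():
    """Constructed sample telemetry (not real data): benign activity, a backup job, then an attack."""
    hi = bytes(range(256))                       # every byte once: entropy 8.0, like ciphertext
    docx = b"PK\x03\x04" + bytes(28)             # zip-style header padded with zeros: low entropy
    note = b"All your files have been encrypted. Contact us to restore them."
    events = [
        (100.0, "winword.exe", "write", "C:/Users/a/Documents/q3.docx", docx),
        (160.0, "winword.exe", "write", "C:/Users/a/Documents/notes.docx", docx),
    ]
    # legitimate backup job: high-entropy archives, but only a handful of files
    events += [(300.0 + i, "backup.exe", "write", f"D:/backups/vol{i}.zip", hi) for i in range(5)]
    # burst: 25 high-entropy writes in 25 seconds, then a readable note
    events += [(500.0 + i, "unknown_proc.exe", "write",
                f"C:/Users/a/Documents/file{i}.docx.locked", hi) for i in range(25)]
    events.append((526.0, "unknown_proc.exe", "write",
                   "C:/Users/a/Documents/README_RESTORE_FILES.txt", note))
    return events


if __name__ == "__main__":
    for f in detect_ransomware_activity(constructed_events()):
        print(f)
```

The backup job in the sample is the important negative case: compressed archives look like ciphertext to an entropy check, so the file-count threshold and per-process grouping are what keep a legitimate job from alerting. In practice these heuristics would be one signal among several (process lineage, shadow-copy deletion, unusual remote logons), not the sole trigger.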
How was 2021 different?
Ransomware reached the front pages in 2021 and stayed there through two major attacks that caused harm far beyond the targeted company. The oil and gas sector led the way in May 2021 when threat actors shut down operations at Colonial Pipeline – one of the largest gasoline pipeline operators in the country. The outage forced Colonial to shut down operations temporarily, including gasoline shipments to distributors and retailers across the Eastern United States. Markets and consumers took notice, prompting supply constraints, price volatility and widespread disruption and economic harm over a two-week period.
The meat-processing industry followed the next month, with a ransomware attack on JBS, the world’s largest meat processing company, quickly spiraling into shutdowns and other dislocations for farmers, processors and retailers, as well as restaurants and consumers.
These mid-2021 attacks were the most visible of an ever-increasing trend of ransomware attacks with national and international significance, and daunting implications for consumers, public safety and national security.
What is the current federal government strategy to fight ransomware?
The Biden Administration has indicated that combatting ransomware is among its national security priorities. While the federal sector has long been engaged in the fight against ransomware, October 2021 brought renewed and coordinated efforts by Executive Branch agencies as well as a sizable counter-ransomware coalition, which was convened by the United States in a first-ever 30-nation ransomware summit on October 13-14, 2021. The U.S. Government’s four-part counter-ransomware program was outlined on the eve of the conference, as follows (https://www.whitehouse.gov/briefing-room/statements-releases/2021/10/13/fact-sheet-ongoing-public-u-s-efforts-to-counter-ransomware):
Disrupt Ransomware Infrastructure and Actors: The Administration is bringing the full weight of U.S. government capabilities to disrupt ransomware actors, facilitators, networks and financial infrastructure.
Bolster Resilience to Withstand Ransomware Attacks: The Administration has called on the private sector to step up its investment and focus on cyber defenses to meet the threat. The Administration has also outlined the expected cybersecurity thresholds for critical infrastructure and introduced cybersecurity requirements for transportation critical infrastructure.
Address the Abuse of Virtual Currency to Launder Ransom Payments: Virtual currency is subject to the same Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) controls that are applied to fiat currency, and those controls and laws must be enforced. The Administration is leveraging existing capabilities, and acquiring innovative capabilities, to trace and interdict ransomware proceeds.
Leverage International Cooperation to Disrupt the Ransomware Ecosystem and Address Safe Harbors for Ransomware Criminals: Responsible states do not permit criminals to operate with impunity from within their borders. The Administration is working with international partners to disrupt ransomware networks and improve partner capacity for detecting and responding to such activity within their own borders, including imposing consequences and holding accountable those states that allow criminals to operate from within their jurisdictions.
This approach has drawn international support but will undoubtedly take time to produce concrete results. There are early signs of progress, however, at least on the U.S. law enforcement front. In summer 2021, the U.S. Department of Justice announced a new task force aimed at stopping future attacks, known as the Ransomware and Digital Extortion Task Force. And, in the Colonial Pipeline case, the Justice Department used its threat intelligence resources to recover a portion of the ransom payment from the criminal group allegedly responsible for the attack. In another widely publicized ransomware incident involving the software company Kaseya, the Justice Department recently unsealed indictments against a Ukrainian national accused of helping conduct the attack. While these outcomes show promise and may be grounds for a somewhat guarded level of optimism, they remain exceptions to the prevailing trend. More often, ransom payments are not recovered, and the individuals responsible for attacks cannot be located or identified, let alone prosecuted.
Until ransomware attackers are interdicted or deterred, what can businesses do?
In the meantime, in this ever-changing threat landscape, the bottom line for business leaders is: (1) to take all feasible measures to prevent an attack (e.g., frequently reviewing the cybersecurity procedures that both you and your vendors have in place); (2) to maintain and test a comprehensive incident response plan that contemplates legal and law enforcement involvement and that can be engaged as soon as an attack is discovered; and (3) to position yourself to increase cyber resilience and reduce the risk of needing to pay a threat actor if a ransomware attack does occur (e.g., maintaining robust and segregated file backups that can be rolled out if working copies are encrypted).
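Point (3) above, segregated backups that can be rolled out, only pays off if the backup is known-good before it is restored. The following is an added example, not from the report: a restore drill that records a SHA-256 manifest of a backup copy, simulates the working copy being encrypted, confirms the backup still matches the manifest, and verifies the restored copy. The directory layout, file contents and the "backup" directory standing in for a separately stored, write-protected copy are all constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file under root (path relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare a directory with a manifest; empty lists mean it matches exactly."""
    current = build_manifest(root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def restore_drill() -> dict:
    """Self-contained drill on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        working = Path(tmp) / "working"
        backup = Path(tmp) / "backup"   # stands in for a segregated, write-protected copy
        (working / "finance").mkdir(parents=True)
        (working / "finance" / "q3.csv").write_text("account,balance\n1001,250.00\n")
        (working / "contracts.txt").write_text("signed agreements\n")

        # Take the backup and record its manifest; the manifest is kept with the
        # backup, never only alongside the working copy it describes.
        shutil.copytree(working, backup)
        manifest = build_manifest(backup)

        # Simulate the attack on the working copy: one file overwritten in place,
        # one renamed with a new extension, and a note dropped.
        (working / "contracts.txt").write_bytes(bytes(range(256)))
        q3 = working / "finance" / "q3.csv"
        q3.rename(q3.with_suffix(".csv.locked"))
        (working / "README.txt").write_text("contact us\n")

        damage = verify_against_manifest(working, manifest)
        # Check the backup is intact BEFORE rolling it out.
        backup_ok = verify_against_manifest(backup, manifest)
        if any(backup_ok.values()):
            raise RuntimeError("backup does not match manifest; do not restore from it")

        shutil.rmtree(working)
        shutil.copytree(backup, working)
        after_restore = verify_against_manifest(working, manifest)
        return {"damage": damage, "backup_ok": backup_ok, "after_restore": after_restore}


if __name__ == "__main__":
    for stage, result in restore_drill().items():
        print(stage, result)
```

The manifest is the piece most often left out of backup procedures: without a hash record taken at backup time, a restore cannot distinguish a clean copy from one that was already encrypted, or quietly altered, before the backup job ran. Running the drill on a schedule, not only after an incident, is what turns "we have backups" into a tested recovery capability.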