When ransomware strikes: Navigating risks and regulatory responses

@Filip Brokes

Ransomware attacks are affecting millions of organisations worldwide. What is the correct response when someone breaks into your organisation’s IT system, encrypts critically important data and demands a ransom payment in exchange for the decryption key? Besides the obvious information security and business continuity concerns, there are other important aspects to consider, such as the risks posed by international sanctions and the European Union’s General Data Protection Regulation.

While most people know what a phishing email looks like, they may not have direct experience or understanding of a ransomware attack. In basic terms, a ransomware attack occurs when a malicious actor – for example a criminal hacker group – implants malware onto an individual’s or organisation’s IT system, encrypting files and thereby effectively locking the content. The malicious actor then typically demands a ransom payment in return for the decryption key.

The loss of critical infrastructure can be devastating, especially for companies, which today rely on computer systems for everything from stock inventories to staff salaries; it often results in a complete business shutdown.

Some people or businesses might think that they are simply not important enough for a hacker group to bother going to such lengths. But these incidents are occurring with increasing frequency, affecting entities of all sizes.

According to a recent report from UK cybersecurity firm Sophos, ransomware is the biggest cyber risk facing organisations today. In early 2023, the firm carried out a survey across 14 countries, asking cybersecurity professionals if their organisation had been hit by ransomware; while “only” 51 percent of those surveyed were affected in 2020, some 66 percent were subject to a ransomware attack in 2023.[1]

This increasing trend was underscored by a recent report by blockchain data platform Chainalysis, which showed that cyber criminals had extorted at least USD 449 million from their victims during the first six months of 2023, compared to USD 300 million during the same period of 2022. According to Chainalysis data, attacks on both large and small enterprises grew in volume in 2023.[2]

The size of ransomware payment demanded by criminals may differ vastly, depending on the type of implanted malware and size of the hacker group. With certain types of malware, requiring little expertise and effort, attackers might demand as little as USD 300 from their victims. However, with more sophisticated operations, ransom demands may reach USD 2 million.

The skill levels of cybercriminals can also vary significantly, with some groups able to operate with only very little technical expertise. This is due to the prevailing business model around ransomware, known as ransomware as a service (RaaS). This model allows cybercriminals to purchase malware from developers to carry out attacks in exchange for a small, fixed cut of the proceeds. The market for such services – mostly found on the dark web – is reportedly highly developed, with some RaaS kits featuring 24/7 support, bundled offers and even user reviews. The price for such kits can be as low as USD 40 per month.[3]

Who is behind the attacks?

According to data from Ransomwhere, an open source ransomware payment tracker, the most successful criminal group in terms of extracted ransomware payments is Conti, with a total amount exceeding USD 100 million; Conti is followed by Cuba (USD 60 million), Netwalker (USD 27 million), Locky (USD 14 million), REvil (USD 12 million), RagnarLocker (USD 10 million) and DarkSide (USD 9 million).[4]

With the exception of RagnarLocker, all of these groups are reported to have either been based in Russia or have Russian-speaking members. Conti – by far the most prominent – is reportedly led by Russia-based actors and was first observed around February 2020. Notable operations by the group include attacks on the Japanese multinational electronics company JVC Kenwood, Ireland’s Health Service Executive and the Costa Rican government. Following the invasion of Ukraine in February 2022, the group released a statement supporting Russian military action.[5]

There have long been suspicions that the Russian state is covertly co-operating with disruptive cyber-criminals. Analysis conducted by the US Financial Crimes Enforcement Network (FinCEN) between July and December 2021 concluded that 75 percent of ransomware related incidents were “linked to Russia, its proxies, or persons acting on its behalf”.[6]

The links between prominent cybercrime groups and the Russian state blur the boundaries between profit-oriented private enterprises and state-sponsored operations.

In a more recent study published in July 2023, Stanford University’s Karen Nershi and Shelby Grossman analysed a dataset of 4,194 ransomware victims, concluding that Russia-based ransomware groups increased attacks before elections in several democratic countries. The same researchers also found that companies that withdrew from Russia following the invasion of Ukraine were more likely to be targeted, suggesting potential political motivations for the attacks.

The study concluded that the Russian government “maintains an informal cooperative relationship with those groups by providing safe harbor from prosecution and receiving plausible deniability for attacks and skilled cyber actors”.[7]

United States’ sanctions-heavy approach

The US Treasury’s Office of Foreign Assets Control (OFAC) has long recognised that ransomware is not simply a form of online crime, but also an international security threat in light of cybercriminals’ suspected ties to state actors.

OFAC has been targeting both individuals and cybercrime groups with sanctions since 2016, when it designated Evgeniy Mikhailovich, the developer of Cryptolocker, a ransomware variant that was used to infect more than 234,000 computers, mostly in the US.[8] Since then, OFAC has sanctioned dozens of individuals and organisations in connection with ransomware attacks.

Most recently, in September 2023, OFAC – together with the UK’s Foreign Commonwealth and Development Office (FCDO) – imposed sanctions on 11 members of the Conti and Trickbot ransomware groups who are believed to maintain links to Russian intelligence services.[9]

For US-based firms, or companies with business operations involving the US, the OFAC sanctions are a serious source of concern, as they criminalise ransom payments made to listed cybercrime groups. In October 2020, OFAC published an advisory warning of the sanctions risk involved in facilitating ransomware payments, stating: “Companies that facilitate ransomware payments to cyber actors on behalf of victims not only encourage future ransomware payment demands but also may risk violating OFAC regulations”.[10]

According to a senior official of a major US-based financial institution, while there is a “very strong pressure” on the victims of ransomware attacks to notify the FBI, reporting is not a legal requirement at this point. There is also currently no federal prohibition on making ransomware payments.

Earlier, in November 2021, Congressman Patrick McHenry proposed the Ransomware and Financial Stability Act, which would have made it compulsory for certain entities to notify the Treasury Department before making a ransomware payment and prohibited ransomware payments in excess of USD 100,000 without law enforcement authorisation.[11] The bill, however, did not gather enough support in the US Congress and there do not appear to be any current plans for its revival.

Given the lack of other legal constraints on ransomware payments, it is primarily OFAC’s cybercrime-related sanctions that any US entity considering paying such a ransom needs to take into account.

The main problem of compliance with ransomware-related sanctions is that, as the US bank official put it, “there is no way to tell who you send the money to”. Criminal groups use anonymous crypto wallets and are generally incentivised to obfuscate their identities.

Moreover, organisations are often under time pressure in the event of a ransomware attack – given the impact of such incidents on business-critical infrastructure – making it even more challenging to establish the exact identity of the perpetrator. According to an analysis of ransomware payments tracked by Chainalysis since 2016, 15 percent made in 2020 carried a risk of sanctions violations.[12]

European Union’s nuanced approach

The EU has so far chosen a more nuanced approach to the ransomware threat, relying on a combination of sanctions against perpetrators, preventive measures and reporting obligations.

With respect to sanctions, the EU has been moving much more slowly than its American counterpart. It was only in May 2019 that the EU introduced a framework for cybercrime-related sanctions.

One of the main reasons for the introduction of the new sanctions regime was the 2018 hacking attempt by a Russian military intelligence (GRU) team on the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Hague. The attack was thwarted by the Netherlands Defence Intelligence and Security Service, but raised awareness of the potentially serious security threat posed by such incidents.

The EU’s cybercrime-related sanctions framework provides for bans on listed persons travelling to the EU and asset freezes. In addition, EU persons and entities may be forbidden from making funds available to listed individuals or organisations.[13][14]

In July 2020, the EU imposed sanctions on six natural persons and three entities in connection with their involvement in various cyber-attacks, including the attempted attack on the OPCW. In October 2020, the EU imposed additional sanctions on two individuals and one legal entity over a 2015 hacking incident that targeted the German Bundestag (parliament).[15]

However, since then, the EU has not imposed any further cybercrime-related sanctions. Its efforts on this front could therefore be described as relatively muted, in comparison to the aggressive approach taken by OFAC.

Conversely, the EU has been more active in terms of imposing preventative measures and reporting obligations on entities subject to ransomware attacks. Those obligations are regulated by the EU’s Directive on Security of Network and Information Systems (NIS) and the General Data Protection Regulation (GDPR).

The original NIS directive from 2016 (which is currently in force) required specific entities and sectors – mostly considered critical infrastructure – to take various cybersecurity risk management measures.

The new NIS2 directive, which is in the process of being transposed into local law across the EU and is expected to come into force later this year, significantly expands the sectors obliged under the directive, including digital providers and manufacturers of critical goods.[16] Obliged entities will be required to submit an early warning to their national competent authority within 24 hours of an incident, followed by an incident notification within 72 hours.[17]

The EU’s GDPR, meanwhile, mandates organisations to report a personal data breach as a result of a cyberattack. They are required to report to the competent national authority without undue delay and, where feasible, not later than 72 hours after having become aware of an attack, unless the personal data breach is “unlikely to result in a risk to the rights and freedoms of data subjects”. In some cases, organisations must also notify individuals whose data was exposed without undue delay.[18]

Preparation is key

In order to avoid becoming a victim of a ransomware attack in the first place, it is important to be mindful of how a ransomware infection typically spreads.

According to a comprehensive survey published by Statista in November 2020, by far the most common delivery method and cybersecurity vulnerability causing ransomware infection is spam or phishing emails (54 percent). This category also encompasses poor user practices and a lack of cybersecurity training. Other listed vulnerabilities are weak passwords and access management (21 percent) and open remote desktop protocol (RDP) access (20 percent).[19]

The EU Agency for Cybersecurity (ENISA) in September 2023 also warned that phishing was “the most popular attack type to gain access to an organisation”.[20] This is likely correlated with the advancement of AI-powered language models such as ChatGPT. With the help of this technology, threat actors can easily draft personalised emails and make them appear as though they have been sent from someone known to the victim.

This can increase the likelihood that the person on the receiving end will click on a malicious link or open an attachment. The ransomware infection can then almost instantly spread from that person’s computer to affect the entire company network.

According to Annette Farrenkopf, Information Security Officer at Berlin Risk, there are two key elements of effective information security. One is to properly and continuously train company staff. “Ideally, you need to train staff often in order for them to understand the way phishing emails and other threats develop over time,” she said.

The second key step, according to Farrenkopf, is to have an information security management system in place. “This is a risk-based system, where you look at your assets in relation to information security and then you think of the risks. If this asset is attacked, or doesn’t work anymore, you need to understand what this means for your overall information security and business continuity, and be able to quickly react,” she explained.

In other words, it is essential to have a plan in place that lays out the proper response in the event of a cyber-attack. The worst case scenario for organisations, according to Farrenkopf, is to have an information security incident and absolutely no internal protocol for containing the risks.

Although training and information security management systems do require some investment, they might save organisations hundreds of thousands of dollars in lost business or ransomware payments – let alone the headache involved in potential violations of international sanctions or the EU’s GDPR and NIS rules.
