Last week seven Russian individuals linked to the Conti ransomware gang were sanctioned by the UK and the US. Whilst the US has sanctioned individuals and companies involved in ransomware before, this is the first time that the UK has done so. Sanctioning the gang means that paying ransomware demands gets all the more difficult.
Why has this been done?
Ransomware remains a clear cause for concern, with criminal gangs and state-sponsored actors threatening critical national infrastructure providers and other organisations. The ransomware threat still seems to be rising – according to figures from BlackFog, January 2023 was the busiest January on record for ransomware attacks. Last month’s attacks included the ransomware attack on Royal Mail, when printers in Royal Mail’s offices were reportedly used by the LockBit gang to deliver ransom demands. Some Royal Mail services are still affected over a month later.
The sanctions have been announced as part of a joint UK/US crackdown on ransomware. Seven Russian individuals have been sanctioned after the UK’s National Crime Agency (NCA) investigated 149 British victims of Conti and Ryuk ransomware. The sanctions have been imposed by both the Foreign, Commonwealth & Development Office (FCDO) in the UK and the US Department of the Treasury’s Office of Foreign Assets Control (OFAC).
The NCA believes that the group in question was responsible for extorting at least £27 million from 149 UK victims, including hospitals, schools, businesses and local authorities, although the FCDO has said that the true impact of these crimes is likely to be much higher. Given the under-reporting of ransomware, this is highly likely.
The seven individuals are now subject to travel bans and asset freezes and are restricted in their use of the global financial system.
Who are the seven?
The sanctioned seven are:
- Vitaliy Kovalev
- Valery Sedletski
- Valentin Karyagin
- Maksim Mikhailov
- Dmitry Pleshevskiy
- Mikhail Iskritskiy
- Ivan Vakhromeyev
What about US criminal proceedings?
An indictment was also unsealed last week in the US District Court for the District of New Jersey charging one of the individuals, Kovalev, with conspiracy to commit bank fraud and eight counts of bank fraud in connection with a series of intrusions into bank accounts held at various US-based financial institutions that occurred in 2009 and 2010. The alleged offences pre-date the Conti group. It is important to note, as the US authorities have done, that the charges and allegations contained in the indictment are simply accusations at this stage and Kovalev is presumed innocent unless and until proved guilty.
What about the Ukraine war?
The UK Government maintains that members of the Conti group have direct links to the Russian Intelligence Services from whom they have likely received tasking. We’ve talked in more detail about the effects of the Ukraine invasion on ransomware and the role of Conti affiliates here https://www.corderycompliance.com/ca-ucw-whoswinning/.
Despite this action by the UK and US, ransomware is not likely to go away any time soon. Whilst the Conti gang may have become less active, ransomware gangs are often loose associations rather than formally defined organisations. It is likely that the same players are still active, and ransomware attacks are also likely still being directed and supported by foreign governments.
Amongst the steps organisations could consider are:
- Making sure that you have a plan to deal with ransomware. We have helped a number of organisations create a ransomware playbook so that they can work through key considerations in advance rather than in the heat of battle. Expanding the sanctions regime makes paying ransoms more risky. We’ve looked at some of the issues in an earlier note here https://www.corderycompliance.com/ransomware-pay-or-not/. Remember that most ransomware attacks will be reportable within 72 hours under GDPR even if data is not exfiltrated (and an attack will almost certainly be reportable if personal data is taken).
- Training and awareness. As we have said before, make sure that you are raising awareness of the heightened current risk with your employees and sub-contractors.
- Make sure that your cyber-security stance recognises the heightened risk. Patching software remains vitally important. You might want to implement a four-eyes system so that somebody independently verifies that patches have actually been applied.
- Look at the technical and organisational measures you adopt – that is likely to include multi-factor authentication (MFA) on any internet-facing systems, running detection systems to look out for attacks both at the perimeter and within your systems, ensuring that you have a good backup strategy, and ensuring the availability of audit functionality so that you can revisit your systems if there is a suspicion of an attack.
- Rehearse – breaches are inevitable, so preparation is a wise investment. This might include having good lawyers on standby, since we know that the initial hours after a breach are crucial in successfully defending claims. This is also likely to include rehearsing a breach, for example with a Cordery Data Breach Academy (see https://www.corderycompliance.com/cordery-data-breach-academy-2-2/). You might also want to consider how you’d work with agencies like the NCA to get the benefit of their resources and knowledge when an attack happens.
- Looking in detail at contracts with vendors and other third parties. You will need to look carefully at emphasising your processors’ obligations to let you know immediately if they suspect a possible breach. In our view audit rights are also important – too often organisations are vague about cause and effect and it can take the exercise of audit rights to get proper information.
- Remember that you’re unlikely to be able to insure this risk away – insurers are tightening up on coverage where ransomware is involved, especially where it is state sponsored. There’s more on the changes which come into effect next month here https://www.corderycompliance.com/lloyds-cyber-insurance1/.
- You might also want to consider cyber-security accreditation to look holistically at your employees, systems and procedures. As we said before in our alert about the Tuckers ransomware attack, however (here https://www.corderycompliance.com/law-firm-gdpr-breach-fine/), if you do go down this road, be prepared for any recommendations that are made. It is increasingly difficult to bury bad news.
- Consider how you do due diligence – we’ve written before about the difficulties of applying the sanctions regime to Russian nationals, given that names can be transliterated differently from the Russian and that criminals can use false names. Kovalev, for example, is also known as “Bentley,” “Bergen,” and “Alex Konor,” so any due diligence exercise is likely to be limited. Despite the limitations, you’ll still want to make sure you don’t have any dealings with the sanctioned seven.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
The UK Government announcement is here https://www.gov.uk/government/news/uk-cracks-down-on-ransomware-actors. The BlackFog report is here https://www.blackfog.com/the-state-of-ransomware-in-2023/. News on the Royal Mail attack is here https://www.royalmail.com/international-incident-bulletin. There are details of the US criminal proceedings here https://www.justice.gov/usao-nj/pr/russian-national-charged-bank-fraud-related-hacking-campaign.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
| Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH |
|---|---|
| Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785 |