By Christopher Scott D’Angelo
Many contractors and other businesses do not even think about it and if they do, they think it is something only the Fortune 500s of the world need worry about. This delusion is extremely dangerous and short-sighted. As the FBI, U.S. Secret Service and the Cybersecurity and Infrastructure Security Agency repeatedly warn, ransomware attacks have an impact upon all sectors, and many ransomware attacks also target small- and medium-sized businesses. According to the FBI’s 2018 and 2019 Internet Crime Reports, there was a 37 percent annual increase in reported ransomware cases and a 147 percent annual increase in associated losses from 2018 to 2019. Particularly targeted at present is the infrastructure and the expansion of construction projects occurring under the infrastructure programs of the federal government.
Ransomware is a form of malicious software – malware – designed to block access to a computer system or data, often by encrypting data or programs on information technology systems to extort ransom payments from their targets in exchange for the key to decrypting the information and restoring the target’s access to their systems or data. The “cybercriminals” use stealth, phishing and creative schemes to introduce the malware into the target’s systems, taking advantage of gaps or weaknesses in the electronic systems or, in fact, ignorance, laziness or mere inattention of the targets. As the U.S. National Cyber Investigative Joint Task Force states, common infection mechanisms include:
Email phishing campaigns: The cybercriminal sends an email containing a malicious file or link, which deploys malware when clicked by a recipient. Cybercriminals historically have used generic, broad-based spamming strategies to deploy their malware, though recent ransomware campaigns have been more targeted and sophisticated. Criminals may also compromise a victim’s email account by using precursor malware, which enables the cybercriminal to use a victim’s email account to further spread the infection.
Remote Desktop Protocol (RDP) vulnerabilities: RDP is a proprietary network protocol that allows individuals to control the resources and data of a computer over the internet. Cybercriminals have used both brute-force methods, a technique using trial-and-error to obtain user credentials, and credentials purchased on dark web marketplaces to gain unauthorized RDP access to victim systems. Once they have RDP access, criminals can deploy a range of malware – including ransomware – to victim systems.
Software vulnerabilities: Cybercriminals can take advantage of security weaknesses in widely used software programs to gain control of victim systems and deploy ransomware.
In addition to the attack, the cybercriminals often threaten to publicly disclose victims’ sensitive files. The Cybercriminals then demand a ransomware payment, usually through digital currency, in exchange for the decryption key.
Contractors increasingly rely on electronic systems and the exchange of contracts, subcontracts, vendor communications, designs, drawings and specifications, and shared documents and data, but like many businesses, contractors often do not have a true IT or in-house network security staff, thus making them more susceptible than average to such ransomware cyberattacks. And even average is nowhere near good enough.
The economic and reputational damage caused by ransomware incidents, whether from the initial disruption or through the often-extended recovery, can be extensive. Not only will ransomware incidents severely impact the contractor’s operations, but by forcing it to shut down during the attack, the contractor cannot perform and becomes potentially subject to liability to the owner for the delays, missed benchmarks, additional supply costs, or other breach of contract.
DANGER OF RANSOMWARE
Victims of such ransomware cyberattacks often think they should – or have no choice but to – just pay the ransom. This is an understandable reaction, but it is fraught with serious dangers, and not merely dealing with despicable and dishonest actors who may or may not live up to freeing the captive system and data and may or may not slip a stealth sleeper file or backdoor for a later attack or the theft of data.
In fact, paying or facilitating ransomware payments may subject the victim and those assisting the victim to significant criminal or civil penalties. For example, as the Department of the Treasury notes, “ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden Cybercriminals to engage in future attacks.” Such activities may also be subject to restrictions and liability under the International Emergency Economic Powers Act or the Trading with the Enemy Act, Executive Orders, and Office of Foreign Assets Control Specially Designated Nationals and Blocked Persons List, among others.
PROTECTING YOUR BUSINESS
So, what should the contractor do? First, an ounce of prevention … here are some resources:
- Ransomware Guide: https://www.cisa.gov/stopransomware/ransomware-guide
- FBI Cyber Defense Best Practices: https://www.ic3.gov/media/y2019/psa191002
- Preparing for a Cyber Incident: https://www.secretservice.gov/investigation/Preparing-for-a-Cyber-Incident
- Preparing for a Cyber Incident: https://www.cisa.gov/sites/default/files/publications/Cyber%20Investigation%20Prep%20-%20General%20Audience%20%28Handout%29_0.pdf
- Ransomware Self-Assessment Tool: https://www.csbs.org/sites/default/files/2020-10/R-SAT_0.pdf
- I’ve Been Hit by Ransomware – Ransomware Response Checklist: https://www.cisa.gov/stopransomware/ive-been-hit-ransomware
- Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources (February 2020): https://www.justice.gov/criminal-ccips/page/file/1252341/download
- A Framework for OFAC Compliance Commitments: https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf
- Contact Information for Relevant U.S. Government Agencies:
- Federal Bureau of Investigation Cyber Task Force: https://www.ic3.gov/default.aspx; www.fbi.gov/contact-us/field
- U.S. Secret Service Cyber Fraud Task Force: www.secretservice.gov/investigation/#field
- Cybersecurity and Infrastructure Security Agency: https://us-cert.cisa.gov/forms/report
- Homeland Security Investigations Field Office: https://www.ice.gov/contact/hsi
Also, review your contracts, particularly the force majeure and limitations of liability clauses to be sure that they protect you in the event of delays, disruptions and other effects of a ransomware attack or other cyberattack not only on your company but also on those in your supply chain or other contractors or subcontractors with whom you work or who work on the project.
In addition, contractors and other businesses should investigate insurance options. The right insurance can help reduce concerns about ransomware attacks. The challenge is finding affordable coverage. According to Marsh, in 2021 cyber insurance pricing in the United States increased an average of 96 percent year-over-year. Insurers are also insisting on more staff and updated systems. In looking for insurance, the business should be looking for and considering coverage for business interruption, data recovery, security incident and breach coverage, and dependent business interruption relating to supply chain risks. The latter one can be an eye-opener, as Marsh notes that cybercriminals increasingly target technology suppliers, such as managed service providers, cloud providers, and vendors. Is there coverage if a company’s network or website is down because of an attack on a technology vendor? Companies should also look for insurers that provide support and service, such as proactive risk mitigation resources, breach response support to get businesses back up and running after an attack, and a stable of support providers (e.g., breach managers to oversee or coordinate the response).
- Marsh, Cyber Risk: https://www.marsh.com/us/services.html
- Marsh, Cyber Insurance Market Overview: Fourth Quarter 2021: https://www.marsh.com/us/services/cyber-risk/insights/cyber-insurance-market-overview-q4-2021.html#:~:text=Cyber%20insurance%20pricing%20in%20the,and%20the%20largest%20since%202015
- Cyber Insurance and Its Potential Role in Risk Management Programs: https://www.ffiec.gov/press/pdf/FFIEC%20Joint%20Statement%20Cyber%20Insurance%20FINAL.pdf
The cliché is “an ounce of prevention is worth a pound of cure.” Here, it is more, an ounce of prevention can save your assets. Act now.
About the Author:
Christopher Scott D’Angelo is a partner and chair of both the Business Disputes & Products Liability Practice and International Practice at Montgomery McCracken Walker & Rhoads LLP, based in Philadelphia and New York City. His practice involves business, products liability, construction, class action, and insurance counseling and litigation, including his role as national counsel for several major U.S. clients and his representation of foreign concerns in the United States and U.S. concerns abroad. He is a member of the Construction Law and Litigation Committee of the International Association of Defense Counsel. He can be reached at firstname.lastname@example.org.
Modern Contractor Solutions, May 2022
Did you enjoy this article?
Subscribe to the FREE Digital Edition of Modern Contractor Solutions magazine.