Stark: How to manage the ransomware crime wave

April 10, 2019Duke Law News

John Reed StarkSenior Lecturing Fellow John Reed Stark '89 offered recommendations for improving legal defenses against and penalties for malicious “ransomware” attacks in an essay published on Jan. 28 in Law 360 and D&O Diary.

While attacks come in many forms, Stark explains, in each case they infect a computer and restrict users’ access to certain data, systems, and files, until a ransom is paid. Stark, former chief of the Securities and Exchange Commission’s Office of Internet Enforcement and now president of John Reed Stark Consulting LLC, cites predictions that by the end of the year, worldwide, a company will be hit by a ransomware attack every 14 seconds and result in financial damages of $11 billion in terms of recovery costs after the inevitable shutdown and ransoms paid.

And most corporate victims of ransomware attacks pay the ransoms demanded, increasingly in cryptocurrencies like bitcoin that are fast, reliable, verifiable, subject to little regulation, and virtually untraceable. They pay, he writes, because of the “mammoth” impacts of the attacks: “Typically, all file servers and workstations are renamed with virus-like extensions. Email servers and website servers become inoperable. Operations cease – no ability to track accounts receivable, issue invoices, and pay bills and employees. … Amid the bedlam, the damage due to a ransomware shutdown raises costs exponentially, not to mention the dire business development and reputational ramifications.”

Detailing why U.S. law enforcement agencies have experienced scant success in identifying and prosecuting perpetrators of ransomware attacks, Stark recommends a series of improvements: “Clearly, any governmental intervention should begin at the ‘front end,’ to deprive cybercriminals of access to financial channels, and financial penalties and end at the ‘back end,’ particularly asset forfeiture, to recover the proceeds of criminal activity.” Additional steps could include providing financial incentives for private investment in ransomware prevention and remediation technologies; bringing more criminal and regulatory enforcement actions and creating new legal penalties for attacks; discouraging payments that monetize crime; and adding more ransomware attackers to terrorist lists.

But, Stark writes, “the reality is that when it comes to ransomware attacks, the government seems unfortunately idle and relatively powerless, which means ransomware victims are often on their own.” He advises companies to manage their risk through preparation — deploying effective and tested offsite backup and disaster-recovery plans — using professionals to implement preemptive measures and help handle the response, and being continually vigilant against attacks.

He concludes: “The only guarantees during a ransomware attack are the feelings of fear, uncertainty, vulnerability and dread inevitably experienced by the corporate victim. Someone needs to stop the madness — or in the least, start talking about it. Right now, the silence is deafening.”