There are two main types of sanctions:
UNSC sanctions are not possible to implement in respect of the Russia/Ukraine war, given Russia’s veto power as one of the five permanent members of the UNSC. This means countries are imposing autonomous sanctions regimes, posing challenges including a noticeable lack of coordination and cooperation among countries (in the absence of an obvious forum to discuss sanctions regimes).
At a high-level, the range of sanctions currently being applied include financial sanctions (such as freezing assets), trade and investment sanctions (focusing on sectors critical to the Russian economy), taxes on Russian goods, and flight and travel bans.
As the situation unfolds, organisations need to:
In a recent webinar on sanctions and cyber risk run by Clyde & Co, Bill Siegel the CEO of Coveware (an organisation who help businesses recover from cyber extortion events, such a ransomware) outlined what his organisation had been seeing in respect to ransomware incidents since the crisis began to unfold.
The war is reshaping ransomware attacks more generally. In the latter half of 2021, ransomware as a service (RaaS) groups proliferated. RaaS is a business model whereby ‘affiliates’ pay a central operator to use their code and ‘brand’ to launch ransomware attacks. It was beneficial for affiliates to be part of these established and well-known RaaS groups because they would leverage their reputation of trustworthiness to get deliverables.
However, increasing sanctions arising from the war have rendered this an unviable business model. Cybercriminals do not want to be affiliated with RaaS groups that may be linked to sanctions, as ultimately, their ransom demands will not be paid.
Further, the war and law enforcement scrutiny has caused a proliferation of ransomware ‘variants’ (types of ransomware). Prior to the war, approximately ten ransomware variants made up more than half of all ransomware attacks. Now, there is double the amount of ransomware variants – and new and previously inactive ransomware variants are also emerging.
It is important to undertake appropriate and rigorous due diligence when paying a ransom, even more so now given the increasing complexity surrounding:
Based on Clyde & Co’s data, there is currently no indication that Australian entities supporting Ukraine have become a target for ransomware attacks. Indeed, the number of incidents is stable, and the communication from cybercriminals hasn’t shifted from financial to geo-politically motivated.
Clyde & Co data on ransomware incidents across 2021 and 2022 points to routine fluctuation in activity and inactivity throughout the year, typically due to arrests and splintering of threat actor groups, as well as seasonality (lower numbers of incidents during the Northern Hemisphere holiday periods).
While the last couple of months’ worth of ransomware incident numbers is within the bounds of normal variation, organisations needed to be alert to:
As a result, it is crucial that organisations have a predetermined position on ransom payments, processes for responding to attacks, and the right infrastructure supports in place to ensure that the impact is neutralised (such as backups).
Although ransomware incidents receive a lot of media attention, there is another incident type that organisations need to know about, and prepare for – state-supported cybercriminal activity. The key features of state actor incidents include:
While a commonly held view is ‘a state actor wouldn’t be interested in my organisation given my size and profile’, organisations should take stock and think more broadly about the supply chains they belong to. Suppliers and advisors provided with access to third-party’s data or network systems can also become the indirect targets of state actors (for example, accountants, trade bodies, lawyers and consultants).
Should an organisation be subject to a cyber incident, organisations need to be careful not to make misleading or false attributions to particular state actors when publishing communications on an incident, or when completing obligation notifications. Such announcements might incite further harm from state actor.
Finally, in order to prepare for this type of threat, organisations should take a look at their incident response plan, and consider putting together a tailored playbook to cater to the unpredictable nature of a state actor attack.
Clyde & Co has the largest dedicated cyber incident response and privacy advisory practice in Australia and New Zealand and has more 5-Star Cyber Lawyers than any other firm. Our experienced team has dealt with thousands of data breach and technology-related disputes in recent times, privacy reviews, assessments and solutions advices, including a number of the largest and most complex incidents in Asia-Pacific to date.
From pre-incident readiness reviews, solutions and advice, breach response, through to defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients globally across the full cyber lifecycle. Our team is also highly regarded for their expertise and experience in financial services information technology prudential requirements and managing all forms of disputes across sectors including advising on some of the most newsworthy class actions commenced in Australia.
Our 24-hour cyber incident response hotline or email allows you to access our team directly around the clock. For more information, contact us on:
Australia: +61 2 9210 4464
New Zealand: +64 800 527 508