U.S. Department of Justice Creates Ransomware Task Force

Since its initial appearance “in the wild” in 1989, ransomware has become what one analysis called “one of the most intractable — and common — (cybercrime) threats facing organizations across all industries and geographies.”  State actors and other cybercriminals behind ransomware attacks have made highly effective use of what CrowdStrike termed “increasingly damaging tactics, techniques and procedures”, even as various stakeholders have failed to adapt to and remain abreast of those tactics, techniques, and procedures.

U.S. and other law enforcement authorities have had isolated, though often significant, successes against ransomware.  For example, on January 27, 2021, eight countries collaborated in disrupting the infrastructure of the Emotet botnet, which cybercriminals frequently used to disseminate ransomware and other types of malware.  That same day, the U.S. Department of Justice announced that it had successfully disrupted NetWalker, a sophisticated form of ransomware-as-a-service, and charged a Canadian national in relation to NetWalker attacks.

Isolated successes, however, have failed to stem the problem.  There is certainly no lack of relevant expertise in the Department’s Computer Crime and Intellectual Property Section and United States Attorneys’ Offices across the country, as well as the FBI and the United States Secret Service, to investigate ransomware operations.  What the Department has lacked to date are a comprehensive anti-ransomware strategy and sufficient resources to combat the ransomware threat in accordance with that strategy.

That state of affairs may be changing.  On April 21, the Wall Street Journal reported that the Justice Department has formed a task force “to curtail the proliferation of ransomware cyberattacks.”  The task force’s basic approach is to target “the entire digital ecosystem” that supports such attacks.

In an internal Department memorandum issued last week, Acting Deputy Attorney General John Carlin reportedly said that ransomware poses not just an economic threat to businesses but “jeopardizes the safety and health of Americans.”  The memorandum also indicated that the task force “will increase training and dedicate more resources to the issue, seek to improve intelligence sharing across the department, and work to identify ‘links between criminal actors and nation-states’.”

The principal issue for federal prosecutors and agents will not be identifying in broad terms which state actors and cybercriminals are behind specific ransomware attacks.  Law enforcement agencies and cybersecurity firms are already well aware of specific state actors and cybercriminal groups, such as the North Korean Lazarus Group and the Chinese organization APT 41, that have been successfully using ransomware.

There are two more critical questions for the Department in implementing its anti-ransomware strategy.  The first will be whether it can locate key ringleaders of the leading ransomware organizations, amass enough evidence to tie those ringleaders to specific cyberattacks, and secure their extradition to the United States.  If those ringleaders are based inside authoritarian regimes that have shown political hostility to the United States, the best that the Justice Department may be able to do in this Administration, as it did in the Trump Administration, is to obtain indictments that “name and shame” individual participants in a cybercrime organization within countries such as China and Russia, with no realistic hope of obtaining their extradition.  Ringleaders in third countries may be more reachable, although much will depend on timely cooperation by numerous governments to obtain the necessary evidence.

The second question will be whether the Department can persuade entities in both the private and public sectors – and not just corporate cybersecurity teams within those organizations – to take more stringent measures to safeguard their operations from ransomware attacks.  While chief information security officers and chief security officers recognize the magnitude of the threat that ransomware poses to their organizations, the increased incidence and prevalence of ransomware attacks indicate how far behind companies and government agencies are in responding to that threat.

U.S. Supreme Court Holds That Federal Trade Commission Lacks Authority to Seek Restitution or Disgorgement

As the principal federal agency responsible for consumer protection, the Federal Trade Commission has long relied on the use of equitable remedies, such as restitution for injured consumers and disgorgement of unjust enrichment, as part of its arsenal to combat fraudulent and deceptive practices.   In enforcing its “Do Not Call” Registry against telemarketing operations, for example, the FTC’s resolutions of enforcement actions resulted in $112 million in restitution or disgorgement – nearly two-thirds as much as the more than $178 million that the FTC recovered in civil penalties.

On April 22, the U.S. Supreme Court, in AMG Capital Management LLC v. Federal Trade Commission, unanimously held that section 13(b) of the Federal Trade Commission (FTC) Act, which authorizes the FTC to seek permanent injunctions, does not authorize the FTC to seek, or a court to award, equitable monetary relief such as restitution or disgorgement.  Justice Breyer, writing for the Court, stated that while “the Commission presently uses §13(b) to win equitable monetary relief directly in court with great frequency,” section 13(b) contained no language explicitly authorizing the Commission to obtain such relief directly from courts.

Justice Breyer took note of sections 5(l) and 19 of the Act, which give federal district courts explicit authority to impose limited monetary penalties and to award monetary relief in cases where the Commission has engaged in administrative proceedings (i.e., issued cease and desist orders).  He contrasted those sections with section 13(b), which lacked such explicit authorizing language.  He noted that Congress “likely did not intend for §13(b)’s more cabined ‘permanent injunction’ language to have similarly broad scope.”

In his conclusion, Justice Breyer observed that nothing that the Court’s opinion said

“prohibits the Commission from using its authority under §5 and §19 to obtain restitution on behalf of consumers. If the Commission believes that authority too cumbersome or otherwise inadequate, it is, of course, free to ask Congress to grant it further remedial authority.  Indeed, the Commission has recently [in 2020] asked Congress for that very authority, . . . and Congress has considered at least one bill that would do so . . . .”

The Court’s decision undoubtedly came as a blow to the FTC.  Even so, there is reason to expect that Congress will respond to the decision by amending the FTC Act to provide specific textual language to authorize restitution and disgorgement.  The FTC’s use of restitution is popular with the general public, and the Biden Administration is certain to support such remedial language to reinforce the FTC’s consumer protection authority.

Russian Antitrust Regulator Initiates Proceedings Against Yandex, Google

Since 2019, a growing number of countries have set their sights on reining in the allegedly anticompetitive practices of Big Tech companies.  The United States has been conducting investigations and filing suit against multiple leading technology companies, the European Union and the United Kingdom announced proposed legislation to open such companies up to greater competition, and China sanctioned Chinese technology companies Alibaba, Tencent, ByteDance, Baidu, and Didi for anti-monopoly violations.

The latest country to enter the lists against Big Tech is Russia.  Within the past week, the Russian Federal Antimonopoly Service announced that it was taking action against two major technology companies for alleged competition law violations.

First, on April 13, the FAS announced that it had initiated a case against the Russian technology company Yandex for allegedly discriminatory conditions in the web search market.  The FAS stated that in February 2021, it had warned Yandex “to ensure equal conditions for the demonstration of the services on the pages of search engines, including market participants and competitors of the Yandex group,” and set a deadline of April 1.  Although Yandex reportedly requested additional time in April to respond to the accusations, the FAS chose not to grant that time.

The FAS said that as part of its consideration of the case, it would “investigate possible anticompetitive practices for promoting the services of the Yandex group in search results, as well as assess the consequences that such practices have led to (could lead to).”  It also noted that Yandex could be subject to a turnover-based fine if the FAS finds evidence that the company was restricting competition.

Second, on April 19, the FAS announced that it had initiated a case against Google for allegedly abusing its dominant market position in YouTube video hosting services.  The FAS stated that the basis for its investigation was a complaint by the Regional Public Organization “Center for Internet Technologies” (ROCIT) about “Google’s actions of sudden blocking, deleting user accounts and content on the YouTube video hosting.”  It also said that it

has established that the rules related to the formation, suspension, blocking of accounts and the circulation of user content on YouTube are non-transparent, non-objective and unpredictable. This leads to sudden blocking and deletion of user accounts without warning and justification of actions. The FAS Russia believes that such behavior may lead to infringement of the interests of users, as well as to restriction of competition in related markets.

It also stated that as part of its consideration of the case, it “will assess the actions of Google LLC and consequences for users and content creators.”

Antitrust and competition compliance teams at technology companies doing business in Russia should regard the FAS actions with concern.  These proceedings should be viewed against the backdrop of last month’s actions by Russian authorities against Facebook, Google, Telegram, TikTok, and Twitter, for failing to delete posts urging children to take part in allegedly illegal protests of the imprisonment of Russian anti-corruption activist Alexei Navalny.

The fines against several of the companies in the March proceedings would be minuscule.  Nonetheless, there should be no doubt that the interests of Russian President Vladimir Putin and the Russian government extend well beyond promoting fair competition by technology companies.  A government committed to the speedy imprisonment of Navalny and mass arrests of protestors supporting Navalny can be counted on to exert systematic pressure on technology companies to bend to the government’s will, including suppression of free speech and criticism that those companies facilitate.

In a February 2021 meeting with U.S. Secretary of State Antony Blinken, Russian Foreign Affairs Minister Sergei Lavrov publicly insisted on “the need to respect (Russia’s) legislation and judicial system.”  Technology companies should expect that the Russian government will seek to compel that respect from them in matters extending well beyond competition law.

Singapore Charges Five Defendants for Money Laundering-Related Offenses Involving Shell Companies

Singapore has long prided itself on its status as a leading financial, business, and trade center in Asia, in part because of the ease of doing business there.  One element of Singapore’s business environment that many legitimate businesses have found attractive is the use of shell companies.  Because shell companies are often used to conceal criminal transactions and activities, however, the Monetary Authority of Singapore and the Singapore Police Force (SPF) have been increasingly attentive to the use of shell companies for money laundering.

On April 8, the SPF announced that five individuals have been charged in Singapore “for their involvement in seven shell companies which were suspected to be used, or intended to be used, to launder monies obtained from criminal conduct.”  Between 2016 and 2019, the SPF’s Commercial Affairs Department received eight police reports from victims who alleged that they had been deceived into wiring a total of more than USD $1.67 million into the corporate bank accounts of six Singapore-registered shell companies.  In a seventh case, an attempted transfer of more than HKD $3.2 million (USD $417,000) to a seventh Singapore-registered shell company failed because the shell company’s bank account was closed.

The SPF investigations of these allegations found that a director of DM Advisory Pte Ltd, a company that provided corporate secretarial services, had assisted and taken instructions from a person known only as “George Clarke”, who was believed to be engaged in criminal conduct, to incorporate shell companies in Singapore for the purpose of setting up corporate bank accounts.  That director then allegedly engaged a second individual, who was working as a bank officer at the time, to recruit local nominee directors — including three other individuals — to incorporate the shell companies mentioned above and set up the associated bank accounts.  Thereafter, control over the corporate bank accounts was believed to be handed over to “George Clarke” via the bank officer and one of the nominee directors.

In March and April 2021, the DM Advisory director, the bank officer, and three of the recruited local nominee directors were charged with various offenses related to money laundering and fraud.  The DM Advisory director was charged with entering into an arrangement to assist “George Clarke” to retain benefits from criminal conduct under Section 44(1)(a) of the Singapore Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act, Chapter 65A (“CDSA”).

Under Section 44(1)(a) of the CDSA, “a person who enters into or is otherwise concerned in an arrangement, knowing or having reasonable grounds to believe that, by the arrangement[,] the retention or control by or on behalf of . . . that other person’s benefits of criminal conduct is facilitated”, and “knowing or having reasonable grounds to believe that that other person is a person who engages in or has engaged in criminal conduct or has benefited from criminal conduct”, may be punished by a maximum of 10 years’ imprisonment, a fine not exceeding SGD $500,000 (USD $374,000), or both.

The bank officer and one of the nominee directors were charged in court with entering into an arrangement to assist “George Clarke” to retain benefits from criminal conduct under Section 44(1)(a) of the CDSA.  The bank director was also charged with abetting two of the nominee directors to fail to act honestly and exercise reasonable diligence as company directors under Section 157(1) of the Singapore Companies Act, Chapter 50 (“CA”), read with Section 109 of the Penal Code, Chapter 224.  Finally, all three nominee directors were charged with failing to act honestly and exercise reasonable diligence as company directors under Section 157(1) of the CA.

Under Section 157(1) of the CA, a director who fails to act honestly and use reasonable diligence in the discharge of the duties of his office may be punished by a maximum of 12 months’ imprisonment, a fine of SGD $5,000 (USD $3,700), or both.

It is too much to hope that the elusive “George Clarke” will be found and brought to justice.  In any event, these prosecutions should remind companies doing business in Singapore of the need to conduct risk-based due diligence if, at any point in the course of a planned transaction or payment, they find that the transaction involves a Singapore-registered shell company.