I am being facetious, of course, but as with many cyberattack tactics, ransomware has become more complex and multi-faceted. Encrypting corporate files is no longer enough for ransomware thieves. No, ransomware criminals now steal data first to put even more pressure on an organization to pay the ransom. This double-whammy is placing corporations in a squeeze: pay the ransom and protect any personal data caught up in the attack, or pay a data protection non-compliance fine, which in the case of GDPR can be up to 4% of global revenue or 20 million euros (whichever is higher).
A double-edged sword of ransomware pain
Ransomware has always been a pain. Ransomware attacks such as WannaCry caused serious disruption to business continuity and services, causing massive operational problems and costing enormous amounts of money. Three years after the WannaCry attack, the UK’s National Health Service (NHS) has evaluated the attack’s impact as having cost around £92 million ($116 million) and causing 19,000 appointments to be canceled. But now, ransomware is a double-edged and painful sword. The recent Colonial Pipeline ransomware attack began with the attackers stealing 100 gigabytes of data the day before the ransomware infection shut down the Colonial infrastructure, causing chaos for millions of customers. Colonial has since admitted to sending out breach notification letters to 5,810 individuals, mostly current or former employees: the stolen data contained personal information including name, address, date of birth, social security number, and health insurance information. In other words, the type of personal data that is protected in law by regulations such as GDPR and CCPA. Colonial paid around $4.4 million in ransom, with some of the money recovered. However, the company may still have been in breach of various data protection laws. This catch-22 situation that companies find themselves in begs the question, is the double-whammy of ransomware placing the company at threat of secondary extortion, this time from the regulators?
Between a rock and a fine
The problem of ransomware-initiated personal data exposure and regulatory fines is likely to be a trend in the coming years. The act of ransomware double extortion is gaining popularity amongst the cybercriminal community. In 2020, 40% of ransomware families were designed to steal data before encrypting it. Once that data is exfiltrated, it is in the hands of cybercriminals. Therefore, methods of ransomware protection that suggest back-up of data to ensure business continuity, only go so far in mitigating the impact of a modern ransomware infection. The problem is that ransomware actors are not the most trustworthy of humans. Even if a company pays the ransom, they cannot guarantee that the personal data will stay safe. It’s like putting a child in a room with their favorite sweets and saying, “do not eat.” Most kids will eat the sweets in a game theory-esque pay-off vs. constraints scenario. Cybercriminals are cunning: the fact that regulations such as GDPR are enforced and carry heavy fines is not lost on them. Along with the fear of data exposure and the embarrassment and loss of custom, cybercriminals also use the fear of non-compliance fines to extract a ransom. This was the case in the Uber cyber-attack of 2019. The company paid cybercriminals $100,000 to keep quiet about the breach to stave off the regulators. This strategy backfired on Uber with a series of knock-on effects, including the then chief security officer Joe Sullivan, being charged with concealing the attack. This tripartite of players are interwoven in a complex game of pay-off vs. constraints; the question is, can the good guys in this scenario, aka the regulators and the victim organization, work together to thwart the activities of the ransomware cybercriminals?
Cooperation can win out in a game of ransomware
The likelihood is that this tactic of double-extortion is here to stay because it is effective — it results in a greater pay-off. It is, in evolutionary terms, a stable strategy. But paying the ransom will not guarantee that a company will be protected against regulatory fines. Cybercriminals renege on promises. The Sophos State of Ransomware 2021 report found that 92% of companies who paid the ransom did not get all their data back. Any additional pressure on a company to pay the ransom, such as being worried about large regulatory fines, will play into the cybercriminals’ plan but may well not prevent personal data exposure. The data protection regulator’s mantra upholds an individual’s privacy by preventing data exposure. If a company goes outside those constraints, they are fined. Cybercriminals are using this to put even further pressure on a victim organization to pay up. Regulators need to be part of a cooperation strategy to reduce ransomware threats. One way to do this is for regulators to cooperate with organizations when a ransomware attack happens. Instead of a company hiding an attack, if they tell the regulators in good time, this should be a consideration when any non-compliance decisions are made. Further, some countries are now making payment of a ransom illegal. In 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) published an advisory stating that ransomware payments may place an organization in breach of OFAC regulations. Ultimately, a victim organization must work to prevent a ransomware attack from happening. A proactive security posture that prevents cyberattacks is the baseline for ransomware prevention. Infosec works with the U.S. government to provide resources and tools to an organization to help fight the ransomware threat.
Sources
The landscape of cyber security in the NHS – and how this has changed since the WannaCry attack in 2017 , NS Healthcare Colonial Pipeline says ransomware attack also led to personal information being stolen, CNN Business Nearly 40% of new ransomware families use both data encryption and data theft in attacks, Help Net Security Regulators to press Uber after it admits covering up data breach, Reuters Former Uber Security Chief Charged With Concealing Hack, New York Times The State of Ransomware 2021, Sophos Infosec Collaborates with U.S. Government to Provide Free Tools to Help Organizations Fight Ransomware Attacks, Infosec U.S. Department of the Treasury’s Office of Foreign Assets Control Advisory, Treasury.gov