Pay GDPR? No thanks, we’d rather pay cybercriminals
Once upon a time, ransomware was a simple cybercrime. You knew where you stood; the data was encrypted, and you either paid the ransom or not. Yes, life was simple back then.
I am being facetious, of course, but as with many cyberattack tactics, ransomware has become more complex and multi-faceted. Encrypting corporate files is no longer enough for ransomware thieves. No, ransomware criminals now steal data first to put even more pressure on an organization to pay the ransom.
This double-whammy is placing corporations in a squeeze: pay the ransom and protect any personal data caught up in the attack, or pay a data protection non-compliance fine, which in the case of GDPR can be up to 4% of global revenue or 20 million euros (whichever is higher).
What should you learn next?
A double-edged sword of ransomware pain
Ransomware has always been a pain. Ransomware attacks such as WannaCry caused serious disruption to business continuity and services, causing massive operational problems and costing enormous amounts of money. Three years after the WannaCry attack, the UK's National Health Service (NHS) has evaluated the attack's impact as having cost around £92 million ($116 million) and causing 19,000 appointments to be canceled.
But now, ransomware is a double-edged and painful sword. The recent Colonial Pipeline ransomware attack began with the attackers stealing 100 gigabytes of data the day before the ransomware infection shut down the Colonial infrastructure, causing chaos for millions of customers. Colonial has since admitted to sending out breach notification letters to 5,810 individuals, mostly current or former employees: the stolen data contained personal information including name, address, date of birth, social security number, and health insurance information. In other words, the type of personal data that is protected in law by regulations such as GDPR and CCPA.
Colonial paid around $4.4 million in ransom, with some of the money recovered. However, the company may still have been in breach of various data protection laws. This catch-22 situation that companies find themselves in begs the question, is the double-whammy of ransomware placing the company at threat of secondary extortion, this time from the regulators?
Between a rock and a fine
The problem of ransomware-initiated personal data exposure and regulatory fines is likely to be a trend in the coming years. The act of ransomware double extortion is gaining popularity amongst the cybercriminal community. In 2020, 40% of ransomware families were designed to steal data before encrypting it. Once that data is exfiltrated, it is in the hands of cybercriminals. Therefore, methods of ransomware protection that suggest back-up of data to ensure business continuity, only go so far in mitigating the impact of a modern ransomware infection.
The problem is that ransomware actors are not the most trustworthy of humans. Even if a company pays the ransom, they cannot guarantee that the personal data will stay safe. It's like putting a child in a room with their favorite sweets and saying, "do not eat." Most kids will eat the sweets in a game theory-esque pay-off vs. constraints scenario.
Cybercriminals are cunning: the fact that regulations such as GDPR are enforced and carry heavy fines is not lost on them. Along with the fear of data exposure and the embarrassment and loss of custom, cybercriminals also use the fear of non-compliance fines to extract a ransom.
This was the case in the Uber cyber-attack of 2019. The company paid cybercriminals $100,000 to keep quiet about the breach to stave off the regulators. This strategy backfired on Uber with a series of knock-on effects, including the then chief security officer Joe Sullivan, being charged with concealing the attack.
This tripartite of players are interwoven in a complex game of pay-off vs. constraints; the question is, can the good guys in this scenario, aka the regulators and the victim organization, work together to thwart the activities of the ransomware cybercriminals?
Cooperation can win out in a game of ransomware
The likelihood is that this tactic of double-extortion is here to stay because it is effective — it results in a greater pay-off. It is, in evolutionary terms, a stable strategy. But paying the ransom will not guarantee that a company will be protected against regulatory fines. Cybercriminals renege on promises. The Sophos State of Ransomware 2021 report found that 92% of companies who paid the ransom did not get all their data back.
Any additional pressure on a company to pay the ransom, such as being worried about large regulatory fines, will play into the cybercriminals' plan but may well not prevent personal data exposure.
The data protection regulator's mantra upholds an individual's privacy by preventing data exposure. If a company goes outside those constraints, they are fined. Cybercriminals are using this to put even further pressure on a victim organization to pay up. Regulators need to be part of a cooperation strategy to reduce ransomware threats.
One way to do this is for regulators to cooperate with organizations when a ransomware attack happens. Instead of a company hiding an attack, if they tell the regulators in good time, this should be a consideration when any non-compliance decisions are made. Further, some countries are now making payment of a ransom illegal. In 2020, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) published an advisory stating that ransomware payments may place an organization in breach of OFAC regulations.
Ultimately, a victim organization must work to prevent a ransomware attack from happening. A proactive security posture that prevents cyberattacks is the baseline for ransomware prevention.
Infosec works with the U.S. government to provide resources and tools to an organization to help fight the ransomware threat.
Sources
- The landscape of cyber security in the NHS – and how this has changed since the WannaCry attack in 2017 , NS Healthcare
- Colonial Pipeline says ransomware attack also led to personal information being stolen, CNN Business
- Nearly 40% of new ransomware families use both data encryption and data theft in attacks, Help Net Security
- Regulators to press Uber after it admits covering up data breach, Reuters
- Former Uber Security Chief Charged With Concealing Hack, New York Times
- The State of Ransomware 2021, Sophos
- Infosec Collaborates with U.S. Government to Provide Free Tools to Help Organizations Fight Ransomware Attacks, Infosec
- U.S. Department of the Treasury’s Office of Foreign Assets Control Advisory, Treasury.gov
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
- Top 8 Microsoft Teams security issues
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security