News

Published on December 19th, 2019 📆 | 6040 Views ⚑


Ransomware takes horrific pivot to data leakage



And you thought ransomware was only about losing your files when a bad guy encrypted them? Think again: Now the perps are copying your data and threatening to leak it if you don't pay.

Hello, GDPR, CCPA, et al. Indeed, some authorities have it that any ransomware infection is a reportable event.

So much for "don't pay the ransom." In this week's Security Blogwatch, we try to think about something else.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: cyriak.


Ransomware = breach

What's the craic? Lawrence Abrams reports—Ransomware attacks are now data breaches:

A new tactic by ransomware developers is to release a victim's data if they do not pay the ransom. While we have seen these threats in the past, only recently have ransomware operators … actually followed through.
…
While it has been a well-known secret that ransomware actors snoop through victim's data, and in many cases steal it before the data is encrypted, they never actually carried out their threats of releasing it. … Even though this should be considered a data breach, many ransomware victims simply swept it under the rug in the hopes that nobody would ever find out.
…
Now that ransomware operators are releasing victim's data, this will need to change. … Companies will have to treat these attacks like data breaches.

Climb aboard the Brian Krebs cycle—Ransomware Gangs Now Outing Victim Businesses That Don't Pay Up:

As if the scourge of ransomware wasn't bad enough already. … As shocking as this new development may be to some, it's not like the bad guys haven't warned us.
…
This is especially ghastly news for companies that may already face steep … penalties for failing to … safeguard their customers' data. For example, healthcare providers are required to report ransomware incidents to the U.S. Department of Health and Human Services.

Yikes. sparrish has the tl;dr:

Before, if you didn't pay, you didn't get your data back. Now, you don't pay, they expose all your data to the world. For some companies, that will be a significantly more compelling reason to pay the ransom.

Wait. Pause. All this makes Microsoft's latest advice ring hollow. Ola Peters asks—to pay or not to pay?:

We regularly get asked by customers about "paying the ransom" following a ransomware attack. … The unfortunate truth about most organizations is that they are often only left with the only option of paying the ransom.
…
We never encourage a ransomware victim to pay any form of ransom demand. Paying a ransom is often expensive, dangerous … only refuels the attackers [and] equates to a proverbial pat on the back for the attackers.

To which Luthair replies with a resounding "meh":

I don't hate Microsoft, but why would anyone care what they think? This is the equivalent of Ford stating that they don't encourage bank tellers to hand over money in the event of a robbery.

Arguably, a ransomware infection could already be seen as a breach, under GDPR. Or so says Pointless_noise:

PII unrecoverable from a ransomware attack is already a data breach under article 4 paragraph 12. Also it could be argued that the encryption of data by a malicious 3rd party could be unlawful "alteration" therefore again a data breach.
…
My point being if your company is not treating ransomware encrypting PII as a data breach it probably should be.

And buboard agrees, sliding into told-you-so territory:

Some of us mentioned that this would happen once GDPR came out. Not disclosing breaches is now a punishable offense, and this becomes a weapon in the hands of malicious hackers.
…
There is a case to be made for making it unprofitable for hackers to run such operations. The law here does the opposite by making it more lucrative.

So JFT explains the underlying problem:

The problem here [is] the apathy from companies who are breached. We don't do enough to train people who work with networked computers how to handle them. … But couple that with a lack of spending by companies on basic security, and you have a situation that is ripe for exploitation.
…
The problem is countries like Russia, North Korea, Iran, etc. are funding these criminals. … China is the most adept at this.
…
Don't be fooled, this is the next Cold War. The only difference is information security, rather than nukes is going to be the solution. And we can end it just like the US ended the Cold War: starving the enemy by making it overwhelmingly costly and difficult to attempt data breaches.

In a less tinfoil-hatty vein, here's alvinrod:

We've got all kinds of alphabet agencies and other miscellaneous government spooks … so why not just let them take the gloves off and sort things out. From a marketing perspective I don't think it's too hard to spin the attacks against hospitals, etc. [to get] about half of the country behind it.
…
Once a few bodies pile up I think that people will start to get the message. It won't stop the state actors targeting the state or military, but that's a separate ball game anyway.
…
[And] I think people would generally be on board with our own government agencies using U.S. companies and utilities for practice to help find and patch vulnerabilities. Normally the laws prevent well-meaning individuals from doing those things … but if the government does it there's a lot less protest, particularly since they're probably already spying on most of the country anyway.

Meanwhile, here's tomp:

Looks like they're doing our job. First, the message was "backup your data." Now, they also added "encrypt your data."

The moral of the story?

Security in depth is a constant process. You need multiple layers of prevention, protection, alerting, and user-education.


And finally

Inside the warped imagination of Cyriak Harris

Previously in "And finally"

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don't have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Sheila Sund (cc:by)
