You are here

You are here

Ransomware takes horrific pivot to data leakage

public://webform/writeforus/profile-pictures/richi-2016-480.jpg
Richi Jennings Industry analyst and editor, RJAssociates
 

And you thought ransomware was only about losing your files when a bad guy encrypted them? Think again: Now the perps are copying your data and threatening to leak it if you don’t pay.

Hello, GDPR, CCPA, et al. Indeed, some authorities have it that any ransomware infection is a reportable event.

So much for “don’t pay the ransom.” In this week’s Security Blogwatch, we try to think about something else.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: cyriak.

[ Learn what matters in cloud security and privacy in TechBeacon's Guide. Plus: Get this white paper on selecting the right cloud encryption and key management tools. ]

Ransomware = breach

What’s the craic? Lawrence Abrams reports—Ransomware attacks are now data breaches:

A new tactic by ransomware developers is to release a victim's data if they do not pay the ransom. While we have seen these threats in the past, only recently have ransomware operators … actually followed through.

While it has been a well-known secret that ransomware actors snoop through victim's data, and in many cases steal it before the data is encrypted, they never actually carried out their threats of releasing it. … Even though this should be considered a data breach, many ransomware victims simply swept it under the rug in the hopes that nobody would ever find out.

Now that ransomware operators are releasing victim's data, this will need to change. … Companies will have to treat these attacks like data breaches.

Climb aboard the Brian Krebs cycle—Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up:

As if the scourge of ransomware wasn’t bad enough already. … As shocking as this new development may be to some, it’s not like the bad guys haven’t warned us.

This is especially ghastly news for companies that may already face steep … penalties for failing to … safeguard their customers’ data. For example, healthcare providers are required to report ransomware incidents to the U.S. Department of Health and Human Services.

Yikes. sparrish has the tl;dr:

Before, if you didn't pay, you didn't get your data back. Now, you don't pay, they expose all your data to the world. For some companies, that will be a significantly more compelling reason to pay the ransom.

Wait. Pause. All this makes Microsoft’s latest advice ring hollow. Ola Peters asks—to pay or not to pay?:

We regularly get asked by customers about “paying the ransom” following a ransomware attack. … The unfortunate truth about most organizations is that they are often only left with the only option of paying the ransom.

We never encourage a ransomware victim to pay any form of ransom demand. Paying a ransom is often expensive, dangerous … only refuels the attackers [and] equates to a proverbial pat on the back for the attackers.

To which Luthair replies with a resounding “meh”:

I don't hate Microsoft, but why would anyone care what they think? This is the equivalent of Ford stating that they don't encourage bank tellers to hand over money in the event of a robbery.

Arguably, a ransomware infection could already be seen as a breach, under GDPR. Or so says Pointless_noise:

PII unrecoverable from a ransomware attack is already a data breach under article 4 paragraph 12. Also it could be argued that the encryption of data by a malicious 3rd party could be unlawful "alteration" therefore again a data breach.

My point being if your company is not treating ransomware encrypting PII as a data breach it probably should be.

And buboard agrees, sliding into told-you-so territory:

Some of us mentioned that this would happen once GDPR came out. Not disclosing breaches is now a punishable offense, and this becomes a weapon in the hands of malicious hackers.

There is a case to be made for making it unprofitable for hackers to run such operations. The law here does the opposite by making it more lucrative.

So JFT explains the underlying problem:

The problem here [is] the apathy from companies who are breached. We don’t do enough to train people who work with networked computers how to handle them. … But couple that with a lack of spending by companies on basic security, and you have a situation that is ripe for exploitation.

The problem is countries like Russia, North Korea, Iran, etc. are funding these criminals. … China is the most adept at this.

Don’t be fooled, this is the next Cold War. The only difference is information security, rather than nukes is going to be the solution. And we can end it just like the US ended the Cold War: starving the enemy by making it overwhelmingly costly and difficult to attempt data breaches.

In a less tinfoil-hatty vein, here’s alvinrod:

We've got all kinds of alphabet agencies and other miscellaneous government spooks … so why not just let them take the gloves off and sort things out. From a marketing perspective I don't think it's too hard to spin the attacks against hospitals, etc. [to get] about half of the country behind it.

Once a few bodies pile up I think that people will start to get the message. It won't stop the state actors targeting the state or military, but that's a separate ball game anyway.

[And] I think people would generally be on board with our own government agencies using U.S. companies and utilities for practice to help find and patch vulnerabilities. Normally the laws prevent well-meaning individuals from doing those things … but if the government does it there's a lot less protest, particularly since they're probably already spying on most of the country anyway.

Meanwhile, here’s tomp:

Looks like they're doing our job. First, the message was "backup your data." Now, they also added "encrypt your data."

The moral of the story?

Security in depth is a constant process. You need multiple layers of prevention, protection, alerting, and user-education.

[ Get up to speed on new privacy laws with this Webcast: California’s own GDPR? It’s not alone. Plus: Go deeper with TechBeacon's guide to GDPR and CCPA. ]

And finally

Inside the warped imagination of Cyriak Harris

Previously in “And finally”


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Sheila Sund (cc:by)

[ Get on top of access with TechBeacon's guide to identity governance. Plus: Learn how to secure and manage cloud-based Linux resources with Active Directory in this Webinar. ]