Don’t let your company’s reputation be held for ran$om
Did you know that ransomware operators take customer service very seriously? They’ve even gone so far as to establish call centers1 to ensure “customer satisfaction” and prompt service. But what is their currency-in-trade? Your organization’s reputation, confidential data, and your personal information. These attackers are serious about their business of data theft and extortion, collecting your payment via cryptocurrency. This poses serious risks to the confidentiality, privacy, and compliance of your organization. To protect your business from a ransomware attack and avoid becoming the next victim, implementing robust security tools and processes is key.
What is ransomware?
Historically, ransomware was an attack on the availability of underlying data. In this scenario, a hacker encrypts the data, then demands money (i.e., ransom) to decrypt the data. The US Cybersecurity and Infrastructure Security Agency (CISA) defines2 ransomware as “a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.”
This “OG” form of ransomware is an attack on the “availability” portion of the CIA triad3 (confidentiality; integrity; availability). By rendering the data and making it inaccessible, the attacker can effectively prevent a business from operating, unless the business is able to rapidly restore the data in a known clean environment. This can be hugely disruptive and expensive for businesses, with CISA reporting that recovering from a ransomware incident4 can cost large entities around $15 million, while some incidents are simply unrecoverable.
Businesses have improved their backup and recovery strategies to mitigate the threats imposed by encryption attacks, specifically on data availability. But attackers adapt too.
How has ransomware evolved from a data availability threat to a confidentiality and privacy threat?
Attackers are imaginative. Availability is not the only destructive aim. As regulations that punish leaks of regulated and/or sensitive data proliferated, it created a market for attackers to demand a ransom to not expose your data publicly. We’ve seen this over and over again with user data — including patient health data5 — as well as with government6 and confidential company information7 . Especially in the case of politically-sensitive information, they might even change the leak to make it more damaging or to fuel disinformation8 .
What strategies are bad actors using?
Attackers often surreptitiously steal (exfiltrate) confidential and private information, often done discreetly over a period of time, and then extort the victim with threat of public embarrassment or data breach (confidentiality extortion) by leaking the stolen data, often in addition to the demanding a ransom for a key to unlock the data (availability extortion). The Center for Internet Security (CIS) refers9 to this combination as “double extortion.”
Further innovation and evolution by ransomware providers and services
The ransomware threat continues to evolve. Actors who want the “easy button” can buy ransomware right off the shelf. Ransomware-as-a-service (RaaS) operators10 provide a complete toolkit and service, splitting profit between the RaaS operator and their affiliates who trigger the attacks, making this form of attack broadly available to even unsophisticated attackers.
And the numbers are up. The Wall Street Journal recently reported11 a recurrence of ransomware related attacks and claims during the first half of 2023. Both the number of insurance claims relating to ransomware, and the total amount paid to attackers, have increased. US cyber insurance prices have continued to rise, up 11% year over year on average in the first quarter of 2023.
Non-financial applications of ransomware
Some news reports involving ransomware are actually referring to something even more malicious. In scenarios involving a nation-state or political actor attack, the malware may appear to be ransomware but the goal of the attacker is not to ransom the data for financial gain, but rather to disrupt through data destruction via a “wiper” attack12. This is particularly relevant to attacks on critical infrastructure (e.g., power plants, water treatment, airports, etc.) for military or strategic gain, or on political opponents13 or disfavored organizations14. The 2017 NotPetya15 wiper attack was a particularly destructive example of this cyberwar technique.
What privacy and security regulations do organizations need to consider in the context of ransomware?
General Data Protection Regulation (GDPR)
Article 3216 of the GDPR specifies “… the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” including “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and service” and “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”.
Thus, it is clear that organizations subject to GDPR (and similar privacy regulations) that hold personal data need to implement appropriate organizational measures (i.e., internal processes on data management) and technical measures (i.e., security tooling, including privacy by design features) to mitigate against the threat of ransomware.
Gramm-Leach-Bliley Act (GLBA)
In the US, the GLBA specifies17 in § 314.4 the requirement to “protect against the unauthorized acquisition of customer information” which goes directly to the Confidentiality aspect of the CIA triad. The GLBA also specifies the requirement to “Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in your control,” which also covers the availability aspect of the CIA triad.
In the US, the Health Insurance Portability and Accountability Act (HIPAA) specifies the Security Rule18 for the protection of electronic personal health information (ePHI). Specifically, per the US Department of Health and Human Services (HHS), “the Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI).”
Because ransomware is an electronic attack on electronically stored information (as opposed to information stored on paper), the Security Rule is of primary relevance in the context of cyber attacks. Per HHS, “The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI” and covered entities must “protect against reasonably anticipated, impermissible uses or disclosures”. Given the prevalence19 of ransomware attacks on the healthcare industry, ransomware may be considered a “reasonably anticipated impermissible use or disclosure.”
How does this pose a privacy threat for organizations, and what are the repercussions?
Besides the damage to an organization’s reputation and public embarrassment, a ransomware attack and subsequent posting of confidential and personal information can result in lawsuits2021 and penalties22 against the victim organization. As an example of regulatory penalties under the GDPR (in this case, the UK GDPR), in February 2022, the UK Information Commissioner’s Office issued a penalty against a UK law firm following a ransomware attack and data leakage.
How can organizations help guard against data encryption and data leakage from a ransomware attack?
A strategy for failover and immutable backups with rapid restore capability, regularly tested, can prevent an encryption attack on the availability of data. This addresses the immediate tactical need to get a business back online quickly to help limit disruption to customers, employees, and revenue and thus “stop the bleeding” during an attack.
But to prevent a “ransom by threat of disclosure” confidentiality attack, one must prevent the attacker from accessing the data in the first place. This means you need to secure all the “doors and windows” to the house. Increasingly, with cloud, this means you need to build your house securely from the start by implementing governance, enforcing requirements around credentials, encryption, and other best practices, and limiting permissions in an ongoing manner. Meanwhile, you’ll want to continuously scan the environment for risks such as overly broad credentials, inappropriate role assignments, etc. Mature organizations also make use of canaries, which ensure that you’ve implemented the controls you think you’ve implemented (some canaries should always fail; others should always go through). Active threat detection techniques such as workload analysis can provide early detections and warnings in the event an attacker does actually get “inside the house” to catch and block the attacker before they are able to encrypt or exfiltrate data.
Traditionally, ransomware actors have taken a patient and stealth approach with a long “dwell-time” between first entering the environment and actually exfiltrating and then encrypting data. This can be countered with early detection techniques, including composite alerts, rapid and repeated scanning of environments and workloads, and using tools which avoid large numbers of false-positive alerts, which can swamp security teams and distract them from the most actionable and relevant alerts.
What compliance risks and penalties may apply to organizations that pay ransoms?
Organizations that suffer a ransomware attack may, out of desperation, consider paying off the attacker and hope to get decryption keys back, and further hope that the attacker won’t also threaten to leak their data (double extortion). This is a risky gamble, for many reasons.
The US Treasury has published cyber-related sanctions guidance23 and specifically guidance related to paying ransomware attackers24. The US Treasury guidance states, “U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.” This Treasury guidance is quite clear on its face: organizations should focus on defense and prevention of ransomware attacks using quality security tools and processes.
Specifically, the Office of Foreign Assets Control (OFAC) has designated many known ransomware actors as sanctioned entities or individuals. If a victim pays off attackers, the victims themselves can violate US sanctions and thus become subject to US Treasury OFAC enforcement actions. The Treasury specifically states “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not know or have reason to know that it was engaging in a transaction that was prohibited under sanctions laws and regulations administered by OFAC”.
Providers of cryptocurrency “mixer” (i.e., obfuscation) sites are also coming under the eye of law enforcement25 and are subject to criminal prosecution26 as well as regulatory sanctions and penalties. Such “mixer” sites are widely used to launder ransom payments and other criminal funds, and help enable the business of ransomware.
Relevance to privacy and compliance practitioners
From a privacy perspective, ransomware followed by a data leakage can result in violation of privacy regulations including GDPR, GLBA, HIPAA, and others which require “technical and organisational measures” (per GDPR) or similar requirements under US and other laws. This is particularly true where the victim organization cannot demonstrate that it has put reasonable security measures in place to 1) protect against a ransomware attack, and 2) prevent data exfiltration in the event of a ransomware attack.
From a compliance perspective, in the event of a successful ransomware attack, organizations may be under enormous pressure to just pay off the attacker to try to get their systems back up and running. However, even in the best case where the attacker provides keys to decrypt the ransomed data, the mere act of paying the attacker can lead to Treasury investigation and potential penalties and resulting reputational damage to the organization.
For privacy and compliance practitioners, ransomware is not just “an IT problem” as the consequences can be far-reaching beyond just the technical domain. Ensuring your organization has strong and comprehensive security systems, tooling, and processes in place can prevent or mitigate the impact of an attack and reduce the privacy and regulatory penalties and “clean up” required after such an event. This is truly a situation where an ounce of prevention is worth more than a pound of cure. And that prevention must be continuous, as the threat is ever-evolving and always looking for an easy entry point back into the former victim, or the next lucrative target.
4 COST OF A CYBER INCIDENT: SYSTEMATIC REVIEW AND CROSS-VALIDATION, OCTOBER 26, 2020,Page 69.
24 OFAC: Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Updated September 21, 2021)