Extortionists like multiple levers
In my last blog, I wrote about the perils of data growth and the increased ‘attack surface’ it presents, which was part of a wider message on data and sustainability. Here, I’m digging into the security aspect of data growth, how it relates to cyber-attacks and especially to ransomware.
Let’s start with the mind of the attacker. The more hooks they have in you, the more likely you are to pay. Even now, organisations (commercial & public sector) are still falling victim to ransomware without a reliable cyber-recovery strategy. If your attacker infiltrates your organisation undetected for months, not only can they encrypt your data, but they can also exfiltrate it. This is an increasing problem, known as leakware, or double extortion.
The idea behind leakware is that in addition to encrypting your data, the attackers will also make exfiltrated sensitive data publicly available. The aim is to scare you into paying the ransom not just to get back access to your encrypted data, but also to avoid regulatory fines and/or lawsuits. Both can be eye-watering in scale, and despite the headlines GDPR isn’t the scary one here – class action suits could cost many times more [1]. There’s also brand damage, which can really hurt you depending on the sector you operate in. Leaked legal, financial, or medical records are particularly devastating, and research indicates that a data breach in a small or medium business leads to closure of the company in up to 60% of cases [2].
Ransomware-as-a-Service doesn’t come with an SLA
The murky world of ransomware has a lot of variability. Ransomware-as-a-Service means you could be hit by an inexperienced hacker looking to make a fast buck, or a ‘professional’ criminal gang with capabilities that rival that of nation states.
So, on the upside they might be bluffing about having your data… but how can you tell for sure? If they offer you a sample or file names, ask to see everything. It’s easy to make copies, and a professional gang can (somewhat ironically) give you a secure connection. They won’t worry about storage costs either. This will also give you some time to check your security logs, and to engage a crisis/breach management specialist [3].
Doh! They have our sensitive data!
‘Well, that’s just bad luck, isn’t it?’ Unfortunately, regulators and litigation lawyers will always see the answer to that as ‘no’. From unpatched firewalls and VPNs to unsecured cloud buckets and rogue employees, it’s always the fault of the organisation, and it’s the organisation that ultimately pays up. Er, but…
- My data was encrypted! Encrypting data at a storage level doesn’t help if hackers have user-level access
- The user shouldn’t have had the breached data in the first place! Still your fault – training, access controls, data policy etc.
- It was the database admin that made an insecure copy. A control issue: DBAs should not have unchecked access that enables them to make unauthorised copies
- How can we pay that much??? Maybe you shouldn’t have collected personal data that you didn’t explicitly need, or held on to data for so long
Where (and when?) did you park your time machine?
Sadly, if you’re in a situation right now where leakware has led to a confirmed data breach, you have very few options. ‘What about my cyber-insurance?’ I hear you say. Before you rely on it (or buy it) I recommend you research it carefully – many experts question its impact and its value [4].
If you operate in the EU, and personal data on EU citizens is compromised, you MUST report a data breach to the supervisory authority within 72 hours. The UK’s Data Protection Act 2018 is the same. Regulations in other countries vary, but trying to keep a breach quiet will invariably get you into more trouble and will always lead to larger fines than ‘fessing up’. You also have a duty to your customers (and suppliers) to notify them so that they can take any necessary action to protect themselves – failures here will harm you in court if that’s where you end up.
Ultimately, for leakware to work the cyber criminals are relying on your integrity falling short. If it does and you pay the crooks, how can you be sure they will delete the copies they have? You really can’t.
Three steps you can take today to mitigate the risk of leakware:
- Have a security review. Employ some security specialists to assess your organisation and importantly, act on what they say
- Sort your data out. Data growth increases your attack surface (risk) and costs you lots of money. Profile your data and expire, secure and archive based on content and business policy. Automate it for the future or you’ll end up in the same state again
- Get a training program in place. Your users are a big risk factor, and they are also your eyes and ears. Training helps reduce risk and spot issues early
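As an added example of the ‘profile your data and expire, secure and archive’ step (not code from the original post), here is a small Python retention profiler. It classifies constructed sample file records by content and age against a hypothetical policy table, and returns the action a data owner should take; the detectors and retention periods are assumptions for illustration, not a real DLP ruleset.

```python
import re
from dataclasses import dataclass
from datetime import date

# Hypothetical retention policy in days; a real one comes from legal/business owners.
POLICY = {
    "personal":  {"archive_after": 365,     "expire_after": 365 * 3},
    "financial": {"archive_after": 365 * 2, "expire_after": 365 * 7},
    "general":   {"archive_after": 180,     "expire_after": 365 * 2},
}

# Constructed content detectors: an e-mail address or date of birth marks "personal",
# a 16-digit card-style number or an IBAN marker marks "financial".
DETECTORS = {
    "personal":  re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+|\bDOB:\s*\d{2}/\d{2}/\d{4}"),
    "financial": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b|\bIBAN\b"),
}

@dataclass
class FileRecord:
    path: str
    last_modified: date
    sample: str  # leading bytes of the file, already read by an inventory scanner

def classify(sample: str) -> str:
    for category, pattern in DETECTORS.items():
        if pattern.search(sample):
            return category
    return "general"

def decide(rec: FileRecord, today: date) -> dict:
    category = classify(rec.sample)
    age = (today - rec.last_modified).days
    rule = POLICY[category]
    if age >= rule["expire_after"]:
        action = "expire"   # delete under policy: data you no longer hold cannot leak
    elif age >= rule["archive_after"]:
        action = "archive"  # move off live systems into access-controlled storage
    elif category != "general":
        action = "secure"   # live sensitive data: restrict access, review who can copy it
    else:
        action = "keep"
    return {"path": rec.path, "category": category, "age_days": age, "action": action}

def profile(records, today: date) -> list:
    return [decide(r, today) for r in records]

# Constructed sample inventory, profiled as of 1 June 2025.
SAMPLE = [
    FileRecord("hr/applicants_2019.csv", date(2019, 3, 1), "name,email\nj.doe@example.com"),
    FileRecord("finance/cards_q1.txt", date(2024, 1, 10), "4111 1111 1111 1111"),
    FileRecord("shared/minutes.txt", date(2025, 1, 5), "Agenda: office move"),
    FileRecord("hr/onboarding.csv", date(2025, 4, 1), "DOB: 12/05/1990"),
]

def profile_sample() -> list:
    return profile(SAMPLE, date(2025, 6, 1))
```

Running `profile_sample()` flags the six-year-old applicant list for expiry, the two live sensitive files for securing, and leaves the meeting minutes alone; the same loop run over a real inventory feed is what turns the policy into an automated control.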
No security is foolproof, so in addition to these steps, having a backup and disaster recovery system that is resilient to ransomware is also critical. Look for a zero-trust security model, immutable backups, and air-gapped cloud storage as a minimum. These won’t help with leakware, but they are essential components of any serious ransomware risk mitigation strategy.
As I said in my last blog, sorting out your data can save you buckets of money, enough to beef up your security and train your staff, with change to spare. I can’t see any boardroom turning that down.
[1] EasyJet example: DPA 2018 (GDPR) states that companies who fail to secure personal data can be fined up to 4% of their turnover – for EasyJet in 2019 it was a little over £6B; pre-pandemic law firm PGMBM planned to file an £18 billion class-action lawsuit for the same breach. While neither is likely to meet the headline figures, the company could end up paying out on both
[2] 6 Potential Long-Term Impacts of a Data Breach, Security Intelligence, Nov 2021 https://securityintelligence.com/articles/long-term-impacts-security-breach/
[3] Crisis management companies can provide forensic security services, expert IT support, legal help and reputational damage management – but don’t wait until you need one to research them
[4] Cyber-Insurance Fuels Ransomware Payment Surge, Threatpost, June 2021 https://threatpost.com/cyber-insurance-ransomware-payments/166580/