One of the big headlines in the past few weeks has been the emergence of ‘ransomhack’ – “a new form of cyberattack” which leverages GDPR in its ransom demands.
Holding compromised companies and their data to ransom has proved an effective tactic – ransomware attacks rose 350% last year, and hit 54% of organisations. An estimated $301 million was paid to attackers between Q2 2016 and Q2 2017, and recently published research suggests that losses from ransomware will exceed $8 billion in 2018.
Though ransomware activity has made less of a splash in the press this year, Bulgarian cybersecurity company TAD GROUP sees ‘ransomhack’ as its spiritual successor.
In a recent blog post, TAD GROUP discussed “the emergence of a new method for blackmailing the market” in response to the introduction of GDPR. According to the company, this new method (which it has dubbed ‘ransomhack’) targets medium and large scale Bulgarian companies. Working off the successful ransomware model, the hackers hold data to ransom – but rather than encrypting it and threatening to make it irretrievable, they threaten to leak the data and expose the breach.
TAD GROUP suggests that organisations engage penetration testing, awareness training and social engineering tests (all of which, conveniently, TAD GROUP offers) to avoid becoming victims themselves.
The well-known price tag GDPR’s maximum fines put on a breach – up to 4% of the global annual turnover for the previous year, or €20 million, whichever is higher – makes it easy for a hacker to simply find out how much a company could be fined, and make sure their ransom demand is substantially lower. The ransoms observed by TAD GROUP range from $1,000 to $20,000, which, if the alternative is the maximum fine under GDPR, represent a considerable discount.
At this point, before the issuing of fines for breaches disclosed under GDPR, it’s hard to tell whether the maximum fine is likely to be issued. Maximum fines certainly weren’t the norm in the UK before GDPR came into effect, but given the widespread publicity the new regulation received, it’s possible that the ICO will – at least at first – err on the steep side to avoid being seen as all bark and no bite.
The concept of ‘ransomhack’ has taken off, with journals such as Silicon Angle bringing it to a wider audience than TAD GROUP perhaps anticipated. And it’s not exactly a shock – Trend Micro’s predictions for 2018, for example, saw this method of leveraging GDPR coming a mile off.
But is holding data to ransom really a brand-new concept? Is it really yet another thing we can blame on GDPR?
The explicit mention of GDPR may be new, but threat actors demanding payment to prevent them from exposing a breach is hardly cutting-edge, nor is it Europe-specific. Liberty Holdings (South Africa), Ticketfly (USA), and both Bank of Montreal and Canadian Imperial Bank of Commerce’s online bank Simplii Financial (Canada) are all examples outside the European Union.
If any of the targeted institutions hold data on EU citizens, of course, they would be subject to GDPR regardless of where their operations are based, but none of the leaked threats in these cases seem to mention GDPR fines. And the latter example, in which the hackers demanded a ransom of a million Canadian dollars’ worth of Ripple tokens, demonstrates that even without a specific price to undercut, ransom demands can be pricey.
Quite apart from the non-EU victims of ‘ransomhack’, attackers threatening to expose a breach unless paid off is nothing new. It was the modus operandi of the ‘Rex Mundi’ group, for example, from at least 2012. Victims of the group, which in its early years publicised its activities heavily online, included AmeriCash Advance, Drake International, AlfaNet, Domino’s Pizza, and Banque Cantonale de Geneve (BCGE), among others.
The group typically operated by hacking into companies’ networks, stealing private information, and holding it to ransom. In addition to demanding a fee for not leaking the details, on occasion they would also offer to reveal the vulnerability which allowed them entry to the systems for an additional sum, and charge interest for each day’s delay in paying. By the time the arrest of several members over the past year put the group’s activities to a halt, the system was well-oiled and professional.
Overt hacker groups like Rex Mundi aren’t the only ones with a history of this behaviour. Cybersecurity company Tiversa was accused of “corporate blackmail” after a former employee testified that the firm sought out vulnerabilities in companies’ security, led them to believe that the vulnerability had been exploited by known criminals, and then offered them a chance to engage Tiversa’s incident response services. The alternative, according to the whistleblower, was that Tiversa would tip off federal data regulators, and leave the company facing court cases, fines, and heavy reputational damage.
What’s more, given the nature of these ransom schemes, we have to assume that for every case we hear about, there are plenty that never come to light because the company agreed to pay off the attackers.
Even now, with cybersecurity supposedly being taken more seriously, one in three businesses say they’d rather pay a ransom than invest in cybersecurity.
So what’s new about ‘ransomhack’? Well, there’s the name, which arguably has a cooler, more ‘cyber’-y ring to it than plain old extortion. And of course there’s the threat of GDPR fines – though it’s hardly surprising that we’re only seeing those now that they’re enforceable.
Many people have asked what GDPR will really mean for companies that suffer data breaches. With stricter data breach reporting regulations, more and more breaches are being announced, including at big-name organisations such as Adidas, Ticketmaster and Monzo – and that’s just in the past week.
‘Alert fatigue’ is a problem for a lot of cybersecurity professionals – ‘breach notification fatigue’ might be set to become one for consumers. If so, and if data protection authorities maintain the ICO’s record of issuing relatively forgiving fines, ‘ransomhack’ attacks leveraging GDPR fines as a threat may either see a fall-off or a reduction in price.
Whatever happens, it’s unlikely to spell the end of hackers extorting compromised companies. If hackers think they can turn a higher profit, expend less effort or take fewer risks by extorting a company than by selling the stolen data online, that’s what they’ll do. It’s what they’ve done for years.
Consultants, cybersecurity providers and, yes, journalists too, have been riding the GDPR wave as far as it’ll take them, but when the next big thing comes along they’ll jump ship just as happily. Why should we expect any less from hackers?