By William Tolson | Vice President, Global Compliance & eDiscovery at Archive360
Ransomware is malicious software designed to block access to computer systems or files until a sum of money is paid as ransom. Most variants encrypt the files on the affected systems, making them inaccessible, and then demand payment, usually in Bitcoin, to restore access. If the ransom is not paid, the attackers discard the decryption keys, leaving the data unrecoverable and forcing the company to rebuild its systems and data from the ground up. At this point, many simply suggest that the backup tapes can be used to bring the systems and data back to the point just before the infection.
Newer strains defeat that plan with a timer. The ransomware lies dormant after the initial infection and is not triggered until much later, so it is captured in every full and incremental backup taken in the meantime. Restoring from those tapes would only restore the infection.
Is a Ransomware Attack a Breach?
A data breach, the event that triggers government breach-notification laws, is an incident in which an unauthorized party gains access to a computer system and acquires customer or employee data such as passwords, credit card numbers, Social Security numbers, banking information, driver's license numbers, medical records, and other sensitive information. Attackers typically sell this information or use it themselves for identity theft and fraud.
Until this past year, most ransomware attacks were not technically considered breaches, because the data was encrypted in place rather than taken. There was therefore no accompanying obligation to alert government agencies or to send breach notifications to the data subjects whose PII might have been involved.
Access, Wait, Trigger, Exfiltrate, Encrypt
With the newer variants, which copy data to the attackers' servers before encrypting it, the various government breach laws are triggered, adding large expenses on top of any ransom. The most recent IBM and Ponemon Institute Cost of a Data Breach report puts the global average cost of a breach at $3.92 million, and that figure covers only the cost of responding to the breach, not litigation and fines. The 2013 Target breach, for example, has cost the company $252 million to date and the total continues to rise; cyber-liability insurance covered only $90 million of it.
Since 2019 there have been several variants of this new type of ransomware, including Maze, Nemty, and Shade. Maze in particular has been behind several well-publicized attacks in the past year, including the City of Pensacola, Allied Universal, and Cognizant, and in each case sensitive data taken during the attack was released on the internet.
One aspect of these attacks that has not been discussed before, and that I hesitate to raise here, is the idea of turning privacy laws against the targeted company. However, we at the Cybersecurity Tech Accord believe it is always best to know all of the risks associated with this ransomware.
Personally Identifiable Information Is the Biggest Liability
What do all of these ransomware variants have in common? The release of sensitive data on the internet. Sensitive data can include intellectual property (IP), corporate know-how, corporate strategy, future M&A plans, and personal data, that is, personally identifiable information (PII).
Consider this scenario. A large multinational is infected with Maze ransomware on day 1. It propagates throughout the organization and is captured on every full and incremental backup tape over the next six months. On day 180 it triggers and immediately begins copying various data repositories to the attackers' remote servers. Once the copy is complete, it encrypts all servers and repositories overnight. When the encryption finishes, messages begin appearing on workstations announcing that the organization's data has been copied and encrypted in place, and that unless $1 million in bitcoin is paid within one week the encryption keys will be deleted and the data released on the internet.
The company makes a conscious decision not to pay the ransom, and so seven days later 10% of the data, including employee and customer PII, is released on the internet. One month later, your General Counsel receives a letter from the French Data Protection Authority (CNIL) stating that enforcement proceedings are being opened under the GDPR over the exposure of EU residents' personal data. Your potential fine, depending on the circumstances, can be as high as 20 million euros or 4% of total worldwide annual revenue, whichever is higher.
The Wall Street Journal reports on the GDPR action and the possible fines. One month later you receive another communication from the ransomware criminals:
Personally, Identifiable Information is the Biggest Liability
What is the one thing in common with all of these ransomware variants? The release of sensitive data on the internet. Sensitive data can include intellectual property (IP), corporate know-how, corporate strategy, future M&A plans, and personal data, as in personally identifiable information (PII).
Consider this scenario. A large multi-national is infected with the Maze ransomware on day 1. It propagates throughout the organization and is included on all full and incremental backup tapes over a six month period. On day 180, it is triggered and immediately begins copying various data repositories to the hacker’s remote servers. Once the data copy is complete, it begins encrypting all servers and repositories overnight. Once the encryption is finished, messages start popping up on computers alerting everyone that the organizational data has been copied and encrypted in place. If $1 million in bitcoin is not paid within one week, the encryption keys may be deleted, and the data be released on the internet.
The company makes a conscious decision not to pay the ransom, and so seven days later, 10% of the data, including employee and customer PII, is released to the internet. One month later, your corporate legal department’s General Counsel receives a letter from the French Data Protection Authority stating that a GDPR action is being initiated for violation of the GDPR – the release of personally identifiable information in violation of the EU law. Your potential fine, depending on circumstances, can be as high as 20 million euros or 4% of total global revenue.
The Wall Street Journal publishes the GDPR action with the possible fines involved. One month later you receive another communication from the ransomware cyber-criminals stating;
“Unless you pay us a total of $5 million in bitcoin, another 10% of the data will be released on the internet, and oh, by the way, $5 million is much less than the additional 20 million euros you will be fined for the additional PII leakage. And to make matters worse, we noticed that you have PII from several thousand California citizens, so we will be sending an anonymous communication to the Attorney General of the State of California for a California Consumer Privacy Act (CCPA) investigation… have a good day!”
Could this happen? Would the company be held liable under the GDPR and CCPA?
The answer is yes and yes. Neither law fines a company merely for being attacked, but if your company could not stop the ransomware from spreading through the enterprise and copying data, including PII, to the attackers' servers, the regulator will treat that as a failure to implement the appropriate security measures both laws require (GDPR Article 32; the CCPA's duty to implement and maintain reasonable security procedures), and that failure, not the attack itself, is what the fine attaches to.
I was recently asked the following question about this example: is the second release of the PII a separate violation and therefore a candidate for a second (huge) fine? Truthfully, I don't know. As far as I know there is no precedent, so if someone at one of the EU data protection authorities can shed light on this, we would be happy to publish your opinion.
Additionally, the CCPA includes a provision for statutory damages. Normally a data subject suing over a breach must prove actual damages; statutory damages remove that hurdle, since the harm is presumed. If a breach of nonencrypted and nonredacted personal information results from a failure to maintain reasonable security, a consumer can sue for $100 to $750 per consumer per incident, or actual damages if greater, without proving any actual loss, and the Attorney General can separately seek civil penalties.
Is there a solution?
What can organizations do to defend against this new strain of ransomware? There is good news and bad news. The bad news first: keeping cybercriminals out of your enterprise is an ongoing challenge, and the answer remains a combination of hardware, software, and employee security hygiene.
As for the attackers copying your sensitive data before encrypting it and then threatening you with GDPR and CCPA exposure and fines, there is a straightforward mitigation: encrypt all sensitive data, including PII, while it is at rest in your repositories, and keep the encryption keys in a separate location that a compromised server or account cannot reach. Data copied out of your systems in that state is unreadable, so the attackers have nothing to publish. Of course, ransomware that encrypts your already-encrypted data still leaves it unusable to you (unless the ransom is paid or you can restore from clean backups), but the criminals cannot release it on the internet to extract punitive damages from the company.
The encryption has to be designed for this threat, however. Full-disk encryption or transparent database encryption protects a stolen drive, not a running system: an attacker operating with administrator credentials reads plaintext through the same path your applications do. The protection described here requires encryption at the application or field level, with the keys held in a key-management service or HSM that the attacker's foothold cannot call, and every key-use request logged.
This also matters legally. Encrypted data taken without its keys is largely treated as not having been exposed. The CCPA's private right of action and California's breach-notification statute apply only to nonencrypted personal information (or to encrypted data whose key was also compromised), and GDPR Article 34(3)(a) removes the duty to notify data subjects when the data was rendered unintelligible by encryption. Note that GDPR Article 33 still requires you to assess whether the incident must be reported to the supervisory authority within 72 hours; strong encryption makes the "unlikely to result in a risk" exemption far easier to justify, but it is not automatic. A related rule from US civil litigation shows how completely the law treats keyless ciphertext as gone: an encrypted file that can no longer be decrypted because the key was lost is considered destroyed and, if it was relevant evidence, raises an issue of spoliation, otherwise known as destruction of evidence.
So at a minimum, sensitive data stored on-premises or in the cloud should always be encrypted first, with the encryption keys stored separately, so that data subject to the growing number of privacy laws cannot be used in a combined ransomware and privacy-law extortion scheme.
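The following Go program is an added example of the "encrypt first, keep the keys elsewhere" design described above; it is not code from the article or from Archive360. It uses envelope encryption: each record is encrypted under its own random data-encryption key (DEK) with AES-256-GCM, and the DEK is wrapped under a key-encryption key (KEK) that is never written to the repository. The in-memory KeyService, the record IDs and the sample PII strings are constructed for the example; in production the KEK would live in an HSM or cloud KMS. AttackerReadsCopy models the exfiltration step: the attacker holds a complete copy of the repository but not the KEK, and recovers nothing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredRecord is everything the repository holds, and so everything an attacker can copy.
type StoredRecord struct {
	ID         string
	WrappedDEK []byte // per-record data key, AES-GCM encrypted under the KEK
	Ciphertext []byte // record body, AES-GCM encrypted under the DEK
}

// KeyService stands in for the separately held KEK (an in-memory key here; an HSM or KMS in practice).
type KeyService struct{ kek []byte }

func NewKeyService() *KeyService { return &KeyService{kek: randBytes(32)} }

// randBytes returns n bytes from the OS CSPRNG; a failure there is unrecoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal returns nonce||ciphertext under key with AES-256-GCM, authenticating aad.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on a wrong key, wrong aad, or any tampering.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptRecord draws a fresh DEK, encrypts the record with it, and wraps the DEK under
// the KEK. The record ID is associated data for both layers, so a wrapped DEK cannot be
// transplanted onto another record.
func (ks *KeyService) EncryptRecord(id string, pii []byte) (StoredRecord, error) {
	dek := randBytes(32)
	ct, err := seal(dek, pii, []byte(id))
	if err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := seal(ks.kek, dek, []byte(id))
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord is the only road back to plaintext: unwrap with the KEK, then open.
func (ks *KeyService) DecryptRecord(rec StoredRecord) ([]byte, error) {
	dek, err := open(ks.kek, rec.WrappedDEK, []byte(rec.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext, []byte(rec.ID))
}

// AttackerReadsCopy models exfiltration: a full copy of the repository but no KEK
// (the attacker guesses all zeros). It reports whether any record was recovered.
func AttackerReadsCopy(stolen []StoredRecord) bool {
	rogue := &KeyService{kek: make([]byte, 32)}
	for _, rec := range stolen {
		if _, err := rogue.DecryptRecord(rec); err == nil {
			return true
		}
	}
	return false
}

func main() {
	ks := NewKeyService()
	rec, err := ks.EncryptRecord("emp-001", []byte("Jane Doe, SSN 000-00-0000")) // constructed sample PII
	if err != nil {
		panic(err)
	}
	fmt.Println("attacker recovered PII from stolen copy:", AttackerReadsCopy([]StoredRecord{rec}))
}
```

Two design points carry the legal argument. Binding the record ID as associated data means a wrapped key cannot be moved between records, and GCM's authentication tag means any edit to the stolen copy is detected rather than silently decrypted. Just as important is what the program does not do: the KEK never touches the repository, so the attacker's exfiltrated copy is ciphertext plus wrapped keys and nothing else. If the compromised host can itself call the key service without restriction, this scheme degrades to transparent encryption, which is why key-service access control and logging are part of the control, not an optional extra.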
This straightforward partial ransomware defense should help CEOs, CISOs, and CROs focus their attention on preventing unauthorized access in the first place.