As I described in some other recent writings (I think it may even have been the one from last weekend), ransomware is probably one of the newest forms of cyber-attack occurring in the mainstream today.
Essentially, with this kind of threat, a cyber attacker holds your computer for “ransom” by encrypting your files and locking your screen. The only way out is to pay the ransom, usually in a virtual currency such as Bitcoin.
But even paying up is no guarantee, as the cyber attacker could very well take your money and run without handing over the decryption key needed to unlock your files. Now there is a new variant of this threat coming out, known as the “ransom hack”. You will see how it got this name once I put more context around it.
Just recently, the European Union put new legislation in place called the “General Data Protection Regulation”, or “GDPR” for short.
This can be likened to laws we have here in the United States such as HIPAA, which mandates that specific safeguards be in place to protect patient data and that the data is accessed only by authorized healthcare professionals. If not, healthcare companies can face hefty fines.
But the key with HIPAA was that it was rolled out in phases, over a period of years, giving the various healthcare institutions time to adjust to the new law and come into compliance with it. The GDPR, by contrast, gave businesses and corporations a single fixed window (it was adopted in April 2016 and became enforceable on 25 May 2018) to get their privacy policies and controls in place and make sure they are in compliance, and many left it to the last minute.
If not, the penalties are even harsher than they are here in the United States: up to 20 million euros, or 4% of worldwide annual turnover, whichever is greater (YOUCH). Because of this huge fear of non-compliance, European business entities are literally scrambling at the last minute to get there, and as a result mistakes are being made.
Cyber attackers are fully aware of this and are playing on both the time pressure and the human fear, extorting businesses through a new form of cyberattack dubbed the “ransom hack”, as just described.
However, it should be noted that this new form of attack differs from regular ransomware in that it does not encrypt files or lock up computer screens. Rather, the cyber attacker breaches the company, steals its customers’ private records, and threatens to publicly leak them via a server online unless the ransom is paid in full, usually in Bitcoin or some other type of virtual currency.
So far, it appears that only SMBs in Bulgaria have been specifically targeted with this new kind of attack. The ransom, which so far has ranged only from $1,000 to $20,000, is actually quite low when compared to the stiff fines the European companies face under the GDPR, as described earlier.
Although many European companies claim to have come into compliance with the GDPR, they have not yet penetration tested, or executed any other mechanism, to make sure that their lines of defense are actually secure.
As a result, a breached company may be tempted to quietly pay the cyber attacker rather than have the data breach disclosed to the public and pay the huge penalties. One caveat a company should weigh before doing so: the GDPR (Article 33) requires a data controller to notify its supervisory authority of a personal data breach within 72 hours of becoming aware of it, so paying the attacker does not remove the reporting obligation, and failing to report is itself a violation of the regulation.
Really, in the end, this is just a newer form of what is known as “digital extortion”. Although at present the cyber attacker is only demanding smaller amounts of money, the demands could ratchet up very quickly, as this quote explains:
“Companies will have ransom prices associated with them that cybercriminals can determine by taking publicly available financial details and working out the respective maximum GDPR fines the companies could face. This will drive an increase in breach attempts and ransom demands.” (SOURCE: https://cyware.com/news/ransomhack-cybercriminals-already-using-gdpr-to-blackmail-businesses-in-new-extortion-scheme-7d92e871).
My thoughts? Yes, this is a variant of the ransomware attack, but again, no technology is really being held captive. It is only the confidential information and data that the cyber attacker has managed to get their hands on, and the threat is to make it publicly available.
And if the breach comes to light, the company will have to pay a penalty of up to that 4%, and face other repercussions such as lost customers and severe reputational damage. So, rather than go through all of this, it can seem to make sense for the victim company to pay the ransom and move on.
But then again, there is also the real risk that even if the ransom is paid, the cyber attacker could still leak the customer information and data to the public, and the company will face a huge financial double whammy: 1) the ransom, and 2) the fine. So really, in the end, this is more of a social engineering attack than anything else: it trades on fear and time pressure rather than on any novel technical exploit.
So, what is a European company to do? First things first: get your IT infrastructure pen tested, no matter what. Also, take the time to make sure that you really are in compliance. Yes, time is of the essence, but it is absolutely crucial to get things right the first time rather than doing them in haste, which will cost you more money in the end.
And to US-based SMBs: beware of this new threat too. Cyber threats know no defined geographic boundaries, and this one could hit you tomorrow.