GDPR has been on everyone’s mind for the last two years, especially for organizations that do business in Europe. GDPR is all about accountability: organizations must comply with the new regulation, and they must demonstrate their compliance with detailed documentation. That documentation must show that a process is in place which ensures that personal and sensitive data are protected and/or can be deleted at the request of the user or organization.
This post is not meant to give a complete understanding of the full extent of GDPR, but to point out a trend in cyber extortion, otherwise known as hacker blackmail or ransomware. It can be defined as online extortion by holding data hostage. It sounds scary, and under GDPR any ransomware attack must be reported within 72 hours of discovery. This could without a doubt hurt the organization publicly and also have financial consequences, but it is a requirement that information about organizations that have not complied with GDPR is made public.
The picture above shows the WannaCry ransom note. During the WannaCry outbreak, bitcoin was used to pay the $300 demanded to unlock the data. Since bitcoin uses blockchain technology, a Twitter account called @Actual_Ransom has been following the three blockchains. WannaCry gained around 60 bitcoins, and the total is still rising today. At today’s bitcoin price of 16,834 USD per BTC, 60 BTC equals a staggering 1,010,070.40 USD. It is crazy (and scary) to think that the rising popularity of bitcoin and cryptocurrency has fueled cybercriminals.
GDPR comes into force on 25 May 2018. Security experts predict that hackers or scammers will begin to steal data with ransomware and then blackmail the victims by threatening to report them to the GDPR commissioner. Paying these criminals a ransom might be cheaper than risking the maximum fine of either 20 million euro or 4% of the organization’s annual turnover.
So, how can one protect oneself from this?
Cyber extortioners make easy money with ransomware, but we must first debunk the myths about what can protect you.
Firewalls and other perimeter defenses are just that: defenses that try to protect you, but even they might not have the right tools. Most organizations today are not following best practices. Cybercriminals succeed because unused open ports or outdated security protocols are still in place.
Internal IT is under a lot of pressure and is constantly being downsized, because IT does not make money directly. Many organizations’ IT infrastructure was built years ago, and the people who implemented it have since left, leaving gaps of unknown security risk. IT administrators do not always follow a best-practice security approach, mainly because security has been at the back of people’s minds for so long.
Backups are the most overlooked myth. People usually take backups but do not actually know how to restore from them. Organizations also often never monitor their backups, which results in incomplete backups or full backup drives.
I remember when I was working in the US and we were affected by ransomware. The first thing I did was instruct all the employees to unplug the Ethernet cable from their computers. This immensely stopped the attack and allowed us to isolate the computer(s) that had been infected. As soon as we found the user whose computer was infected, we also disabled the Active Directory rights for that user. This brings us to the first prevention method.
- Disconnect from the network immediately when a breach is discovered, to reduce not only the number of your own files that get encrypted, but also the files in any shared folders you are connected to.
- Do not pay. Shortly after WannaCry started spreading around the world, the email account named in the ransom note, through which victims were supposed to receive the unlock code, was shut down by the company that hosted it. As a result, many organizations that had already paid the ransom never received the so-called release code. Studies show that only 33% of companies received a release code.
- Engage third-party cyber security experts or organizations to regularly attack your organization’s IT infrastructure and applications. It can also be useful to test staff awareness by sending simulated phishing emails to employees.
- Backups are listed as a myth above, but if they are done correctly, with a detailed backup and recovery test performed at least quarterly, they can prevent your data from being locked away by cybercriminals.
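The backup myth above and the last bullet both come down to knowing, before an incident, that a backup can actually be restored. The following is an added example, not code from the original post, showing one way to make that quarterly recovery test repeatable: it writes a backup together with a SHA-256 manifest, trial-restores the archive into a scratch directory, compares every file against the manifest, and reports a truncated archive of the kind a full backup drive produces. All directory names, file names and file contents are constructed sample data.

```python
import hashlib
import io
import json
import os
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir: Path, backup_path: Path) -> dict:
    """Archive src_dir into a gzipped tar and return a manifest of relative path -> SHA-256.

    The manifest is also stored inside the archive, but the returned copy should be kept
    separately (for example in the backup log): a damaged archive must not be the only
    record of what it was supposed to contain.
    """
    manifest = {}
    for p in sorted(src_dir.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(src_dir).as_posix()] = sha256_of(p)
    with tarfile.open(backup_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(src_dir / rel, arcname=rel)
        blob = json.dumps(manifest, indent=2, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def verify_restore(backup_path: Path, expected: dict) -> list:
    """Trial-restore backup_path into a scratch directory and compare it with the manifest.

    Returns a list of problems; an empty list means every expected file was restored intact.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(backup_path, "r:gz") as tar:
                members = tar.getmembers()
                # Refuse archives whose member names would write outside the restore directory.
                for m in members:
                    if m.name.startswith("/") or ".." in Path(m.name).parts:
                        return [f"unsafe member name: {m.name}"]
                tar.extractall(scratch, members)
        except (tarfile.TarError, EOFError, OSError) as exc:
            # A truncated or corrupt archive (e.g. written to a full backup drive) ends here.
            return [f"archive unreadable: {exc}"]
        for rel, digest in expected.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_of(restored) != digest:
                problems.append(f"hash mismatch: {rel}")
    return problems


def demo() -> dict:
    """Constructed sample run: a clean restore, a mismatching manifest, a truncated archive."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "fileshare"  # constructed sample tree
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2018-05-25,100\n")
        # Incompressible sample data so the archive is large enough to truncate mid-file.
        (src / "finance" / "scan.bin").write_bytes(os.urandom(4096))
        (src / "readme.txt").write_text("constructed sample data for the restore test\n")

        backup = work / "backup.tar.gz"
        manifest = make_backup(src, backup)
        results = {"clean": verify_restore(backup, manifest)}

        # Simulate a restored file that no longer matches its recorded hash.
        tampered = dict(manifest)
        tampered["readme.txt"] = "0" * 64
        results["tampered"] = verify_restore(backup, tampered)

        # Simulate an archive cut off half-way, as happens when the backup target fills up.
        raw = backup.read_bytes()
        truncated = work / "backup_truncated.tar.gz"
        truncated.write_bytes(raw[: len(raw) // 2])
        results["truncated"] = verify_restore(truncated, manifest)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

Run the script as-is to see all three outcomes; in practice `verify_restore` would be scheduled against each backup set with the manifest stored separately from the archive, so that an incomplete or unreadable backup is noticed by monitoring long before anyone needs it.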
Esther Pauline “Eppie” Lederer, the American advice columnist, wrote back in 1975: “If you think education is expensive, try ignorance.” This is still true in today’s digital world. Internet ignorance starts with people’s blind belief that they are secure. Organizations do not spend enough time training their staff in security awareness, and people generally feel a false sense of security from firewalls and antivirus software. Organizations will undergo major changes in the coming months because of the new GDPR requirements. This change is a wonderful opportunity for organizations to go through their security protocols and spend some time educating employees at every level on how little it takes to be attacked, and how large the impact of a simple attack can be. Cyber extortioners are just sitting there, waiting for us to make a single mistake.