Ransomware attackers are charging millions to cover up GDPR breaches

Cyber criminals have developed a new way of strong-arming people into paying ransomware demands, according to a Sophos report.

The state of ransomware 2020 discusses the evolution in ransomware attacks, from the ‘spray and pay’ tactic to sophisticated and tailored attacks that exploit people’s fears over their data breach notification requirements under the GDPR (General Data Protection Regulation).

The Regulation states that organisations must report data breaches within 72 hours of discovering them. However, the fraudsters claim – erroneously – that by paying up, the organisation won’t need to disclose the incident.

Double extortion

Sophos’s report found that attackers are increasingly taking a more hands-on approach, researching their targets in advance to learn what type of business they do and what information they store The crooks then use this information to communicate directly with their targets and to “double extort” them.

For example, the scammers might say: “You’ve got to pay the ransom if you want to get the keys, but you also need to pay us to keep quiet or we’re going to tell the regulators and you’re going to have a GDPR violation or a [California Consumer Privacy Act] violation […] or HIPAA [breach]”.

This method of attack greatly increases the amount of money they could extort.

Rather than simply demanding an amount of money that would incentivise the organisation to pay up rather than facing the costs of repairing the damage, the criminals can add on the amount of money the organisations might otherwise be fined.

There are still plenty of criminals using the traditional attack method, which is to target as many organisations as possible and hope that some will pay up.

But as businesses have begun to understand that paying ransoms isn’t a viable or ethical solution – because it encourages and perhaps funds future attacks – attackers are having to work harder to force victims to comply.

Prevent ransomware attacks

Chester Wisniewski, principal research scientist at Sophos, says that organisations can protect themselves from cyber extortion with defence measures such as artificial intelligence and staff awareness training.

However, he adds that the most effective thing organisations can do is to simply not pay.

Sophos found that businesses spend the same amount recovering from the attack whether they pay the ransom or not.

And, of course, paying a ransom doesn’t rid you of your GDPR requirements. Regulators won’t care whether you’ve paid the ransom and had assurances that the data wasn’t misused. A data breach has occurred the moment the criminals have accessed your sensitive data.

You would be much better off spending your money on preventive measures or on incident response, which would enable you to mitigate further damage and let those affected understand how they can stay safe.

Plus, if enough organisations follow this strategy, criminals will realise that ransomware isn’t an effective strategy, giving you one less thing to worry about.

If you want advice on how to respond to a security incident, take a look at our GDPR Data Breach Support Service.

Our specialist team will take the lead and guide you through the process, helping you balance your responsibilities while you can focus on your business operations.

Learn more