Ransomware attacks are becoming more prevalent around the world. The sophistication of these attacks is growing and their targets are becoming more wide-ranging, to the point where the U.S. Department of Justice launched a ransomware task force in April.
The concept of a ransomware attack is straightforward, but where personal data and proper data protection factor in is a little less clear.
Ice Miller Partner Guillermo Christensen and Morrison & Foerster Partner and Co-Chair of the Global Risk & Crisis Management group Alex Iftimie are both in the thick of the ransomware conversation these days. Christensen, a former U.S. Central Intelligence Agency intelligence officer, not only advises on how to respond to ransomware attacks but also has taken part in negotiations with assailants. Iftimie advises Fortune 500 companies on all aspects of breach preparedness and response while also working on sensitive U.S. national security matters, internal investigations and government enforcement actions.
In this first-of-its-kind Member Spotlight, Christensen and Iftimie spoke with IAPP Staff Writer Joe Duball on all things ransomware, specifically highlighting how personal data can be leveraged and how companies can better equip themselves to face attacks.
The Privacy Advisor: I want to start with this DOJ task force, which in itself shows the seriousness of the ransomware issue, but also how the new unit will notably treat matters related to these attacks on the same level the DOJ handles terrorist threats. What do you both make of this parallel being drawn?
Christensen: There are two ways to interpret their words. One is they are going to use a tremendous amount of resources because this is viewed as a serious problem akin to terrorism. That's my charitable view and what I hope they're saying. I really hope they don't view it like terrorism in the other sense, because if they're taking resources away from that fight to do ransomware then we have a problem. We have not yet reached the level of ransomware approaching Sept. 11 or some other major attack. It's also unlikely to get to that level because the threat actors here are looking for gain or profit. They're not right now aiming to terrorize populations. That's not to say ransomware couldn't be used for that purpose, but right now we're looking at it from the perspective of preventing the threat of the tool.
Iftimie: I'm not sure the reality of what's happening on the ground is quite as startling as some of the media has portrayed it. I do think the creation of this centralized task force to deal with issues of ransomware and digital extortion is an indication these threats have reached epidemic proportions. With respect to the comparison to terrorism, I think it's worth parsing the language of the DOJ carefully. What they said is they are using a similar mechanism for centrally organizing and reporting ransomware cases in the same way that is done for terrorism-related cases, which is to say, rather than having ransomware cases be addressed by local U.S. attorneys' offices across the country in a decentralized fashion, the DOJ sees value in coalescing these cases so there is an ability to learn from similar cases across the country while developing consistent investigative and prosecution tools.
The Privacy Advisor: Ransomware incidents that have recently made headlines, like the attacks on U.S.-based Colonial Pipeline and Brazilian meat producer JBS, did not involve any personal data. Ransomware has been used more exclusively on personal information in the past, but how is it still targeted as these attacks become more sophisticated?
Christensen: The motivation at the outset was to put more pressure on a company to pay quickly. When it's not a Colonial Pipeline or a JBS but more of a smaller company that isn't impacting a broader supply chain, the attack can often be kept relatively quiet. The ransomware gangs have been doing this a long time now, and I wouldn't go as far as saying they've perfected the business model, but they've got it down pretty well. So now they know they have the data, and the more sophisticated groups have spent the time parsing through the data that is most valuable outside of the ransomware event. In other words, they've stolen data they can sell to other people, like customer lists, on marketplaces where they can make more money on top of the ransomware.
Iftimie: This double extortion scheme is a big hook that has grown in prevalence. They not only deploy ransomware in order to encrypt victims' data in place, but they're also stealing data from victims and going after sensitive data in order to use it as a secondary extortion mechanism. Essentially they'll say that they will publish data and embarrass a company and harm the individuals whose data we've stolen unless you pay our ransom. What these actors realize now is their need to get around the fact that in some cases people won't pay them because they'd rather recover from backups. Now they'll steal data, so even if there are backups, the company will still be concerned about the reputational costs of this data being published online.
The Privacy Advisor: Have we moved away from scenarios where ransomware may only target personal data and now this double extortion is the only time we'll see personal information looped in?
Christensen: It's a fundamental flaw in the business plan of these criminals to try and extort people based on having stolen data alone. There is no way to "return" the data. When I am counseling clients on the stolen data, my advice to them is please don't think about paying to keep the information confidential. It won't work. This kind of theft and subsequent sale has gone on for a long time without ransomware. If you're going to just steal data for resale purposes, you can make a ton of money on dark marketplaces, but you don't tell people you have the data. So the ransomware model, where you admit to your hacking, really works against this idea of an anonymous theft.
The Privacy Advisor: So with attacks that loop in personal data, there's clear grounds for a company to initiate data breach notification protocols, right?
Iftimie: The fact the threat actors have accessed data and stolen it is, in basically every legal framework, sufficient to trigger whatever legal obligations a company will have to make notifications to individuals and regulators. An extortion payment subsequently deleting the stolen data does not generally obviate a victim's need to go through the legal analysis and deal with the consequences that data was accessed and stolen. You're not off the hook just because the bad guy deleted the information. The calculus for these decisions is most often about reputational consequences, but you really can't count on the bad actors to actually delete the data. They may provide you with screenshots or logs that purport to show the data being deleted, but we know these actors are going to monetize the data they've stolen in whatever way possible. You really have no guarantees.
The Privacy Advisor: As far as data security measures go, what are some of the tactics you are advising clients to use in order to mitigate risks of a breach via ransomware?
Christensen: Every single account with network access, internal or external, should be protected with a second layer of required authentication. It should not involve text message-based numbers because we can see how easily they can get compromised. That's probably numbers one through five since people, for some reason, just don't do it even when you tell them. You have to look at other areas of potential access too, like especially these days with the so-called remote access protocol. If it's not secured and used in a way that is corruptible, it's like the hacker is sitting at your computer. If you have those services they have to be completely secured, and if you don't really need them then don't use them.
Iftimie: Ransomware groups are incentivized by the financial payout. They are going to look for the easiest ways into the largest number of systems because this is a game of big numbers for them. The more ransomware they install, the more payouts they'll receive. They're not the sophisticated nation-state hackers spending months exploiting a system. They're going to take that low-hanging fruit. If organizations can eliminate the exposure to those easy pathways providing that low-hanging fruit, then they will decrease the risk of being a victim of one of these attacks many times over.