Dear privacy pros,
Shortly after my last introduction, where I alluded to the rise of xenophobic attacks stemming from the identification of coronavirus variants with a particular country, the World Health Organization formally adopted a new naming scheme for variants of the SARS-CoV-2 virus using letters from the Greek alphabet.
Unfortunately, based on recent news reports, I don’t think the situation has improved. Note to editors: Calling the B16172 variant “the Delta variant of the virus first detected in India” kind of defeats the purpose of adopting the new labeling convention.
Since my last letter, there have been several developments in the ransomware space. Hot on the heels of the Colonial Pipeline incident, there was a cyberattack on JBS USA, one of the world’s largest meat processors. JBS paid the ransom of approximately $11 million in bitcoins to the Russian-linked REvil group responsible for the attack.
Closer to home, Singapore's Personal Data Protection Commission published a couple of decisions on breaches associated with ransomware attacks. In one case, health care training provider HMI Institute of Health Sciences was fined $35,000 for an incident that resulted in the unauthorized access of personal data of more than 110,000 people. HMI allegedly left a well-known vulnerability open for more than four years, resulting in hackers gaining access and installing ransomware that encrypted and denied access to various files on the affected server.
In another decision, web design firm Webcada was fined $25,000 for, among other breaches, failing to correctly configure the tools it used to remotely monitor and manage its database servers. This resulted in a ransomware attack that exposed the personal data of 522,722 customers of online shopping websites Webcada designed for its clients. Neither company paid a ransom.
In the wake of the Colonial Pipeline hack, the U.S. Department of Justice elevated investigations of ransomware attacks to a similar priority as terrorism. Earlier this week, President Biden and other leaders of G-7 nations committed to working together to address the escalating threat posed by such attacks.
It is possible such efforts are already beginning to bear fruit. The DOJ recovered $2.3 million of the ransom paid to the criminal hacking group DarkSide by following the Bitcoin transaction trail. How the money was seized is still a bit of a mystery, but the FBI was apparently able to lay its hands on the private encryption keys for the custodial account containing the bitcoins. One might speculate this may have something to do with the Trojan horse messaging app AnoM, which the FBI and law enforcement agencies in other countries secretly encouraged suspected criminals to use for more than two years. If so, such large-scale eavesdropping on private encrypted communications and entrapment, even to bust crime and recover ill-gotten gains, raises some challenging privacy and other legal issues.
Finally, it is interesting to note the reports that DarkSide shut down its operations, as has Avaddon, the hacking group responsible for the AXA ransomware attack. Avaddon even gave away the decryption keys for nearly 3,000 victims of its ransomware attack, which software company Emsisoft used to create a free tool for victims to decrypt their files. The Maze Collective, another group allegedly responsible for ransomware attacks on companies including Canon, Xerox and Cognizant, has closed operations.
I will leave you to ponder whether these groups are ceasing operations because they have made enough money or whether they are just getting too much unwanted attention right now.