David Bisson

David Bisson is an infosec news junkie and security journalist. He works as Senior Content Manager at Bora, Associate Editor for Tripwire's "The State of Security" blog, Contributing Editor for IBM's Security Intelligence, and Contributing Writer for Palo Alto Networks' Security Roundtable, Gemalto, Venafi, Zix Corp, AlienVault, Barkly and others.

New “Ransomhack” Campaigns Threaten to Expose Companies to Regulatory Fines for Unsecured Virtual Infrastructure

 

Bad actors are launching a new type of attack campaign called “ransomhacking” that threatens to expose companies to regulatory fines for improperly securing their virtual infrastructure.

Security firm TAD Group detected the operation targeting medium- and large-sized Bulgarian companies in late-June 2018. Those businesses each received an email in which attackers threatened to publish their corporate databases containing personal information to a public server. In so doing, the malefactors said they were prepared to publicly demonstrate that the companies had not taken adequate steps to properly defend their customers’ data.

What makes this attack so consequential is not the use of crypto-ransomware, a category of malware which encrypts victims’ files and demands a ransom payment in exchange for the decryption key. It’s the possible threat of punitive fines facing companies for implementing weak security measures. These companies could incur such penalties for breaching frameworks like the European Union’s General Data Protection Regulation (GDPR) and Australia’s Notifiable Data Breaches scheme. These penalizations aren’t inconsequential. Under GDPR, non-compliant companies face fines amounting to 20 million Euros or four percent of annual global turnover, whichever is higher.

It’s unclear whether those behind the “ransomhacking” attacks offered evidence of their unauthorized access to victimized companies’ databases or whether they were just making empty threats. What is clear, however, is that these individuals offered businesses a choice: risk the imposition of regulatory fines or pay a ransom. The attackers’ demands ranged in value from $1,000 to $20,000.

According to TAD Group, the companies did everything required of them by the Commission for Personal Data Protection (CPDP), Bulgaria’s data protection authority, to safeguard their internal databases. But they reportedly did not take all the necessary steps to properly bolster the security of their web-accessible infrastructure.

Ivan Todorov, founder of TAD Group, explains companies can’t afford such oversights in the age of GDPR. As quoted by HackRead:

The cybersecurity as a whole is ever changing – if a system is not prone to successful attacks today, this does not necessarily mean that it will not be vulnerable in a month’s time. New vulnerabilities and exploits that lead to information leaks are emerging every day. This is why the more often these tests are performed, the more secure companies can feel.

In Todorov’s estimation, companies can best protect their infrastructure accessible from the Internet by conducting penetration tests at least twice a year.

That’s not all companies should do. First, organizations should make sure their employees know their obligations as well as the obligations of the business under GDPR and other relevant data protection standards. They should therefore look into investing in GDPR compliance training for their entire workforce.

Second, businesses should endeavor to make scammers’ lives as difficult as possible. That includes not falling for a simple scam email and empowering employees to report suspicious emails so that they can help security teams investigate potential security issues before they evolve into major security incidents. Ongoing security awareness training for all employees can help build this line of defense in the organization.