Ransomware: It’s time to bring cybersecurity audits up to GDPR status
Cybersecurity standards should be treated in the same way as legislative data protection rules in response to cyberattacks including ransomware incidents, a security expert has proposed.
Ransomware has transitioned from a thorn in the side of individuals and a nebulous concern against organizations to a real, and frequent, threat that can result in catastrophic damage to corporate networks, the loss of client records, and the potential leak of confidential corporate information.
Ransomware variants include WannaCry, Petya, Ryuk, and GandCrab — but there are many, many others. Once a computer system has been compromised, this form of malicious code encrypts disks and files and demands a ransom payment in return for a decryption key.
According to Check Point, the number of daily ransomware attacks worldwide has increased by half over the past three months — close to doubling in the United States alone — as threat actors take advantage of the operational disruption and rapid shift to home working caused by COVID-19.
Ezat Dayeh, Senior Engineer Manager UK&I at Cohesity, told ZDNet in an interview that the company has seen a recent and “dramatic” increase in the volumes of ransomware incidents.
As more people are working from home due to COVID-19, this may have introduced new risk factors — but the increasing sophistication of such attacks is of concern, too.
“When we think about two or three years ago, when people were hit with ransomware, nine out of ten times they would basically say, ‘it’s definitely impacted production, we’ve got issues, but we can go back to our backups,’ and worst-case scenario, we will just do a restore,” Dayeh said. “But now, with that sophistication, the bad guys know this. Ransomware can come into a network [and] it won’t do anything but it will start looking around and see what it can access on the network.”
After this period of reconnaissance, malware operators are now more likely to head straight to backups. If these can be successfully encrypted before IT administrators are alerted to an infection, this takes away the safety net and cyberattackers are more likely to succeed in their demands for payment.
The problem is, few ransomware victims choose to go to the police, and some organizations will simply pay up to brush the incident under the carpet, according to Europol.
The more victims pay up, the more lucrative the criminal enterprise, and the ransomware industry then continues to gain traction as more threat actors adopt these forms of attack.
Combine underreporting, submission to blackmail, and the fueling of a criminal industry, and you have a problem. This challenge was recently raised by the US Treasury’s Office of Foreign Assets Control (OFAC), which published guidelines (PDF) on cases where paying a ransom could violate US sanctions.
“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations,” the department says.
In cases where a “sanctions nexus” — a transaction between a US entity and a banned group, such as high-profile ransomware operators — may take place, OFAC says that the department must be contacted first.
However, few companies may be willing to reveal a ransomware incident, and with this in mind, OFAC has sweetened the pot by promising that those who come forward will be looked upon “favorably” even if paying a ransom does violate sanctions.
One of the issues with these guidelines, Dayeh says, is that pushing the agenda of a company committing a criminal offense when they pay up in order to save their business could inadvertently encourage them to remain silent when a cyberattack occurs — and it may also penalize smaller companies that can’t absorb the cost of remedying a ransomware attack that destroys all of their data.
In other words, a company may either pay up, salvage its operations, and potentially face criminal charges, or wind down the business.
“I can see the rationale behind it because we don’t want to encourage these bad actors,” the executive commented. “If people are paying them, it’s easy money.”
One solution, however, may be to go back to basics and “level the playing field,” Dayeh says, by enforcing security audits along the lines of how the EU’s General Data Protection Regulation (GDPR) treats data controllers.
“Everything needs to be audited,” Dayeh added. “You need to be audited to find out all you’re able. Because at least it gives the company a fighting chance and it gives them the ability to think about how they go to address problems. And if they still don’t address it, and they’ve been told ‘you are vulnerable,’ then this should go all the way — in my mind — to the CEO.”
GDPR attempts to treat organizations and data controllers on an even playing field, and failures come with the possibility of fines based on a firm’s annual turnover.
If security audits were handled in the same way, with rules for everyone to try and follow, this could promote a better basic cybersecurity standard as well as awareness of how organizations are expected to maintain a reasonable security posture — especially important at a time when potentially devastating attacks, including ransomware, are on the rise.
“We should come out with at least some sort of guideline for people to follow; tick these boxes and you should be alright,” Dayeh said. “But to leave it to the market and let businesses get on with it on their own [can be] dangerous.”