A New Form of Ransomware
The British shipping company Clarksons was hacked and decided not to pay the ransom. So far, nothing new. No ransom, no data.
Well, maybe, they had backups that they could restore – and thumb their nose at the hackers.
I think this is becoming a bigger problem for hackers. As a result, hackers are changing tactics.
There are still plenty of vanilla ransomware attacks that want your money in exchange for the encryption key.
But now there are many that say that if you don’t pay up we are going to publish what we hacked.
There is a very important distinction between these two types of attacks. In the traditional attack, it is presumed (but not known) that the hackers did not steal your data – that they did not make a copy of it and upload it somewhere. In this attack, in order for it to work, the hacker had to steal the data. ONE THING THIS MEANS IS THAT, UNLESS YOU CAN PROVE THE HACKERS ARE LYING, YOU LIKELY HAD A REPORTABLE BREACH IF YOU ARE IN AN INDUSTRY OR STATE THAT REQUIRES YOU TO REPORT BREACHES. I don’t even play a lawyer on the Internet, but I think you are going to be hard-pressed to convince regulators that your data was not compromised.
This concept is not far-fetched; in fact, hackers have done this (recently) before. For this type of attack, whether you have backups or not doesn’t really matter. What matters is what the consequences are of this data being made public.
In this case, Clarksons has said that they are not paying the ransom and expect the data to be made public.
Of course, we have no way of knowing IF the attackers will really expose the data (I guess we could call that a revenge-release), and Clarksons has been very tight-lipped about what was taken and how much was taken.
What they have said is to be prepared for stuff to be released.
So, I guess, we wait. And see. Stay tuned.
For the rest of us, we have a new cyber security worry. Making backups and having a disaster recovery plan won’t help with this one. The only way to protect yourself from this one is to keep the bad guys out.
One other thought. Data that doesn’t exist can’t be hacked, so it is useful to consider the trade-off between keeping data that might, some day, maybe, be useful to someone and the risk of that data being hacked. This is not always an easy decision, but one that needs to be made.
A corollary to this is that we may need this data for legal or archival reasons, but does it need to be available, online, to all employees? An example of this might be a mortgage company. They may need to keep the loan package for all closed and declined loans for seven years, but what if those loans are stored on a disk? In a bank vault? It could be difficult to hack. Just saying.
Information for this post came from The Register.