It’s pretty shameful that in the current crisis we’re seeing ransomware on the rise. It’s even more shameful that organisations involved in fighting the virus seem to be especially at risk. Last year ransomware targeted healthcare more than any other industry, accounting for 29% of total ransomware attacks, according to Beazley’s 2020 Breach Briefing report. Recent events suggest that attacks are up as the COVID-19 virus spreads, with criminals working on the theory that an organisation desperate to unlock its data is now more likely to pay.
What techniques are hackers using?
A ransomware attack uses malware that encrypts or otherwise restricts access to computers, systems or data by exploiting system vulnerabilities. The attackers demand that the victim pays money (usually in cryptocurrency such as Bitcoin) to receive the decryption key or recover access.
The main ways that a ransomware ‘payload’ can enter an organisation’s network are via:
- an attachment to an email (usually framed as something important or “urgent”);
- remote access and remote control applications; or
- removable media and personally owned devices.
The criminals usually exploit a vulnerability in the operating system or other installed software, which then starts the encryption process.
What’s the worst that can happen?
The impact of a ransomware attack can be severe and far-reaching. For the corporate victim, it can mean business disruption, financial loss and reputational damage.
For those whose data has been compromised, this could mean that critical data is rendered inaccessible or disclosed to unauthorised people – in some cases this could include sensitive data.
In terms of data protection law impact, GDPR imposes key requirements relating to security. Controllers must take appropriate technical and organisational measures (TOMs) to keep personal data secure against loss or destruction.
Where a ransomware attack means that an organisation is unable to restore compromised data, this could constitute a breach of GDPR on the basis that appropriate measures have not been taken to keep the data secure.
If a personal data breach has occurred, this will need to be reported by the controller organisation to the relevant data protection regulator(s) (in the U.K. the Information Commissioner’s Office (ICO)) within 72 hours, unless the personal data breach is unlikely to result in a risk to individuals. If the personal data breach is likely to result in a high risk to individuals, the controller needs to also communicate the breach to individuals whose data has been compromised without undue delay.
It is possible that the incident may not amount to a reportable personal data breach if:
- a working copy of the data can be restored from back-ups, then the loss of data may not be permanent; and / or
- it can be established that the data being held ransom has not been accessed or misused.
We know that a number of organisations who have suffered a ransomware attack have argued that, because the data has not left their systems, no data breach has occurred. That’s unlikely to be correct. There’s detailed guidance on this at an EU level. Individual data protection authorities have issued guidance too; for example, the ICO’s guidance says that even if it can restore data from back-up an organisation “would still need to look at the circumstances of the case to determine whether or not there were appropriate measures in place which could have prevented the attack from succeeding”.
Organisations that fail to meet their security obligations under the GDPR face high fines as follows:
| GDPR Provision | Requirement | Maximum Fines |
|---|---|---|
| Article 5(1)(f) | For not ensuring that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). | The higher of €20,000,000 and up to 4% of the total worldwide annual turnover of the preceding financial year |
| Article 32 | For not implementing appropriate TOMs to ensure a level of security appropriate to the risk, including as appropriate: | The higher of €10,000,000 and up to 2% of the total worldwide annual turnover of the preceding financial year |
Fines and other enforcement action can also be incurred for failing to report a personal data breach and not fully cooperating with the data protection regulator. If the breach has a cross-border impact, this could potentially mean fines from multiple regulators in different jurisdictions.
What are some examples of recent ransomware attacks?
In May 2017, the world was gripped by the “WannaCry” ransomware attack, which encrypted files on infected machines unless the victim paid a $300 million ransom. The NHS in the UK was hit particularly hard because it had not upgraded to the most recent versions of the Windows operating system. The press reported that the attack is estimated to have cost the NHS £92 million.
In March 2019, aluminium producer Norsk Hydro’s systems were infected with the LockerGoga ransomware, resulting in a drop in productivity at the organisation’s 171 sites. The company’s financial reports stated that the ransomware attack resulted in a drop in profits of 82%. The company has spent an estimated £60 million on restoring data from recent back-ups, which it luckily had – not all companies do.
In a series of sophisticated attacks spanning from mid-2019 to early 2020, hacker group Maze has reportedly exfiltrated a range of organisations’ data before locking victims out of their networks. If a victim does not pay the Bitcoin ransom (up to millions of dollars’ worth in some cases), the group posts the victim’s name and sensitive data relating to them on its website. Its victims have included law firms and companies in various other industries, mainly US-based but also French firm Bouygues Construction. The FBI is investigating. Just this week it was reported that Maze had published personal and medical details of thousands of former patients of a London-based medical research company after a failed attack. It was said that this organisation was on standby to carry out trials of a possible future vaccine for COVID-19.
Redcar and Cleveland Borough Council
Last month the Council reportedly experienced a security incident targeting its website and affecting 135,000 people when its appointment bookings, planning documents, social care advice and council housing complaints systems were taken offline. The Council has disclosed that its systems are being rebuilt and that it is being assisted by the National Cyber Security Centre (NCSC), prompting speculation that ransomware is involved (as restoring data is the main alternative to negotiating with criminals). The ICO has said the Council self-reported. Any action to be taken by the regulator remains to be seen.
On 31 December 2019 Travelex’s systems were reportedly brought down by a ransomware attack thought to have been carried out using similar techniques to the Maze attacks mentioned above. Interestingly, the ICO has said that, whilst it is advising Travelex on the data breach, the company has not reported the breach to the ICO. In a statement, the company has said that there was “still no evidence to date that any data has been exfiltrated”.
How can you prepare to be in the best position to manage such attacks?
Each attack will be different, but there are many things that organisations can do to harden their defences, including:
- Making sure your systems are fit for purpose. In our earlier alert on the data protection aspects of COVID-19 we looked at some measures to take now that home working is on the increase. You can read that alert here www.bit.ly/gdrpvirus
- For remote access and remote control applications, using strong credentials and two-factor authentication where possible, and ensuring the application itself is kept up to date.
- Using anti-malware and antivirus software tools and services, and blacklisting malicious websites.
- Routinely applying software patches – and doing that quickly.
- Backing up critical data and encrypting this.
- Only having a core group of administrators and implementing appropriate access controls and user privileges. You should regularly review those privileges too and change them when an employee leaves the organisation or moves role.
- Segmenting the network so that damage suffered in an attack is contained.
- Managing data import and export by scanning for malicious content.
- Regularly removing or disabling redundant software.
- Only using supported operating systems and other software wherever possible.
- Developing and maintaining an incident response plan.
- Developing and implementing anti-malware policies and standards and regularly reviewing these to take into account emerging threats and organisational changes.
- Training employees and raising awareness about ransomware and other cyber threats, such as how to identify phishing emails and suspect sites, not connecting unapproved removable media or personally owned devices to the corporate network, and how to report a security incident. As we’ve said before, some anti-phishing training is simply not fit for purpose. Make sure that your training reflects current, not historic, risks and forms of attack.
- Running simulated ransomware attacks / testing.
The National Cyber Security Centre (NCSC) has published a page on malware in its “10 Steps to Cyber Security” series: https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps/malware-prevention
What damage control can you do once you’ve been attacked?
You should follow your incident response and business continuity plans. If an attack has already happened, the FBI recommends the following mitigation steps (amongst other measures):
- Executing a network-wide password reset;
- Scanning system back-ups for registry persistence;
- Scanning system back-ups for other malware infections, particularly IcedID banking Trojan, Trickbot, and/or Emotet;
- Auditing logs for unexpected network traffic and mitigating as necessary.
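As an added illustration of the second step above (scanning back-ups for registry persistence), the script below is not from the original alert or the FBI guidance: it parses a Windows .reg export (for example, one taken from a backup image before that image is restored) and flags Run/RunOnce autostart entries that launch from user-writable directories or through a script host. The sample export, the directory list and the list of script hosts are constructed heuristics, not an authoritative rule set.

```python
import re
from typing import Dict, List

# Constructed sample .reg export: one benign entry, two that warrant review,
# and one non-autorun key that the scanner should ignore.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"OneDriveSetup"="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="wscript.exe //B C:\\ProgramData\\svc.vbs"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes]
"CurrentTheme"="C:\\Windows\\resources\\Themes\\aero.theme"
"""

AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
# Assumed heuristics: locations any user can write to, and hosts that run scripts.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SCRIPT_HOSTS = ("powershell", "wscript", "cscript", "mshta", "rundll32", "regsvr32", "cmd.exe")

_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)"|.*)$')


def _unescape(s: str) -> str:
    # .reg files write \ as \\ and " as \"; drop the escaping backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: string_data}}.
    Non-string values (dword:, hex:) are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m and m.group(2) is not None:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def scan_reg_export(text: str) -> List[Dict[str, str]]:
    """Return autorun entries whose command looks out of place for a clean build."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(AUTORUN_SUFFIXES):
            continue
        for name, cmd in values.items():
            lowered = cmd.lower()
            reasons = []
            if any(d in lowered for d in USER_WRITABLE):
                reasons.append("runs from a user-writable directory")
            if any(h in lowered for h in SCRIPT_HOSTS):
                reasons.append("launches via a script host")
            if reasons:
                findings.append({"key": key, "name": name, "command": cmd,
                                 "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']}: {f['command']}  [{f['reason']}]")
```

Entries flagged this way are leads for review, not proof of compromise; compare them against a known-good build before deciding what to remove from the backup.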
You are likely to need specialist help.
You should consider extremely carefully whether a ransom demand should be met. Even if the ransom is paid, there is no guarantee that the attacker will hand over the key, and paying will spur the attackers on to attack more organisations if they think that no one will stop them. There is at least anecdotal evidence that those who pay ransoms are more likely to be hit again. Some police forces advise you never to pay a ransom.
These are challenging times and organisations currently have to balance multiple priorities. The threat is real, however, and organisations should do what they can to become more resilient given the rise in attacks.
There is more information on ransomware in different languages here https://www.nomoreransom.org/en/index.html
For more information please contact Katherine Eyres, Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785
Katherine Eyres, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)20 7075 1786