Ransomhack - a new scheme for blackmailing business owners
On 25 May 2018, the European Union's General Data Protection Regulation (GDPR), which aims to strengthen the protection of personal data, came into force. Its arrival also gave rise to a new method of blackmail.
Business owners report being targeted by a variant of ransomware attack in which personal data belonging to their users or customers is stolen and a ransom is demanded for its return. This time the cybercriminals do not encrypt the data so that it is unusable until paid for; instead, they threaten to disclose the private information to the public.
The attackers threaten to publish the entire contents of the database, including the personal data records it holds, on a public server, which, under the regulation, exposes the company to a heavy fine.
The victims are medium and large Bulgarian companies, which are asked to pay a ransom in cryptocurrency, chosen because it is hard to trace. The ransoms range from $1,000 to $20,000, while the fines envisaged by the new EU regulation go up to 20 million euros or 4% of the company's global annual turnover for the previous financial year, whichever is higher. This type of attack has come to be called "ransomhack".
According to credible sources, the attacked companies had adopted GDPR measures by drawing up policies for the storage and security of personal data in their offices, but had not conducted information security tests to verify whether they were actually susceptible to attack by cybercriminals. In other words, they did what was necessary to achieve compliance with the requirements of the Commission for Personal Data Protection, but most did not consider securing their Internet-facing infrastructure. The view of companies offering cybersecurity services is that the only way to achieve a higher level of protection against cyberattacks is to carry out information security tests, better known as penetration tests.
These tests simulate targeted cyberattacks, except that they are carried out not with criminal intent but deliberately, with the explicit permission of the client and in accordance with the client's specific needs. The goal is to use the methods and techniques employed by malicious third parties in order to find security vulnerabilities and fix them before an attacker does.
Cybersecurity is constantly changing: if a system cannot be successfully attacked today, that does not necessarily mean it will not be vulnerable a month from now. New vulnerabilities and exploits that lead to information leaks emerge every day. This is why the more often such tests are performed, the more confident a company can be in its security.
As security breaches are often the result of human error, companies would also benefit from so-called social engineering tests. These are a set of tests carried out against employees working at the company's headquarters and offices, usually by phone or e-mail and without the employees' knowledge. A wide variety of techniques are used to persuade employees to disclose sensitive or confidential business information to people who should not otherwise have access to it.
Companies that have become victims of a cybercrime are obliged to notify the supervisory authority within 72 hours of becoming aware of the data breach. For Bulgaria the supervisory authority is the Commission for Personal Data Protection, which assesses what sanctions to impose after a breach occurs. If a company fails to notify the regulator in time, sanctions will certainly be imposed, and they will be harsher.