Ransomware Attacks Are Now Being Reported as Data Breaches
Ransomware victims are now starting to report ransomware attacks as data breaches.
Health care company Magellan Health is one of the companies that recently acknowledged that ransomware attack constitutes data breach. In May of this year, Magellan Health filed a breach notification with the office of the Attorney General of California stating that it fell victim to a ransomware attack and attackers exfiltrated a subset of data from a single Magellan corporate server. Magellan Health’s notification to its customers and employees states that the notification was done “out of an abundance of caution.”
In April of this year, Cognizant, one of the Fortune 500 companies, admitted that its internal systems fell victim to Maze ransomware which caused service disruptions. Cognizant said, “We are in ongoing communication with our clients and have provided them with Indicators of Compromise (IOCs) and other technical information of a defensive nature.”
In January and February of this year, RailWorks Corporation filed three data breach notifications with California’s Office of the Attorney General. In the notification to its current and former employees, the company said, “RailWorks was the victim of a sophisticated cyberattack in which an unauthorized third party encrypted its servers and systems, which may have involved access to your name, address, Social Security number, date of birth and date of hire/termination and/or retirement.”
The acknowledgment on the part of the ransomware victims that this type of cyberattack is a data breach is important as this allows ransomware victims to notify their employees, customers and other individuals or organizations affected by the data breach. Non-recognition of ransomware as a data breach puts employees and customers data at risk of identity theft and financial ruins.
Ransomware vs. Data Breach
In the past, ransomware and data breach were treated differently.Ransomware is a type of malicious software (malware) that encrypts victims’ computer files and demanding from victims ransom payment in exchange for the decryption keys. In data encryption, plain text data is converted into secret code that can only be accessed using a decryption key.
Data breach, meanwhile, refers to a cyber incident in which data is stolen or taken from the victim’s system without the authorization or knowledge of the owner of the system. For years, most ransomware victims assume that ransomware doesn’t involve data breach.
While there had been reports in the past about stealing of data in ransomware cases, there had been no public admission about data theft in ransomware cases as these had been kept as a secret between the attackers and the victims themselves. To date, almost all ransomware groups admit to stealing victims’ data prior to encryption.
Most of today’s ransomware groups use the 2-stage ransom demand. They first demand from victims ransom after encrypting victims’ computer files. In the event victims refuse to pay ransom afterencryption, most of today’s ransomware groups threaten victims that the continued non-payment of ransom will result in the publication of the stolen data gathered from the victims’ systems prior to encryption.
The ransomware called “Maze” made popular the 2-stage ransom demand and others followed. Maze ransomware made the publication extortion central to their ransomware campaigns. The publication threat exposes the fact that ransomware attackers don’t merely encrypt files, they also steal them.
The recent attempt of the ransomware called “REvil” to auction in an eBay-like style the stolen data from ransomware victims who continue to refuse to pay ransom is another indicator that ransomware attackers steal data prior to encryption.
In the blog post “Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk”, Microsoft Threat Protection Intelligence Team said that “while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.”
How to Prevent and Mitigate the Effects of Ransomware Attacks
Below are some of the preventive and mitigating measures against ransomware attacks:
- Backup
Having a sound backup system is one of the preventive measures in shying away from paying ransom to ransomware attackers. Having a good backup, however, isn’t enough to protect your organization from publication extortion. In addition to a sound backup, security solution should also focus on preventing attackers from entering your organization’s network.
- Keep All Software Up to Date
It’s important to keep all your organization’s software up to date. For instance, the group behind REvil ransomware has been known to exploit unpatched Citrix devices to initially gain access to corporate networks and later install the group’s ransomware. Citrix products are used for connecting to corporate servers and workstations.
As early as January of this year, the Canadian Centre for Cyber Securityhas warned organizations in Canada to disconnect from the internet Citrix devices that are vulnerable to security vulnerability designated as CVE-2019-19781 – a security vulnerability that allows an attacker to gain direct access to an organization’s local network from the internet. Even as Citrix has already released a security update fixing this vulnerability, some organizations have delayed the application of this update, giving attackers an opening into their victims’ networks.
Similar to the group behind REvil ransomware, the group behind Maze ransomware has been known to exploit unpatched systems, in particular, Pulse VPN devices vulnerable to CVE-2019-11510 – a security vulnerability in Pulse VPN devices that allows an unauthenticated remote attacker to perform an arbitrary file reading vulnerability.
It’s important to keep all software up to date specifically software programs that act as middleware between your organization and remote workers such as Citrix and Pulse VPN devices as attackers are quick to exploit unpatched devices.
Ransomware p[resents a real challenge and very real operating and budget pressures, let alone business interruptions resulting in customer dissatisfaction and loss of business. For many organizations it presents a very significant reputational risk.
At GenX, we haveyears of experience mitigating ransomware infection risks and have helped many companies recover within hours, not days or months. Call us today at (416) 920-3000 or email sales@genx.ca to learn how you can get the necessary protection right now, and on-budget.