Ransomware has long been a scourge. Since at least 2012, ransomware has grown dramatically. Ransoms have increased — the average ransom payout is now more than $40,000. Organizations most hit are public sector, software services, professional services, and healthcare. Healthcare, in particular, is a soft target because of the need to get systems back and running quickly. According to a McAfee report, ransomware attacks more than doubled in 2019. An FBI warning from fall 2019 didn’t indicate an increase in the number of attacks but did show an increase in the targeting and severity of the attacks: “Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent. Since early 2018, the incidence of broad, indiscriminant ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information.”
For a long time, a debate has raged about whether to pay the ransom. Some argue that the ransom should never be paid, but organizations facing the loss of their data might not have much of a choice. But if organizations back up their data, then they can they can avoid paying the ransoms and restore their data. But now there’s a new development in ransomware that is particularly troubling and that makes paying the ransoms a necessity even when data is backed up. Ransomware groups are now threatening to release an organization’s data online if the ransom isn’t paid.
This year, five law firms were hit with Maze Ransomware. Instead of just encrypting the data, the ransomware group exfiltrated it first and then posted a small amount of it online. The group threatened to post the remainder of the data online unless the ransom was paid. According to one article: “Recent reports have shown the hacking group behind Maze ransomware has been steadily posting the data of its victims online after the organizations fail to pay the ransom demand. A compiled list of victims shows the data of several healthcare organizations are included in those postings, despite a lack of public reporting of those incidents.”
The extortion isn’t just limited to the breached organizations anymore. After one facial reconstruction practice was hacked, “[p]atients actually reported receiving extortion demands from the hackers after the provider refused to pay the ransom to release the medical data they stole during the cyberattack.”
If organizations don’t pay, they risk exposing the personal data of their customers, patients, or clients – or having these people extorted. Imagine a hospital — can it refuse to pay the ransom and risk exposure of their patients’ health information? Imagine a law firm with sensitive client information – can they not pay the ransom and let the information be posted online?
Once the ransom is paid, there’s no guarantee that the ransomware group will stop its blackmail. As long as the group has the data, the threat of blackmail remains – for the organizations as well as for the people whose data is involved.
Maze Ransomware emerged in November 2019, and is currently on the prowl, and other groups have started to use this practice of threatening the privacy of personal data. These developments have prompted an FBI warning. Ransomware now has a new terrifying dimension.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
TeachPrivacy Vignette on Ransomware
A Large Library of Data Security
NEWSLETTER: Subscribe to Professor Solove’s free newsletter
TWITTER: Follow Professor Solove on Twitter.