Morphisec Cybersecurity Blog

Is GDPR Making Ransomware Worse?

Written by Matthew Delman | August 11, 2021 at 1:00 PM

As a landmark piece of legislation, the General Data Protection Regulation (GDPR) was undoubtedly created with the safety and privacy of European consumers’ personal data in mind. However, while certainly designed with good intentions, the GDPR, which applies to every organization that deals with EU citizens’ data, could be hurting consumers in another way. GDPR may be making it easier for ransomware operators to do business. 

Although a data breach does not automatically mean that an affected organization is in violation of GDPR, a breach caused by inadequate IT security could, and often does, result in a victimized company being held accountable.

For example, in 2020, British Airways was fined £20 million for “poor security arrangements” that made it possible for cybercriminals to exfiltrate data belonging to around 500,000 customers. In this case, British Airways got off easy: the initial fine proposed was £183 million. 

With penalties of a minimum of €20 million, falling foul of what is still the strictest data law in the world is not an option for most businesses. This is not lost on cybercriminals. Although data privacy experts and lawyers alike puzzled over the question of whether or not a ransomware attack would qualify as a “data breach,” today the answer is painfully clear. Threatened with double extortion, businesses held to ransom have little choice: they can either pay their extortionists or pay data protection authorities.

Double Extortion Ransomware Is the New Normal

In 2020, more than 1,000 companies saw their sensitive information revealed online after they refused to pay a ransom. Behind this growing wave of information exposure is a new cybercriminal tactic known as “double extortion”.

These types of attacks, where hackers also exfiltrate data before encrypting it, are popular because they increase the likelihood that a victim will pay the ransom demanded of them. The reason is that, even if the organization under attack has backup files, cybercriminals can threaten to leak, sell, or auction off the exfiltrated data if payment is not made. Caught between a rock and a hard place, victimized organizations can come to see paying the ransom as the only way out.

As a way of ensuring adversaries profit, double extortion attacks are proliferating. In 2020, 15 different ransomware families used double extortion compared to just 1 in 2019. Moreover, almost half of all ransomware families discovered in 2020 used this attack method. With threat actors focusing on extortion as a primary ransomware approach and encryption potentially falling by the wayside, double extortion is predicted to be a defining trend in 2021, too.

GDPR Puts an Extra Squeeze on Extortion Efforts

Although the rise of double extortion is a global problem, European businesses that come under GDPR and face non-compliance fines for allowing data to be exposed are a particularly ripe target for extortion-minded cybercriminals.

As a result, GDPR is paradoxically becoming a tool for financially motivated threat groups. For example, last year, when cybercriminals came across unsecured MongoDB databases online, they not only threatened to leak the data found but also to directly report impacted companies to the appropriate authorities if they did not pay up. “Under the rules of the law, you face a heavy fine or arrest,” read part of their ransom note, warning that the companies contacted had 48 hours to transfer a bitcoin-denominated ransom to the threat actors’ accounts.

In cases like these, paying a ransom can be an obvious choice for victims. Considering that non-compliance can result in substantial fines — up to €20 million for severe violations or 4% of their global turnover, whichever is greater — that is understandable. Ironically, as GDPR fines and regulators’ power grow further, Europol’s advice of not paying attackers a ransom is becoming more difficult to follow. 

In a 2018 survey, almost half of UK IT directors said they would “definitely” pay a ransom to cybercriminals to avoid having to report a data breach under GDPR, while 30% said they would “probably” pay if the ransom was lower than the potential fine — which it often is. Accordingly, GDPR fines have the unintended consequence of giving hackers a benchmark for ransom demands. With GDPR forming a handy pricing guide, cybercriminals can calculate the possible penalty an organization would pay under the data privacy law and then set their ransom demand slightly lower.

Paying a Ransom Is Not a Solution, Proactive Defense Is

Unfortunately for victimized organizations, ransoms are not a way out either. Keeping quiet and giving in to cybercriminals’ demands does not necessarily mean that a ransomware attack will go away. 

In many cases, threat actors still publicize stolen data, either purposely or accidentally, after successfully blackmailing a company. For example, the ransomware groups Netwalker and Mespinoza have, in the past, posted confidential data publicly even though they received ransom payments from the organizations they hacked. Re-extortion is also regrettably common. 

Case in point: the ransomware group Sodinokibi is known to threaten victims with exposing the same data weeks after they pay the initial ransom. More recently, there have been reports of rogue criminals that have supposedly broken away from ransomware groups getting in touch with the extorted company and threatening to leak the information they have already paid to keep safe. 

In some countries, paying a ransom may also be against the law. In the U.K., under the Terrorism Act 2000, payers could be prosecuted if it turned out that the payee had links to terrorism. Even if paying off cybercriminals does not break any laws, keeping an attack under wraps is still a mistake and could come back to haunt a business in the future.

This is exactly what happened to Uber after it paid cybercriminals $100,000 to keep quiet about a breach that exposed the personal information of 570,000 accounts. When the incident inevitably came to light, Uber’s CSO was fired, and the company had to pay a $148 million fine in the US and a £385,000 penalty in Europe.

Consequently, rather than relying on ransom payments, organizations need to make sure that an attack does not happen in the first place. A preventative cybersecurity strategy that leverages deterministic solutions like Morphisec Guard alongside a refreshed approach to network security is, therefore, a must. Being hit with a ransomware attack can make organizations feel trapped, but with proactive defense, that doesn’t need to be the case.