The threats from ransomware cyber attacks have become more costly and take up a sizable portion of malware incidents. According to IBM’s Cost of a data breach report, the average cost of a ransomware breach is $4.44m, and according to the Verizon Data breach investigations report, ransomware makes up 27% of malware incidents.
Part of the reason for this large percentage and share of incidents is that ransomware attacks that target privacy data come with multiple threats.
The first threat is that the data has been encrypted and computer operations do not know how to decrypt it.
The second threat is that before announcing the event on your organisation’s network, the attackers also encrypted all the backups because they have been in the network infrastructure for some time and have determined where the backups are.
The third threat is that prior to the announcement and encrypting the data, they made a copy for themselves. They did this so they could blackmail the targeted organisation with the threat of exposing the data, with privacy data the biggest concern. This last threat is known as doxing.
A fourth threat is that they will return because their malware is deeply embedded and hidden in your network, and a final threat is that if you pay you are on a list of sources of “revenue.” With these multiple threats, there comes a higher likelihood of payment.
What can be done about ransomware, and in particular, doxing? To address this multi-threat we need to break it down into components.
The first component is the data type. Although personal data is the primary concern of this article, it is by no means the only type of targeted data that can be used to blackmail the organisation. Corporate secrets, proprietary software and ISACA Journal designs, as well as financial data are some other examples. For an understanding of the seven categories of privacy data, refer to the article Privacy – key ingredients to information privacy planning.
A second component is understanding data loss prevention (DLP), which includes the topics of where the data is located, data types of risk and what can be done about data loss.
A third component is ransomware itself. A definition of ransomware, an explanation of cyber insurance, response options, and safeguards and countermeasures can be found in the ISACA Journal article Ransomware response, safeguards and countermeasures.
Prevention is another key component and it consists of many subcomponents, including practising cyber hygiene, implementing information security and privacy awareness, identifying the signs of a ransomware attack and partnering with security companies.
The means of intrusion also should be taken into account. Cyber intrusions can be accomplished by malicious email (via social engineering), wireless devices (due to software vulnerabilities), and the internet of things (IoT), which are all growing threats because some don’t have malware prevention techniques built into them.
In my blog post on responding to and protecting against ransomware, I provide advice specific to school systems, but I would like to add the following advice to address doxing.
First, his threat can be applied to a majority of businesses and organisations because all acquire personal and privacy-related data when people complete employment applications, so don’t ignore the threat.
Second, be aware that software vulnerabilities exist in almost all software including those that provide a virtual private network (VPN) connection and those not included in your patch management program. Vigilance for zero-day attacks and quick responses are critical components to a defense-in-depth cyber protection program. Using this information should help in your quest of preventing a ransomware event.