Mar 23, 2022

Cybersecurity Legal and Compliance Focus: State of Ransomware

There is a vast digital crime wave being unleashed against public and private sector organizations around the world. The rise of crimeware (software built to commit or facilitate crime) is so significant that analysts predict the global cost of cybercrime could reach $10.5 trillion a year as soon as 2025. Ransomware in particular has enjoyed a renaissance: Cring, REvil, Ryuk, Maze, and Conti all make international headlines and are tied to high-profile attacks on market-leading companies worldwide. The REvil attack on Taiwanese computer maker Acer was widely reported as carrying the largest ransom demand seen to that point: $50 million to undo its effects. Ransomware is on the rise, and your organization needs to respond: 
  • Ransomware threat actors launch roughly 4,000 attacks a day.
  • Only 0.03% of all emails scanned by filtering systems are identified as carrying ransomware; the small fraction that gets through is enough.
  • In aggregate, companies are estimated to pay around $250,000 a day in ransom demands, but the ransom is only part of the bill: the average total cost of an attack is $732,520 when the demand is not paid and $1,448,458 when it is, because paying does not remove the recovery, downtime, and investigation costs. 
  • The average downtime following a ransomware attack is about 19 days, even though the attackers themselves often move from initial access to encryption much, much faster. 
  • In 2019, 19 new ransomware variants were discovered; the first quarter of 2021 alone produced 16 new types.
  • Every 11 seconds, another business is hit with a ransomware attack.
  • For 2021, the estimated global cost of resolving ransomware attacks stands at $20 billion.
For better or worse, ransomware is here to stay. Cybersecurity professionals need to work more actively with legal advisory and compliance teams so that best practices for safeguarding data are followed and losses are contained if an attack hits the organization. In this piece, we examine the state of ransomware in 2021 and provide actionable insights on how legal and compliance teams can work alongside infosec professionals to counter the devastating effects of cybercrime.

Ransomware, Data Breaches, Information Security and Your Organization

In 1989, the world endured a crimeware first when the AIDS Trojan (also known as PC Cyborg) was mailed by Harvard-trained evolutionary biologist Joseph L. Popp to attendees of the World Health Organization's International AIDS Conference. The roughly 20,000 floppy disks, labeled "AIDS Information – Introductory Diskettes", scrambled the file names on a victim's hard drive after a set number of reboots and demanded a $189 "license" payment be sent to a PO Box set up in Panama. As hard as it may be to believe for those newer to information security, a modern ransomware attack works on the same principle. Consider Cring, one of the more recent crypto-ransomware families. Its operators gain a foothold in the victim's network, spread to the systems they care about, and then deliver the finale: the data is encrypted and a note demands two bitcoins be paid to a specific wallet address, failing which the files can never be recovered. Any sensitive data taken along the way may also be sold or leaked to other enterprising criminals. In 2020 alone, the world was rocked by the following high-profile ransomware attacks: 
  • ISS World: In February 2020, Danish facilities management company ISS World was hit with a $74 million demand to restore access to vital employee and operational data. 
  • Cognizant: In April 2020, IT services provider Cognizant suffered a ransomware attack estimated to cost the company between $50 and $70 million. 
  • Sopra Steria: In October 2020, Sopra Steria was hit by Ryuk ransomware at an estimated cost of at least $50 million. 
This year, in 2021, ransomware has seen a dramatic uptick as criminal organizations and state and non-state threat actors have taken advantage of the chaos and uncertainty caused by the pandemic and its lockdowns. With so many companies struggling under new market conditions, criminals have found the perfect opportunity to unleash ransomware attacks in pursuit of ever more lucrative prizes. 

How to Respond to a Data Breach Caused by Ransomware 

Responding to ransomware is a complex undertaking. Take all necessary precautions to gather the information you need to respond to a data breach adequately, without running afoul of the law or further compromising the data on which your organization's success depends. The legal and compliance issues to consider depend on the industries your organization operates in or serves. The following list is not exhaustive, but it offers insight into what to keep in mind should you or your partners experience a data breach caused by ransomware: 

Healthcare

Under HIPAA's Breach Notification Rule, covered entities such as hospitals, health insurers, and ambulance services (and the business associates that process data for them) are required by law to notify affected individuals and the Department of Health and Human Services when unsecured protected health information is compromised through unauthorized access, acquisition, use, or disclosure. HHS guidance treats the encryption of electronic PHI by ransomware as a presumptive breach unless the organization can demonstrate a low probability that the data was compromised, so do not assume that "the data was only encrypted, not stolen" removes the duty to notify. Due diligence must occur to ensure that if your organization handles any healthcare-related data on behalf of clients, you have systems in place to safeguard sensitive medical records, and to preserve the evidence (logs, backups, forensic images) needed to make that risk assessment. 

Consumer banks and loan companies

Under the GLBA, the Federal Trade Commission enforces data protection requirements for non-bank consumer financial institutions (consumer lenders, mortgage brokers, and the like) through the Safeguards Rule. As of this writing, the Safeguards Rule itself imposes no obligation to notify customers after a ransomware or other malware incident; the FTC recommends that service providers inform customers of an adverse event, but there is no legal requirement under the rule. Note that state breach-notification statutes may still apply, subject to each state's exemptions for GLBA-regulated entities.

Brokers, dealers, investment advisors

The Securities and Exchange Commission (SEC) regulates investment activity at broker-dealers, investment companies, and registered investment advisers. Under the GLBA, the SEC adopted Regulation S-P, which requires these firms to safeguard customer records and information and sets expectations for how they respond to a breach. That breach-response program recommends informing affected customers but does not explicitly require it by law. 

Investment banks, national banks, private bankers

The federal banking regulators (the Federal Reserve, the Treasury Department's OCC, and the FDIC) have issued their own interagency guidance on responding to incidents involving customer information, including those caused by crimeware. Under that guidance, customer notification is required when the institution determines that misuse of sensitive customer information has occurred or is reasonably possible, not merely because a system was compromised. The guidance also specifies how the notice must be delivered and what it must say. Separately, the computer-security incident notification rule these agencies finalized in late 2021 requires banking organizations to notify their primary federal regulator within 36 hours of determining that a significant incident has occurred, and a ransomware outbreak that disrupts operations will often meet that threshold.

US state laws

Every US state, along with the District of Columbia and several territories, has its own breach notification statute, and they differ on what counts as personal information, how a breach is defined (unauthorized "access" versus unauthorized "acquisition", which matters when ransomware encrypted data but exfiltration cannot be proven), how quickly notice must be given, and whether a state attorney general must also be informed. These laws generally apply based on where the affected individuals reside rather than where the breach occurred, so a single ransomware incident can trigger obligations in many states at once. There are also cases in which individuals and organizations have argued they should have been notified about events that were transnational or beyond the limits of a single state's boundaries. 

EU data laws

The Data Protection Directive (DPD) set the original EU framework for personal data protection, and the EU General Data Protection Regulation (GDPR), which replaced it in 2018, introduced explicit and demanding rules on disclosures following a breach. Under Article 33, a controller must notify its supervisory authority within 72 hours of becoming aware of a personal data breach unless the breach is unlikely to result in a risk to individuals; under Article 34, it must notify the affected individuals without undue delay when the breach is likely to result in a high risk to them. Ransomware qualifies: loss of availability through encryption is itself a personal data breach under the GDPR's definition, and the European Data Protection Board's published breach-notification examples work through several ransomware scenarios, with the severity (and therefore the notification duties) turning on whether data was exfiltrated and whether usable backups allow prompt restoration. In any case, legal and compliance professionals must work alongside information security teams to mitigate the ongoing threats posed by ransomware and data breaches.