Last week we reported that a new wave of ransomware is threatening OT security. The Snake file encrypting ransomware, for example, includes code that has the explicit goal of causing process disruption.
Another facet of this new OT and IoT ransomware onslaught is malware that aims to exfiltrate data and threaten to leak it, potentially damaging a company’s reputation.
Additionally, the threat actors behind this type of attack might calculate the fine a company would face under GDPR for improperly disclosing personal data. They then set their ransom below the penalty, to encourage payout.
Successful attacks such as DoppelPaymer demonstrate that extorting large organizations can be much more profitable than attacking unsuspecting individuals. Let’s consider the dynamics of this type of threat, and the risks it poses to asset owners.
OT Ransomware that Threatens an Organization’s Reputation
The DoppelPaymer ransomware made headlines in 2019 after attacking and extorting various large organizations. Targeted ransomware like DoppelPaymer, BitPaymer, SamSam, Ryuk and others attack large businesses because this tactic can be much more profitable than attacking unsuspecting individuals. Disruption to a company’s operations can be costly, which is something that threat actors leverage in their attempts to force victims to pay the requested ransom.
The DoppelPaymer operators recently launched a website, initially only reachable via the Tor network but now also accessible on the clearnet. The purpose of the site is to leak data stolen from victims who refused to pay the ransom. A large state-owned petroleum company suffered a ransomware attack back in November 2019. It is now featured as a victim on DoppelPaymer’s website, along with telecommunications and other companies.
DoppelPaymer isn’t the first ransomware to exfiltrate data and threaten to leak it if the requested ransom isn’t paid. We’ve also seen this with Maze ransomware, where exfiltrated data was released after companies refused to pay. Ransomware can pose a further threat in relation to the General Data Protection Regulation (GDPR).
OT Ransomware that Exposes an Organization to GDPR Penalties
A ransomware attack can include the compromise of personal data. If the victim is in the European Union, they are required to report the incident to a local data protection authority. Knowing this, threat actors calculate the fine a company would face under GDPR, and demand a ransom is that is just under the fine.
Organizations may prefer to pay the ransom and never report the incident. If they were to report an incident to local authorities, they would be investigated and could be fined. In addition, an investigation might turn up other GDPR violations.
On the other hand, a company might prefer the risk of a fine, rather than breaking the law by burying the ransomware incident. If no personal data was stolen, changed or destroyed during the attack, it might not even qualify as a GDPR breach.
New OT Security Threats Require New Incident Response Plans
New ransomware scenarios such as the ones described here should be factored into an organization’s incident response plans. Beyond a technical response, decision makers need to be prepared to weigh the risks and consequences of alternate actions.
Ransomware threat actors typically rely on spear phishing links or vulnerable public services to gain initial entry into a network. Afterwards, they move laterally to gain access to as many nodes of the network as possible, allowing them to increase the magnitude of the disruption.
To protect OT and IoT environments from ransomware, cybersecurity best practices such as strong segmentation, user training, proactive cyber hygiene programs, multi-factor authentication and the use of continuously updated threat intelligence, should be considered.