The cybersecurity landscape of 2024 presents an evolving challenge for professionals, particularly in the realm of ransomware. The emerging threats demand not only a strategic realignment in defense mechanisms but also an understanding of the legal implications of these cyberattacks.
Ransomware operations continue to transform, beginning to move away from traditional encryption-based “denial of access” to a focus on the less complex approach of data theft and extortion, or “denial of confidentiality”. The rationale is straightforward: why bother with the complexities of key management, coding cryptographic modules, and avoiding decryption efforts by security experts and public/private initiatives such as nomoreransom.org when you can simply steal the data and demand a ransom to avoid publication? A “data out and cash out” approach negates the challenges of traditional ransomware operations and eliminates the Get Out of Jail Free card of recovery from backups, making data theft and extortion both more efficient and more appealing for cybercriminals.
Indeed, in 2023 even the long-standing ransomware actor Cl0p used zero-day vulnerabilities in both Fortra’s GoAnywhere MFT and Progress’s MOVEit Transfer file transfer software simply to exfiltrate data, eschewing its prior modus operandi of encrypting it. BlackCat/ALPHV conducted a “smash and grab” attack against Western Digital, demanding a ransom for some 10TB of data it claimed to have stolen, and took the unusual step of reporting another of its victims, MeridianLink, to the SEC for failing to disclose the theft. In neither case was encryption deployed. The trend suggests a continuing appetite for zero-day vulnerabilities that expose access to data and services, and there is little doubt that the cybercrime world has already learned significant lessons about monetizing vast quantities of data and victims effectively.
In this new landscape, ironically, encryption emerges as a key defense (in conjunction, of course, with mature backup and recovery procedures). If all sensitive data is properly encrypted, and the keys are held separately from the data with tightly controlled access, exfiltrated data is worthless to the attacker. That caveat matters: transparent disk or database encryption protects a stolen drive or snapshot, but does nothing against an intruder who reads the data through a compromised application or administrator account, where it is decrypted on access, and it does nothing if the keys sit next to the data and leave with it. Such an approach therefore requires encryption of sensitive data at rest, in transit, and during processing, together with key management that keeps the keys out of the attacker’s reach. Regular review and audit of the algorithms, key lengths, and key-handling procedures in use are equally necessary to stay ahead of emerging weaknesses.
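As an added illustration (example code written for this page, not taken from the original post or any vendor), the following Go program shows the shape of encryption that actually defeats data-theft extortion: envelope encryption with AES-256-GCM, where each record is encrypted under its own data-encryption key (DEK) and that DEK is wrapped under a key-encryption key (KEK) standing in for a key held in a KMS or HSM. The `Record` type, the function names and the sample record are assumptions for the example. What an exfiltrator copies from the data store (ciphertext plus wrapped DEK) is useless without the KEK, and because the record identifier is bound as associated data, a record moved to a different identifier or tampered with also fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what sits in the data store, and therefore what a "data out and
// cash out" attacker exfiltrates: the ciphertext plus the DEK wrapped under a
// KEK that is held elsewhere. (Type and field names are assumptions.)
type Record struct {
	ID         string
	WrappedDEK []byte // DEK encrypted under the KEK; 12-byte nonce prepended
	Ciphertext []byte // body encrypted under the DEK; 12-byte nonce prepended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key => AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts pt under key with a fresh random nonce and authenticates aad.
func seal(key, pt, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, pt, aad)...), nil
}

// open reverses seal; it fails if the key, the blob or the aad differ.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// Encrypt generates a fresh 256-bit DEK for the record, encrypts the body
// under it, and wraps the DEK under the KEK. kek stands in for a key that
// lives in a KMS/HSM and never enters the data store.
func Encrypt(kek []byte, id string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	body, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, []byte(id))
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, WrappedDEK: wrapped, Ciphertext: body}, nil
}

// Decrypt needs the KEK: unwrap the DEK, then open the body. Both steps bind
// the record ID as associated data, so a record moved to another ID fails.
func Decrypt(kek []byte, r Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK, []byte(r.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", r.ID, err)
	}
	return open(dek, r.Ciphertext, []byte(r.ID))
}

func main() {
	kek := make([]byte, 32) // constructed sample KEK; a real one stays in the KMS
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := Encrypt(kek, "customer/42", []byte("ssn=123-45-6789")) // constructed record
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, rec) // the owner, holding the KEK, reads it back
	fmt.Printf("owner:    %q err=%v\n", pt, err)
	_, err = Decrypt(make([]byte, 32), rec) // the exfiltrator has the record but no KEK
	fmt.Println("attacker:", err)
}
```

The design choice worth noting is that the only secret not present in the stolen data is the KEK. If the KEK is written to the same database, config file or file share as the records, the scheme collapses to the transparent-encryption case above and the exfiltrated copy decrypts as easily as it does for the legitimate application; the same is true if the attacker can make the application decrypt on their behalf, which is why access to the KMS or HSM must be as tightly controlled and logged as access to the data itself.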
Encryption works, but deployment is way behind where it should be at this point. Reflecting on my experience from over two decades ago at PGP, it’s evident that encryption technology has made significant strides, but the fear of encryption persists. This fear, which stems from concerns about complexity, cost, and impact on system performance, continues to hinder widespread adoption of encryption and represents a critical vulnerability in today’s threat landscape.
Bonus: Is it a notifiable breach if the data is encrypted? In most cases, no, provided the keys were not compromised along with it. Are your customers, partners, and staff at risk if the data is encrypted? Again, in most cases, no.
Legally, encrypted data is treated differently in the event of a breach. Under the European Union’s General Data Protection Regulation (GDPR), Article 34(3)(a) removes the obligation to communicate a breach to the affected individuals where the data was protected by measures such as encryption that render it unintelligible to unauthorized persons; notification to the supervisory authority under Article 33 is still required unless the breach is unlikely to result in a risk to those individuals. In the United States, most state breach-notification statutes apply only to unencrypted personal information, typically with the proviso that the encryption key was not also acquired, and the California Consumer Privacy Act (CCPA) limits its private right of action for data breaches to nonencrypted and nonredacted personal information.
Over the course of the next year or so, I expect to see ransomware threat actors and affiliates becoming more selective. This selective approach will comprise actively seeking out victims known to have cyber incident insurance and the so-called “double-tap” retargeting of organizations already known to have paid a ransom (behavior that has already been noted with variants of AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal). I expect that a market for victim-profiling data will mature, probably as-a-service, similar to the tried and trusted “suckers list” for postal, romance and 419 scams.
Encryption is therefore both a technical control and a legal safeguard: it limits the damage of a breach and can change the notification obligations that follow one. As ransomware tactics grow more sophisticated, organizations should prioritize proactive, continuous management of their security posture, covering vulnerability discovery and remediation, misconfiguration detection, and exposure management.
Recognizing the importance and exposure of digital assets is fundamental to security. The first task is to understand and enumerate your digital assets, both managed and unmanaged or unknown, including data, applications, and systems (IT, OT, IoT, IoMT), and to measure each one’s exposure to potential threats. Which services are running? Is the asset exposed to the internet? Can the asset be directly managed? Is the asset currently compliant? What are the consequences to the business if it is degraded, compromised, or unavailable? The higher the exposure and the greater the criticality, the greater the risk, and ranking assets on that basis is what lets time-poor vulnerability risk management teams prioritize most effectively.