Ransomware has now come full circle. The ability to encrypt files was one of the core capabilities needed to make ransomware a viable cyber crime. However, cyber criminals no longer need to encrypt your files to hold you hostage. Why? Because they think you’ll pay up just to stop your data going public.
There are two types of data that are particular targets for this type of attack. The first is personal data, information on an individual, sometimes called personally identifiable information (PII). Over recent years legislation to protect personal data has strengthened significantly, with pan-national (such as GDPR), national, regional, and industry-specific laws in place to protect data.
This legislation comes with very stiff financial penalties for organizations that infringe its requirements and suffer a relevant data breach – the maximum fine under the GDPR is up to 4% of annual global turnover or €20 million, whichever is greater. Cyber criminals are able to hold organizations hostage with the threat of releasing personal information, thereby exposing the victim to the consequences of a data breach.
In October 2019 the City of Johannesburg in South Africa suffered an encryption-free ransomware attack. They were attacked by a group calling itself the Shadow Kill Hackers. According to a note shared on Twitter, they didn’t encrypt data. Instead they stole it and threatened to upload it to the internet if the City didn’t pay up. The note read:
All your servers and data have been hacked. We have dozens of back doors inside your city. We have control of everything in your city. We also compromised all passwords and sensitive data such as finance and personal population information.
The group reportedly demanded a payment of four Bitcoins (£30,347), although at the time of writing the ransom does not appear to have been paid.
The other type of data particularly at risk from these attacks is intellectual property, or IP. This is often the source of a business’s success – whether it be a secret recipe, a proprietary technology, or unique data. If that IP got into the public arena it could mean the death knell for the business.
The most public example of this type of ransomware attack was the one experienced by the band Radiohead in mid-2019. Frontman Thom Yorke’s archive was hacked, and the crooks stole 18 hours of unheard music from around the time of the release of the 1997 album OK Computer. The extortionist threatened to make the music public unless the band paid a ransom of US$150,000 – a request that Radiohead eschewed, preferring instead to make the music public themselves in return for an £18 (around $23) donation to aid the climate advocacy group Extinction Rebellion.
Stopping encryption-free attacks means stopping the hackers getting hold of your data in the first place. It requires many of the same technologies and behaviors that you need to defend against encrypting ransomware, which is a nice segue into our next section.