Anna Delaney: Ransomware experts agree: Don’t buy data deletion promises, and how to avoid being at the heart of a data subject complaint. These stories and more on this week’s ISMG Security Report. Hello, I’m Anna Delaney. Ransomware groups often give victims a number of options. Victims can pay for a decrypter to unlock their data. They can also pay to stop so called double extortion in which attackers are threatening to leak stolen data unless a victim pays, but should the victim ever pay for a promise from attackers to immediately delete stolen data and not sell or leak it to anyone else? Joining me to discuss is our resident ransomware watcher, executive editor Mathew Schwartz. Matt, what’s the word on paying for data deletion promises from crooks?
Mathew Schwartz: I know this might shock you and amaze you. But experts do agree. You should never pay a ransom in return for a promise from attackers to delete stolen data. Doing so is for suckers, you’re just giving money to criminals for nothing in return. Many victims will feel the impulse to do something to try to protect stolen data and perhaps salvage their reputation. And that impulse is understandable, laudable. But as Bill Siegel, CEO of Coveware, has told me it’s too little, too late.
Bill Siegel: Along with that data that left their firewall, that was gone, they failed to protect it and it got stolen. And paying a ransom doesn’t fix that or ameliorate that. It frankly can exacerbate the problem. So there’s no reason to pay in those situations, as well, because the data is out there and you can’t put the toothpaste back in the tip.
Schwartz: Again, the impulse to pay to do something to try and fix the damage is understandable. But other experts I spoke to said they knew of no case where attackers honored any data deletion promise they may have been paid to deliver. Here’s ransomware analyst Allan Liska from Recorded Future.
Allan Liska: They’re not going to delete your data, just flat out, they’re going to pretend to delete your data, they’re going to make a copy of it and then secure delete it in front of you and make a big show of deleting the copy, or even deleting the original and keeping the copy. But they’re not going to delete your data. We’ve seen that time and time again. And I think organizations are fully aware of that. So then the question becomes, will they pay for the illusion that the data has been removed? And I don’t know the answer to that. When your data is going to be out there no matter what, is the bad guy going to display it proudly on their extortion site? Are they going to sell it quietly in an underground forum? That’s essentially what you’re paying for whether you want to admit that or not.
Schwartz: While Allan’s assessment might sound bleak, this is the reality.
Delaney: So Matt, are there any prohibitions against paying these types of ransoms?
Schwartz: Not that I know of. Authorities in the U.S., the UK and many other countries do not prohibit this, provided it doesn’t violate sanctions. Authorities say choosing to pay a ransom is a business decision. From a business standpoint, however, there’s some nuance here. Coveware’s Bill Siegel, for example, says sometimes the only way for a business to recover from an attack is going to be: if it pays, we’re working to decrypt it and hopefully gets that decrypter back. But here they are typically getting something in return for their ransom payment.
Siegel: If you pay a ransom for a decryption tool or key and you get the decryption tool or key, it doesn’t degrade, it doesn’t go away. Bad actors can’t take it back. And then, let’s say, we attack your company, you’ll be able to hopefully recover your data if you’ve done the right diligence and testing upfront. So, quickly, whether or not you’ve paid for something that returns value, because the key works or doesn’t. With data exfiltration, you don’t get anything in return. Can’t audit that threat actors leading the data. You can’t look in every corner of the cybercriminal forum to see if the information is being sold anyway. There’s no way to tell if the bad actor was going to come back and re-extort the organization later on, and in a lot of cases we see it that ends up happening.
Schwartz: Again, the plea from experts is to only pay for something real rather than for a feel good.
Delaney: So then, how many victims are paying for empty promises?
Schwartz: There is so much we don’t know about ransomware, unfortunately. Many attacks never come to light. Many victims never report them. But paying for data deletion promises seems to be enough of a problem that earlier this year, Britain’s privacy watchdog, the ICO, and also the National Cybersecurity Center, part of GCHQ, issued a joint plea to attorneys urging them to advise their clients to never pay a ransom for a data deletion promise. The ICO also emphasized that doing so would not reduce any fines. It might levy for poor cybersecurity practices. All of this is a reminder that many ransomware groups are experts at extortion. They know the psychological levers to use to help – and I use the word help ironically here – to help victims clean up the mess. They are saying, “Pay us more. And we promise that although we’ve done a lot of bad things, in this case, you can trust us.”
Delaney: So the takeaway here seems to be that victims need to know when they’re being played.
Schwartz: Yes, that can be put it in a seasonal context, Anna. Don’t play their reindeer games.
Delaney: The ICO, which enforces the U.K.’s privacy laws, including the General Data Protection Regulation, has published large datasets containing detailed information about breaches of personal data, data subject complaints and the civil investigations it has conducted since the fourth quarter of 2021. The ICO’s move, which came with a relative lack of publicity, has unmasked incidents involving numerous organizations. I asked Edward Machin, an associate in the data privacy and cybersecurity group at law firm Ropes & Gray, what practical steps can and should organizations be taking to avoid being at the heart of a data subject complaint?
Edward Machin: Yeah, I think a strange way being on the list from a breach perspective is not the worst thing because it shows that you have followed the law, whether organizations will think if you have a breach that could go either way in terms of reportability. Do they not report to avoid going on the list, that’s something that some organizations may be thinking about, even though the correct thing to do would be to report. In terms of the other aspects, I think that nothing changes from what we’ve always advised. If you have complaints, if you have subject requests, it’s always best to try and deal with them head on. Don’t bury your head in the sand, try and work to find a solution with the individual or the complainant, because that will likely mean that they don’t think of the ICO, and if they don’t go to the ICO, then the complaint won’t be listed on the Excel. So having processes and procedures in place for identifying what complaints look like, if they come through to a member of call center staff, for example, does that individual know to escalate the complaint and get it sorted within the relevant timeframes? And even if it feels difficult to put those processes in place, I think now businesses will see that if they don’t do that, then they could end up on the list. And there are some organizations, largely public sector organizations that are listed multiple times on multiple lists. And it may be the case that at some point, the ICO will start to see the same name come up again and again. And what was an action that was closed down without further action may be something that they take forward. So it’s certainly something like with the kinds of complaints from individuals not to bury one’s head in the sand that these lists look like they’re going to be something that the ICO does, going forward. So if you don’t want to be on, it’s getting the processes and procedures in place to try and address complaints in a request as quickly and as amicably as possible.
Delaney: And finally, governments and defenders have made great strides to better understand the scope of the ransomware problem and taken steps to disrupt it, says cybersecurity veteran and co-chair of the Ransomware Task Force, Jen Ellis. Our executive editor Mathew Schwartz caught up recently with Jen at Black Hat Europe to discuss recent efforts to battle ransomware, including a new project taken on by think tank RUSI.
Jen Ellis: So RUSI is the Royal United Services Institute. They cover a broad range of things, but more recently have started to do things in cybersecurity and have built up a good reputation in this area, because the work is credible. So they’ve been commissioned by NCSC, the National Cybersecurity Center, which is part of the U.K. Government, to look into what the harm is, what the impact is, what was caused by ransomware attacks. And I can tell you from the ransomware taskforce point of view, we wanted to get to grips with this, we wanted to be able to make it more tangible for people and say, “This is the impact on the economy or this is the impact on people’s lives.” And to be able to quantify it in some way and qualify in some way, and humanize it. And it’s hard because people don’t want to share their stories. And law enforcement doesn’t want to share data and nobody wants to share data. And so we found it extremely difficult to get to that point of being able to do that. And so now RUSI has taken that challenge of, and said, “we are going to see if we can come up with something” and they’re partnering with an academic institution, and I think that gives them an ability to go at this in a stringent way with high discipline. And I think if anybody listening to this has a story they want to share, then you should definitely get in touch with them or you can reach out to me and I will get in touch with them for you. I’m on either Twitter or LinkedIn or in fact, Mastodon now, depending on which Mastodon you own. What they need us to hear from people who have experience and are willing to share their stories and they’re happy to keep them anonymous. Everything’s going to be aggregated. You don’t have to stick your neck out too much to do it.
Delaney: That’s it from the ISMG Security Report. The music is by Ithaca Audio. I’m Anna Delaney. Have a very Merry Christmas and until next time.