Tattletale Ransomware Gangs Threaten to Reveal GDPR BreachesRepeat Shakedown Tactic: Victims Told to Pay Up or Else They'll Face Massive Fines
Money is a great inducement to innovation. That includes - maybe especially so - ransomware groups whose attempts to squeeze dollars from data lead to no end of novel technical and business techniques.
See Also: Threat Report: 2022 State of the Phish
Enter Ransomed, a group that only launched Aug. 15 but has already made a name for itself by extorting victims with this threat: Pay us a ransom to stay quiet, or we'll rat you out to your friendly neighborhood European privacy regulator. As a sweetener, the group tells victims that their ransom demand is only a fraction of the fines they'd pay for violating the EU's General Data Protection Regulation for the data breach.
The group claims it targets large organization, demanding ransoms of between $53,000 to $215,000, which is far below what it says their GDPR penalty is likely to be, threat intelligence firm Flashpoint reported.
Whether or not any victims have chosen to take GDPR compliance or other legal advice from these stress-inducers remains unclear.
The same goes for victims of groups that have previously named-dropped GDPR in their ransom notes or other shakedown communications. Since 2022, they have included post-Conti spinoff Alphv/BlackСat, joined this year by newcomers NoEscape and the Cloak extortion group, which has been tied to Good Day ransomware, reported threat intelligence firm Kela.
Like most ransomware groups, Alphv appears to prioritize U.S.-based targets, although the group has been mentioning the EU privacy regulation when listing European victims on its data leak site, "in most of the cases highlighting GDPR-related files in the leaked data," Kela reported.
NoEscape uses the same tactic when a ransomware victim chooses not to pay - it lists the victim on its blog and threatens to leak stolen data unless it receives a ransom.
"Think about the losses you will if the data is published, because in the documents that we have, there are thousands of documents of data that are subject to the GDPR law," read No Escape's threat to an Italy-based jewelry firm posted last month, Kela reported. "Lawsuits, proceedings and compensation will deal a crushing blow from which you will never recover!"
Under GDPR, the rules are clear: If an organization falls victim to an attack that may have exposed Europeans' personal identifiable information, they must report the breach to their regulator within 72 hours.
Criminal Promise: Pay for Secrecy
Ransomware groups promise secrecy instead, saying that if a victim quickly pays them a ransom, no one needs be the wiser. At least some victims seem to buy into this strategy, to try and hide the fact of the attack or breach. Perhaps some of them do so quickly and out of fear. This is precisely what criminals want, not least because the less law enforcement knows about their operations, the easier their future attacks will be.
What seems obvious from a remove might be less so in the heat of the moment. Fraudsters often seek psychological strategies that compel a victim, oftentimes by driving them to act without taking any time to think things through first.
In 2021, for example, Ragnar Locker started threatening victims who so much as thought about contacting police.
"If you will hire any recovery company for negotiations or if you will send requests to the police/FBI/investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised data immediately," the group told victims in its ransom note (see: Ragnar Locker: 'Talk to Cops or Feds and We Leak Your Data').
In the cold light of day, this threat looks both counterproductive and absurd. Some ransomware groups might be technically astute, but they're not thought police.
Ragnar Locker's threat is a reminder that if you've been hit by ransomware, someone may be eavesdropping on email or any other IP-based communications that touch the corporate network. Accordingly, use back channels for communications when contacting law enforcement and ransomware response firms for advice. Ransomware-battling experts always recommend victims do reach out, not least because researchers may have found a nonpublic way to restore crypto-locked data without a victim having to buy a decryptor (see: Memo to Ransomware Victims: Seeking Help May Save You Money).
For any organization considering paying a ransom in return for a promise to keep an attack or breach quiet, remember the coverup is always worse than the crime. Also, while some organizations say they have paid a ransomware group in return for a promise to delete stolen data, there's no proof any group has ever done so. GDPR enforcers say such payments in no way reduce any liability for any underlying business shortcomings investigators might find that failed to prevent the breach.
As always with data breaches, the smart money gets spent ahead on defense and preparing and practicing rapid incident response capabilities. Anything less helps play into attackers' hands.