Variations on Ransomware Tormenting Law Firms and Women

In early January, the FBI warned businesses about Maze ransomware, which does more than just encrypt data.  It steals copies of company data and then encrypts the company’s systems and networks.  If the victim does not pay the ransom, the hacker posts the company’s name on a public website.  If the company is not publicly shamed into paying and continues to ignore ransom demands, the criminal dumps the data on the internet.   Healthcare providers were an early focus of attacks, but law firms are now in the crosshairs.  Several law firms have been hit so far this month.

Law firms make for an interesting target.  First, they have a treasure trove of sensitive client and firm data.  Second, small and medium-sized firms are less likely to have sophisticated security measures, making them easier targets, especially for malicious email attacks.  Third, because client trust is central to a law firm’s success, criminals may see law firms as more likely to pay a ransom to avoid having their clients’ sensitive data released on the internet.

According to the FBI, Maze ransomware uses multiple attack vectors, including malicious emails sent in bulk, often impersonating government agencies and well-known security vendors.  The hackers have been known to ask for two ransom payments:  one to decrypt the data and the other to destroy the stolen data.

Oh, yeah, and once payment is made, the victim will just have to trust that the criminal actually destroyed the very valuable data and that he would not hit the victim up again for another payment in the future.  I doubt that criminals are offering a “certificate of deletion” or some enforceable guarantee in return for the payment.      

One other interesting aspect of Maze ransomware is that it eliminates a common argument that ransomware does not cause a data breach and, thus, does not require reporting or notification.  In fact, many companies never report ransomware incidents for this reason.  While that argument may work in jurisdictions with weaker data breach laws, Maze ransomware’s exfiltration of files destroys that argument entirely.  (Note that for HIPAA covered entities and under some state laws, traditional ransomware triggers breach reporting and notification obligations regardless of exfiltration.)

So, not only is Maze ransomware publicly shaming companies into paying ransoms, in a strange twist, it also is forcing companies to comply with applicable data breach laws.

That’s not it for disturbing ransomware news.  Earlier today, I read about an incredibly troubling variation on ransomware.  Apparently, a new ransomware strain requires photographs of women’s bare body parts to obtain a decryption key.  Despicable.    

More than ever, we need to focus on prevention and detection.  Some effective strategies include using multi-factor authentication on anything connected to the network, having effective backups and monitoring systems, and training employees on how to identify and avoid these attacks.

Criminals evolve.  We must too.