(by Francesco Pagano, Director of Aidr and Head of IT services at Ales spa and Scuderie del Quirinale) At last, a comprehensive body of legislation regulating the processing of personal data. The GDPR, which came into force in May 2018, has undoubtedly improved the overall cyber security landscape. By imposing specific obligations and, last but not least, a system of sanctions for those who fail to bring their procedures and policies into line with its provisions, the new European data protection regulation has obliged numerous organisations to adopt the best practices that protect data confidentiality and user privacy.

In recent months, however, security experts have raised an alarm about a "side effect" of the sanctioning regime introduced with the GDPR. Those exploiting the legislation to their own advantage are cybercriminals who specialise in attacks on companies and who normally rely on so-called crypto-ransomware for their operations. This type of malware is designed to extort the victim by encrypting all the data and documents on the infected computers.

Anyone who suffers an attack of this type finds himself in a paradoxical situation: all the data is still present on his systems, but he cannot access it without the cryptographic key, which is in the possession of the attackers. The scheme, now adopted by numerous cybercriminals, then provides for the demand of a "ransom" (sometimes running into the millions) in exchange for the decryption key needed to restore the data taken "hostage". It goes without saying that the mechanism hides numerous pitfalls and that taking the path of paying the ransom is extremely risky. The news, in fact, has recorded numerous cases in which the cybercriminals did not provide the cryptographic key despite payment or even repeated the extortion. The correct reaction to an attack of this kind, as confirmed by the police forces and cyber security experts, is to report the data breach and restore the data through specialised tools or, in the absence of alternatives, from system backups.

In recent months, however, hackers have changed their modus operandi in order to put more pressure on their victims. In addition to encrypting the data, making it unavailable to its rightful owner, they exfiltrate a copy of all the documents. The ransom note, at this point, also carries the threat of publishing all the data online, triggering a mechanism whereby the company that suffered the attack would also risk the (very high) penalties provided for by the GDPR.

A group such as Sodinokibi launched this strategy in December 2019, closely followed by other gangs of cybercriminals specialising in ransomware attacks. One of these, called Maze, has even created a site on the Dark Web where the stolen data of victims who do not give in to the blackmail is systematically published. The invitation, in practice, is to pay the ransom in order to keep the incident quiet and avoid an investigation into the data breach by the data protection authority (the Garante). It goes without saying that, in this case too, there is no guarantee that the cybercriminals will honour the agreement. There are many cases in which, despite payment, the stolen information was disclosed anyway, putting the victims in an even more complicated position before the authorities. The whole affair confirms the surprising creativity of the cybercriminals and, at the same time, that the only way to counter their activity is the rigorous and timely execution of the prescribed procedures. Any "shortcut" risks turning into a real disaster.

That is why the GDPR has turned into a double-edged sword.