When Ransomware Strikes, ‘Assume Data Breach’ Too

With ransomware attacks evolving to include additional fallout such as data breaches, even organizations that seemed well-prepared can fall victim, as described in an ArsTechnica post about the Credit Union National Association (CUNA). CUNA demonstrates serious commitment to protecting against ransomware, including staging a ransomware exercise with member credit unions. But a few months later CUNA experienced a business disruption caused by ransomware. As reported in the Security & Resilience Update for December 17, 2019, ransomware operators (specifically groups associated with MAZE and Sodinikibi/REvil) have adopted the model of actually releasing stolen data to coerce victims into paying; it was only a matter of time. Prior to this development, most ransomware breach notifications included the wishful thinking and naïve belief that ‘no personally identifiable information (PII) was breached’ in an effort to downplay the failure to properly maintain the confidentiality, integrity, and availability (CIA) of data they were entrusted. This is a belief that can no longer be subscribed to. Like the adage, ‘it’s not if you’ll experience a cyber attack, but when,’ it’s not ‘we don’t believe any PII was stolen,’ it’s, ‘we haven’t been threatened by the attackers to publicly release the data yet.’ While encrypted uncompromised backups are the best way to recover from a ransomware attack, encrypting the data in the first place and securely managing the decryption key is even better to confound the ability of ransomware actors to read any data they have stolen. Read the post at ArsTechnica

For more on ransomware actors’ attack strategies, visit KnowBe4’s post: Encryption Isn’t Your Only Ransomware Problem – There Are Some Other Nasty Issues