Ransomware attacks and data breaches seem to be continuously contending for the top positions in news feeds. But what's the difference between these cyber threats and which should you be most concerned about?
For a comprehensive breakdown of each type of cyberattack, read on.
What's the Difference Between Data Breaches and Ransomware Attacks?
During a ransomware attack, cybercriminals deploy malware (malicious software) into targeted computer systems to seize and encrypt sensitive data. A decryption key is only provided if the victim complies with the ransom payment.
The ransom is usually demanded in bitcoin or a similar cryptocurrency. Transactions on these networks are recorded on a public ledger, but they are tied only to pseudonymous wallet addresses, so linking a payment to a real-world identity is difficult without cooperation from an exchange or a mistake by the attacker.
During a data breach, cybercriminals aim to access and steal sensitive information. Examples of sensitive data include:
- Social security numbers.
- Credit card details.
- Other personal data, such as names, addresses, and dates of birth.
- Phone numbers.
Access to any of the above information could lead to financial loss or identity theft for the people it describes.
The primary difference between the two incidents is how quickly, and to what degree, sensitive data is compromised, where compromise means the attacker actually obtains and misuses the data rather than merely denying access to it.
Usually, during a simple ransomware attack, sensitive data is not exposed to the public. It's encrypted and inaccessible to anyone without the decryption key.
The threat actors responsible for the attack hold the decryption key, but in a simple attack they are unlikely to review the seized data. They're motivated by monetary gain, not by divulging company secrets, and their time is better spent seeking new victims than thumbing through sensitive files.
Because ransomware campaigns are most profitable when attacks are executed at speed, the entire workflow is usually automated. Rather than manually managing each victim's unique decryption key, they're stored on separate command and control servers and automatically issued to victims when they pay their ransom.
If cybercriminals wanted to access each victim's encrypted files, they'd need to locate and utilize each unique decryption key. This arduous process wastes time and impedes profit margins so it's usually avoided.
But this convenient limitation disappears in double extortion ransomware attacks, where the victim is also threatened with having the seized data published on the dark web if payment is not made by the deadline.
To pressure victims into paying faster, some groups begin publishing portions of the stolen data immediately and continue releasing more until the ransom is paid.
During a data breach, the stolen data is the product. It is deliberately accessed so that it can be monetized, usually by being sold on dark web forums or used directly for fraud.
But monetary gain isn't always the motivation behind data breaches. Hacktivist groups freely publish stolen data to expose entities that don't align with their agendas.
Lately, the line between data breaches and ransomware attacks has blurred considerably. With the FBI consistently advising victims never to pay ransoms, cybercriminals have responded with an equally aggressive tactic to convince victims to do otherwise.
The overlap arises when sensitive data is exfiltrated before it's encrypted with ransomware. Because this strategy has proven very effective, it's quickly becoming a standard feature of modern ransomware attacks.
Exfiltration doesn't only create a sense of urgency; it also arms cybercriminals with material for damaging media attention.
Such an extortion sequence is characteristic of the Maze ransomware group. If a Maze victim fails to pay, a prepared press release is distributed to media outlets and shaming websites to publicize the successful attack.
Publicly traded companies are punished more severely, with the Maze threat actors also sending a detailed press release directly to the stock exchange on which the victim's shares are listed.
Is a Ransomware Attack Classified as a Data Breach?
Because modern ransomware attacks are encroaching on data breach territory, organizations in regulated industries need to reevaluate when their data breach notification obligations are triggered.
Many regulations require data breach victims to notify all impacted parties and the relevant government agencies of each incident.
Currently, all 50 U.S. states, as well as jurisdictions including the EU, China, Brazil, and India, have implemented data breach notification regulations. Two of the most stringent regimes are HIPAA (for health data in the U.S.) and the GDPR (in the EU).
HIPAA's (Health Insurance Portability and Accountability Act) Privacy and Security Rules aim to protect patient health information by limiting how it may be used and disclosed and by requiring safeguards against unauthorized access.
Regulated entities must also comply with HIPAA's Breach Notification Rule, which governs what must be reported when those safeguards fail.
According to the U.S. Department of Health and Human Services (HHS.gov), a notifiable breach is defined as:
"An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information."
Under this definition, a ransomware attack in which protected health information (PHI) was exfiltrated in addition to being encrypted is clearly a notifiable breach.
HHS guidance goes further: when ransomware encrypts the PHI itself, the data is considered to have been acquired by an unauthorized party, so a breach is presumed unless the entity can demonstrate, through a documented risk assessment, that there is a low probability the information was compromised. Only where the attack touched no PHI at all, for example encrypting operating system files on a host that stores no patient data, can the event reasonably be treated as not notifiable.
Because ransomware attacks are increasing in complexity, clandestine exfiltration tactics will only improve, and proving a negative (that nothing left the network) is hard. It's therefore much safer to assume that each ransomware attack was accompanied by data exfiltration.
Such an assumption, even if it later proves incorrect, avoids a potentially hefty fine for non-compliance with the HIPAA Breach Notification Rule.
Civil penalties for non-compliance range from $100 to $50,000 per violation, with a calendar-year cap of $1,500,000 per provision violated (these amounts are adjusted annually for inflation).
Notification Requirements for Data Breaches and Ransomware Attacks
Most data protection regulations require breach events to be communicated to the relevant supervisory body as quickly as possible. Some state-level reporting requirements also vary depending on the likelihood of harm to the affected individuals.
To avoid regulatory fines, aim to notify supervisory bodies within 24 hours of becoming aware of a breach, and no later than 72 hours afterwards. This reporting practice satisfies most regulatory standards, including the GDPR, whose 72-hour clock starts when the controller becomes aware of the breach.
Unless you're absolutely confident that a ransomware attack was not accompanied by data exfiltration, all such events should be treated as data breaches and reported accordingly.
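Deciding whether you can be "absolutely confident" that nothing was exfiltrated comes down to evidence, and the most common evidence is outbound traffic volume in the days before encryption. The following is an added example, not code from the original article or from any product it mentions: it triages constructed proxy log lines (timestamp, source host, method, destination, bytes out, bytes in) and flags source/destination pairs with bulk, one-way uploads. The thresholds, the staging-domain list, and the log layout are all assumptions chosen for illustration.

```python
"""
Exfiltration triage over constructed proxy log lines (added example).

Each log line is assumed to have the layout:
  <ISO timestamp> <src_host> <method> <dest_host> <bytes_out> <bytes_in>
The sample lines, thresholds and staging-domain list are constructed
for this example and are not taken from any real product or incident.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one workstation pushes ~600 MiB to a file-sharing
# host in a seven-minute window the night before an encryption event.
SAMPLE_LOG = """\
2024-03-02T01:12:07 ws-042 PUT mega.example-cloud.net 209715200 1024
2024-03-02T01:15:41 ws-042 PUT mega.example-cloud.net 314572800 1024
2024-03-02T01:19:03 ws-042 PUT mega.example-cloud.net 104857600 1024
2024-03-02T08:45:10 ws-017 GET www.example.com 512 48000
2024-03-02T09:02:55 ws-042 GET www.example.com 640 52000
2024-03-02T09:10:12 ws-101 POST mail.example.org 1200000 2048
"""

# Assumed tuning values: outbound volume to a single destination that
# warrants review, and the out/in ratio that suggests a one-way transfer.
VOLUME_THRESHOLD = 100 * 1024 * 1024   # 100 MiB
UPLOAD_RATIO = 10.0
# Assumed list of known file-sharing / staging domains (placeholders).
STAGING_DOMAINS = {"mega.example-cloud.net", "anonfiles.example"}


def parse_line(line):
    """Split one log line into a record with typed fields."""
    ts, src, method, dest, b_out, b_in = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src, "method": method, "dest": dest,
        "bytes_out": int(b_out), "bytes_in": int(b_in),
    }


def find_exfil_candidates(log_text, threshold=VOLUME_THRESHOLD, ratio=UPLOAD_RATIO):
    """Aggregate outbound bytes per (src, dest) pair and return the pairs
    that look like bulk one-way uploads, largest first."""
    totals = defaultdict(lambda: {"out": 0, "in": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        t = totals[(rec["src"], rec["dest"])]
        t["out"] += rec["bytes_out"]
        t["in"] += rec["bytes_in"]
        t["first"] = rec["ts"] if t["first"] is None else min(t["first"], rec["ts"])
        t["last"] = rec["ts"] if t["last"] is None else max(t["last"], rec["ts"])

    findings = []
    for (src, dest), t in totals.items():
        bulk = t["out"] >= threshold
        one_way = t["out"] / max(t["in"], 1) >= ratio
        if bulk and one_way:
            findings.append({
                "src": src,
                "dest": dest,
                "bytes_out": t["out"],
                "window_minutes": (t["last"] - t["first"]).total_seconds() / 60,
                "known_staging": dest in STAGING_DOMAINS,
            })
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)


if __name__ == "__main__":
    for finding in find_exfil_candidates(SAMPLE_LOG):
        print(finding)
```

On the constructed sample only `ws-042` is flagged: roughly 600 MiB uploaded to a known staging domain in under seven minutes with almost nothing coming back. A hit like this is exactly the evidence that removes any basis for claiming "no exfiltration" and turns the event into a reportable breach; the absence of hits is weaker evidence, since attackers can stay under volume thresholds or tunnel data through channels the proxy never sees.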
Is a Ransomware Attack Considered a Data Breach under GDPR?
The UK's Information Commissioner's Office (ICO) interprets the GDPR's definition of a personal data breach more broadly than the U.S. Department of Health and Human Services interprets a HIPAA breach. As a result, ransomware attacks and data breach events overlap to a greater extent.
According to the ICO, the following situations all constitute a personal data breach:
- Access by an unauthorized third party.
- Deliberate or accidental action (or inaction) by a controller or processor.
- Sending personal data to an incorrect recipient.
- Computing devices containing personal data being lost or stolen.
- Alteration of personal data without permission.
- Loss of availability of personal data.
Together, these conditions classify almost every ransomware attack as a personal data breach:
- In a multiple-extortion attack, sensitive data is also exfiltrated, and the absence of exfiltration can rarely be proven with certainty.
- Even if no exfiltration occurs, encryption causes a loss of availability of personal data.
- Some ransomware variants could also cause unauthorized alteration of personal information.
Many organizations with a reliable backup strategy continue to assume that a breach notification is unnecessary if encrypted data is rapidly restored from clean backups.
This would be an accurate assumption if loss of availability were the only condition of a data breach, but since unauthorized access and alteration of personal data are also conditions under the ICO's guidance, an efficient backup strategy does not by itself negate a breach notification.
The final decision on whether a ransomware attack is reportable should be made with your designated Data Protection Officer (DPO), who advises on the assessment; under the GDPR, the controller remains accountable for the decision.
How to Prevent Ransomware Attacks and Data Breaches
Because the overlap between ransomware attacks and data breaches will only increase, both require complete incident response and prevention practices; disaster recovery plans and business continuity strategies alone will no longer suffice.
To prevent incidents from progressing to difficult notification decisions, a security framework that minimizes the likelihood of a successful attack should also be implemented.
Such a framework can be deployed in five phases.
1. Educate Staff
Humans remain the weakest link in most information security programs. Even with the most generous cybersecurity budget, a single click on a malicious attachment or link could circumvent costly defenses and cause a data breach.
To prevent this, staff should be trained to recognize common attack vectors, above all phishing emails, which remain a favored initial access method for cybercriminals.
Phishing emails are getting difficult to detect. Some of the more convincing types claim to be from a law enforcement agency threatening repercussions if an intended action is not taken.
Others claim to be from healthcare authorities sharing urgent pandemic-related information.
Social media is another emerging attack vector that can be addressed with education. Staff should always log out of corporate accounts to avoid session hijacking and never click on links sent by inquiring 'customers.'
2. Keep Third-Party Software Updated
Third-party providers regularly issue security patches for exploitable vulnerabilities. These patches are usually delivered through the latest software updates.
Be sure to keep all software updated, especially antivirus and endpoint protection software, since updates keep their detection engines aware of the latest threats.
The Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD) should also be checked regularly against your software inventory to discover published vulnerabilities in products you run that have not yet been patched.
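The mechanical core of that check is matching installed versions against the affected version ranges an advisory publishes. The following is an added example and not code from the original article or from any vulnerability database: it compares a constructed software inventory against a constructed feed whose entries use range fields modelled on the NVD `cpeMatch` bounds (`versionStartIncluding`, `versionEndExcluding`, and their counterparts). The product names, versions and advisory identifiers are placeholders, not real advisories.

```python
"""
Match a software inventory against published vulnerability ranges
(added example; the feed and inventory below are constructed).

Range bounds follow the NVD cpeMatch convention: each of
versionStartIncluding / versionStartExcluding / versionEndIncluding /
versionEndExcluding may be absent, meaning 'no bound on that side'.
"""
import re


def parse_version(v):
    """'2.4.49' -> (2, 4, 49, 0). Only numeric components are compared;
    pre-release tags such as '-rc1' are ignored (a known limitation)."""
    nums = [int(p) for p in re.findall(r"\d+", v)]
    return tuple((nums + [0] * 4)[:4])


def in_range(version, bounds):
    """Return True if `version` falls inside the advisory's affected range."""
    v = parse_version(version)
    if "versionStartIncluding" in bounds and v < parse_version(bounds["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in bounds and v <= parse_version(bounds["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in bounds and v > parse_version(bounds["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in bounds and v >= parse_version(bounds["versionEndExcluding"]):
        return False
    return True


# Constructed feed: placeholder identifiers and products, not real CVEs.
FEED = [
    {"id": "EXAMPLE-0001", "product": "examplehttpd",
     "versionStartIncluding": "2.4.0", "versionEndExcluding": "2.4.50"},
    {"id": "EXAMPLE-0002", "product": "examplehttpd",
     "versionStartIncluding": "2.4.49", "versionEndIncluding": "2.4.50"},
    {"id": "EXAMPLE-0003", "product": "examplessl",
     "versionEndExcluding": "3.0.7"},
]

# Constructed inventory of what is installed where.
INVENTORY = [
    {"host": "web-01", "product": "examplehttpd", "version": "2.4.49"},
    {"host": "web-02", "product": "examplehttpd", "version": "2.4.51"},
    {"host": "vpn-01", "product": "examplessl", "version": "3.0.2"},
    {"host": "vpn-02", "product": "examplessl", "version": "3.0.7"},
]


def unpatched(inventory, feed):
    """Return (host, product, version, advisory_id) for every installed
    version that falls inside an advisory's affected range."""
    hits = []
    for item in inventory:
        for adv in feed:
            if adv["product"] == item["product"] and in_range(item["version"], adv):
                hits.append((item["host"], item["product"], item["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    for hit in unpatched(INVENTORY, FEED):
        print("%s: %s %s affected by %s" % hit)
```

Two details matter in practice. The inclusive/exclusive distinction is where manual checks go wrong: `2.4.50` is fixed under the first advisory but still affected under the second, and `3.0.7` is the first fixed release under the third, so a naive "is my version older than the advisory's version" test gives the wrong answer on both edges. Real feeds also identify products by CPE name rather than a bare product string, and vendors backport fixes without bumping the upstream version, so a range match should be treated as "needs investigation" rather than "confirmed vulnerable".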
3. Implement an Attack Surface Monitoring Solution
An attack surface monitoring solution continuously scans an organization's entire internet-facing attack surface for exposures that could facilitate ransomware attacks and data breaches, such as unpatched services, open ports, and leaked credentials.
By identifying and remediating these exposures before they're exploited, highly regulated entities such as healthcare providers can reduce the likelihood of a data breach and maintain regulatory compliance.
4. Manage Third-Party Security with Risk Assessments
By some industry estimates, compromised third-party vendors account for more than 60% of data breach events. It's therefore imperative to continuously monitor the security posture of your entire vendor network.
Risk assessments should be regularly distributed to identify any deficiencies against relevant cybersecurity frameworks. For maximum efficacy, security ratings should also be referenced to verify the legitimacy of risk assessment responses and remediation efforts.
5. Tier All Third-Party Vendors
Vendor tiering categorizes vendors based on their level of security risk. This creates a more efficient distribution of risk management efforts so that the vendors with the highest likelihood of compromise are managed with greater attention.
Such a risk-based approach to Third-Party Risk Management (TPRM) greatly reduces the potential for ransomware attacks and data breaches to occur through the most complex part of the attack surface: the third-party network.