When cyber extortionists threaten to publish stolen data
Read how to handle the risk of double extortion (ransomware combined with data theft) by cyber extortionists, and how to react with a professionally prepared crisis management team.
Have you ever considered what a day without usable IT costs your company? How many days can your company survive without IT? Probably only a few. What happens if someone threatens to release your company or customer data? Do you know how to manage a cyber extortion crisis quickly and professionally?
Trend towards double extortion
The three main forms of cyber extortion are ransomware (encryption Trojans), extortion in connection with data theft and threats of a DDoS (distributed denial of service) attack.
Increasingly, the perpetrators combine data encryption with data theft: a double extortion. If the victim refuses to pay a ransom to decrypt their data, the cyber extortionist threatens to publish or sell the data stolen from the company. As a small "taste", the group then publishes parts of the stolen data. It also happens that the perpetrators contact customers of the victim company by phone, email or letter, claiming that the company is not serious about protecting its customers' data.
With the proliferation of Ransomware as a Service, which enables double extortion, even amateurs can carry out such attacks. The attacker is not always interested in the obvious extortion: for a competitor or a foreign state actor, the business interruption and the reputational damage it causes may be the real objective.
Be cautious with payments if the extortionists threaten to publish data
For affected companies, the publication of data usually poses a greater reputational risk than the encryption of data (where the main problem is the business interruption). This can lead companies to pay a ransom to prevent or stop the release of data, even when usable backups exist.
Be cautious here for a number of reasons:
- If certain categories of data are at risk, the data protection authorities and, if applicable, the data subjects must be informed within a short period of time. Depending on the type of company (e.g. critical infrastructure), further institutions must be notified. Failing to do so not only jeopardises the company's reputation; the fines can far exceed the ransom demanded. Paying a ransom without informing the authorities about the data theft is very risky.
- The perpetrators do not always steal data, even if they claim to have done so.
- Despite assurances from the perpetrators, there is no guarantee that the stolen data will actually be deleted. Victims should assume that the data will be passed on to other threat actors, sold, or kept for a second or future blackmail attempt.
- The stolen data may be held by several actors and not safeguarded. Even if the extortionist deletes the data after a payment, other parties who had access to it may have made copies to extort the victim in the future.
- The data may have been intentionally or mistakenly published before the victim can even respond to the extortion attempt.
- Even if the perpetrator explicitly promises to provide a complete list of the stolen data after payment, such a list may never be delivered.
Cyber extortion groups such as Conti or LockBit have repeatedly blackmailed victims in the past.
Professional reaction by the crisis management team is
The crisis management team and its performance during the crisis are decisive for how the company gets through the crisis and limits the damage. Cyber crises are among the few crises that can actually threaten the existence of a company.
Crises are high-stress situations because much is at stake - for the company, but also for individual managers and the executives. This can lead to a certain paralysis or to wrong decisions - with serious consequences. For successful crisis management team work, among other things, the following are crucial:
- The real incident should not be the first "exercise" for the crisis management team.
- Clear, pre-defined functions, roles and responsibilities for the individual crisis management team members.
- The understanding that a cyber attack is not a purely technical problem to be solved by the IT department, but a strategic one to be managed by the crisis management team (CMT).
- A quick overview of the different actors involved and how to deal with them.
- Transparent internal and external communication, balancing rapid communication (in order to retain control of the narrative) against the time-consuming verification of information before it is communicated.
- Efficient crisis management team meetings.
- Attention to legal pitfalls, which are particularly complex in cyber cases.
- Making decisions quickly and prioritising actions correctly.
- Tracking who does what and when.
- Quick access to external consulting expertise, even on weekends.
Companies should call in professional external expertise in the event of a cyber attack. This applies not only to legal advice, crisis communication and forensics, but especially to crisis management and CMT support. The crisis response consultant helps to establish a professional and efficient crisis management team, overcomes silo thinking, acts as a cross-thematic project manager at the side of the affected company, and anticipates possible negative developments.
SmartRiskSolutions assists companies in various crisis situations so that they quickly regain the initiative and the ability to act through professional crisis management. This includes immediate advice to the crisis management team on how to work efficiently, as well as on anticipating how the situation may develop. Furthermore, SmartRiskSolutions has for years supported organisations in negotiations with extortionists.