New Ransomware, New Attitudes
Characters in fiction usually have a dark foil as an antagonist. Superman and Bizarro, Frodo and Gollum, Jerry and Newman. But what about encryption? For as heroic as it is and the good it does, what happens when we come up against the dark side of encryption?
Yeah, ok, that sounds cheesy. It does, however, describe an insidious new type of ransomware out there in the cyberwild. Researchers have discovered that a variant known as Nemty encrypts a victim’s PC, turning a tool of protection into a way to lock down machines even more effectively than ordinary strains. Examination of the code indicates that it is still under development and not yet complete for full distribution, but that is not certain, and more widespread use could be imminent. Either way, Nemty is quite the hassle even in an “immature” state, and is something to look out for.
This is even more important for organizations now that courts, according to Babst Calland’s Molly Meacham, appear to be changing tack on the legal perspective toward cybersecurity incidents. In the past, plaintiffs often had their cases dismissed for failing to meet a sufficient damage threshold, and companies that experienced breaches were not held responsible for damages. Meacham cites court cases like Dittman v. UPMC, however, to highlight changing attitudes: cybercrime has become so prevalent that it is no longer realistic to categorize it as an unforeseeable risk to a business. It is very much foreseeable, which means organizations should expect it and are being told they have a legal duty to do so. Large companies in particular, “with the resources to do more, are expected to meet a higher, more sophisticated standard,” says Meacham.
The ways to reduce risk are the same as what we usually discuss here, so I won’t go too in-depth on those. As always, it basically comes down to the Who, What, When, Where, Why and How of the data an organization collects and stores. That is to say: whose data it is (and who has responsibility for it), what type of data it is, how long you’ve had it and when you’ll no longer need it, where it is currently stored, why you need it, and how you go about all of these things. Courts these days seem to be examining whether or not a company took “reasonable steps” to keep personal data safe. Those who don’t take such steps risk mounting legal trouble and public repudiation.
Then again, 58% of CISOs told an Optiv survey that they think the experience of a data breach makes them more attractive to potential employers down the line, so who even knows what anyone’s thinking.