Optimise Cyber Solutions’ Post

☢ To Pay or Not to Pay: That is the question ☢ Cyberattacks are increasingly common, the question of whether to pay ransomware demands is becoming more urgent and personal. Courts are pushing for the return of stolen data, but let’s be honest—hackers aren’t likely to comply. So, is it ethical to pay? My answer? It depends on the situation. Let me paint a picture... Imagine you're a small business owner, and your company gets hit by ransomware. You have no connections to the UK government, and hiring external recovery services is beyond your budget. If refusing to pay means losing your business, you might seriously consider giving in, even if it feels wrong. Yes, paying the ransom fuels the criminals and might invite future attacks. But when your livelihood is on the line, priorities can shift, and you might end up doing what you need to do to survive. Now, consider a different scenario: the organization under attack is linked to the UK government. In this case, paying the ransom might seem like a quick fix, and the cost could be manageable. But the consequences could be far-reaching. It could encourage cybercriminals to go after more government sectors, and that’s a risk we can’t afford to take. Plus, the government’s stance is clear—they don’t negotiate with criminals. Here, the right choice is to hold the line, even if it’s the harder one. Ultimately, whether to pay or not is a tough call, and what’s right can depend on where you’re standing. Would you Pay????

Ransomware criminals are escalating tactics in chilling new ways—and executives across industries should take note. Details are reported in the Venture Beat article linked below. Gist of the piece: 1) Christopher Budd, a director at the Threat Response Joint Task Force, advised that “One thing is clear: Attackers are looking not just at technical levers to pull but human levers…” 2) These include tactics such as “Posting sensitive data about executives’ family members. Making prank calls to law enforcement...Snitching on organizations that don’t pay. Scouring stolen data for evidence of enterprise or employee wrongdoing.” 3) “Ultimately, threat actors are “increasingly comfortable” leaking…extremely sensitive data such as medical records (including those of children), blood test data and even nude images.” 4) “Also…they are using phone calls and swatting — that is, making fake calls alleging violence or open shooters at a certain address. This has resulted in at least one death and serious injury.” 5) “In another shift, attackers are now not just locking up data or carrying out a denial of service attack, ‘They’re stealing the data and now they’re looking into it to see what they can find,’ said Budd. For instance, many claim they assess stolen data for evidence of illegal activity, regulatory noncompliance and financial misdoings or discrepancies.” 6) “(A)ttackers also turn the tables on target organizations by reporting them to police or regulatory bodies when they don’t pay up… ‘It may seem somewhat ironic that threat actors are weaponizing legislation to achieve their own illegal objectives,” (Sophos)X-Ops researchers write, “and the extent to which this tactic has been successful is unclear.” 7) “To make themselves appear grassroots or altruistic — and apply further pressure — some cybercriminals are also encouraging victims whose personally identifiable information…has been leaked to ‘partake in litigation’…attackers will name specific individuals and executives that they claim are ‘responsible for data leakage.’ Sophos X-Ops researchers point out that this can serve as a ‘lightning rod’ for blame; cause reputational damage; and ‘menace and intimidate’ leadership.” Dave’s take: The aggressive new tactics of cybercriminals should be on everyone’s radar screen. Who knew that cybergangs had started putting out press releases and giving detailed interviews to unleash reputational damage and criminal investigations in order to shake companies down? The fact that attackers might identify actual bad actors within an company to blackmail the organization really ought to emphasize the need not only for tighter cybersecurity, but also for more robust compliance measures to weed out such vulnerabilities in the first place. https://lnkd.in/gmkKQCQ6

Lehigh Valley Health Network agreed to pay a $65 million settlement after nude photos of patients surfaced on the dark web following a cybersecurity incident. As hackers penetrate American health-care firms with alarming regularity, the episode reveals how cyberthieves are exploiting uniquely sensitive data — with devastating human and financial consequences. Though medical information has long made health care providers a target for ransomware groups due to its private and sensitive nature, this settlement likely will result in increased attacks against the health care industry. Following a cybersecurity incident, Lehigh Valley elected not to pay the $5 million ransom to BlackCat/ALPHV — a highly pernicious ransomware group that was responsible for the MGM Casino and Resort breach. Though the decision whether to pay a ransom varies significantly in each incident, it generally comes down to a question of financial risk: Will paying the ransom offset the risk by more than the ransom amount? In the case of personally identifiable information, such as social security numbers, and protected health information, the answer is generally no. This is because a class action lawsuit is almost guaranteed where the number of individuals impacted is greater than 1,000 — and that is the case whether the ransom is paid or not. State laws and federal regulations require notifications to individuals, state attorneys general, and regulators in the event of a breach that affects a certain number of individuals. These breaches are publicly displayed on state attorneys general and regulators’ websites. Plaintiff’s law firms scape these sites, solicit class members, and file suit as quickly as possible — often using the same complaint over and over again. Data breach class action lawsuits rarely go to trial and often settle for several hundred thousand to several million dollars. As a result, paying a ransom is economically impractical when personal information or protected health information is impacted. (Note: This calculus changes significantly when trade secrets or confidential business information is involved). However — the Lehigh Valley settlement just changed this calculus. Now, ransomware actors are going to be on the hunt for .png, .jpeg, .mp4 and other image and video files stored on health care networks. If they find nude images or videos of patients, their bargaining chip exponentially increases in value. When compared with a $65 million settlement, a $5 million ransom looks much more appealing — and that is what the ransomware groups are counting on. Facing a cybersecurity incident? Reach out to Buchanan's team of experienced cyber lawyers: cyber@bipc.com. #cyber #cybersecurity #cyberlaw #ransomware Buchanan Ingersoll & Rooney PC barricade cyber solutions Kivu Consulting Inc IronGate Cybersecurity LLC Kroll Trend Micro Asceris Surefire Cyber Inc. AmTrust Financial Services, Inc. Coalition, Inc. Beazley Crum & Forster

#Ransomware decision making involves multiple variables, ranging from the purely financial to personal emotional impacts. Organizations are best armed if they have a plan and practice executing it.

CDK Global reportedly paid 25 million USD to resolve a #ransomware attack in July. In March, Change Healthcare had reportedly paid 22 million USD to Blackcat. The Sophos paper attached was widely cited since publication in April, and gives an overview of the rising cost of ransomware. From a law enforcement perspective, it is never a good idea to pay the ransomware. This encourages future attacks. The ransomware funds future attacks. And there is no way to ensure that the attackers will commit to returning the ransomed data, or not ask for more money. Companies still make the decision to pay after mulling the following considerations: 1- Is paying the ransomware illegal in the company's jurisdiction? It is not explicitly illegal in the US, but might be in other jurisdictions especially when related to acts of terrorism or foreign espionage. 2-What are the reputational and operational costs to the company if the data is lost or leaked? 3-Does the company have a comprehensive data backup plan and is the data sufficiently encrypted to safeguard against leaks, so that it doesn't need to pay the attackers? 4-Is it possible that someone on the inside is assisting the hackers, and could inform them in real time of the company's intentions and communications with law enforcement? 5- Has the company taken out a cyber insurance policy? Would the payout be sufficient? Will paying the ransom affect future premiums? #financialcrime #sanctions

🚨 Rhode Island's Health Benefits System Breached by Cybercriminals 🚨 Rhode Island's online health benefits platform, RIBridges, has suffered a significant cyberattack, leading to the exposure of personal data for potentially hundreds of thousands of residents. Key Details: Compromised Information: Personal data, including names, addresses, Social Security numbers, and banking details, may have been accessed. Affected Programs: Users of state assistance programs such as SNAP, Temporary Assistance for Needy Families, and healthcare services via HealthSource RI are among those impacted. System Shutdown: In response, the state has temporarily taken RIBridges offline, transitioning to paper applications to ensure continuity of services. State Response: Governor Daniel McKee has announced that affected individuals will receive notifications with guidance on safeguarding their data and bank accounts. This incident underscores the critical importance of robust cybersecurity measures in protecting sensitive personal information within state-run digital platforms. Read the full article here: https://lnkd.in/eAnkiJcw #CyberSecurity #DataBreach #RhodeIsland #HealthServices #DataProtection #InformationSecurity #TechNews #CyberAwareness

No company wants to be in a headline like this. One purpose of BreachBits is to provide the Hacker's Perspective to you, so you can avoid the collateral damage of a data breach. We provide this, in order to predict where breaches are most likely to occur and their impact to you - the way a hacker sees you. Using hacker tradecraft, we'll ethically and responsibly test & validate your security controls, tell you if you were successfully breached, and give you a risk score to action upon. There's no technology more accurate in doing so. It's also fully automated 🤖 If you can predict a breach, you can avoid a breach. 😎 https://lnkd.in/egvcSgQJ

To pay or not to pay? Here are some insights into how some organisations are responding to Ransomware.

"10 𝒃𝒊𝒍𝒍𝒊𝒐𝒏 𝒔𝒕𝒐𝒍𝒆𝒏 𝒑𝒂𝒔𝒔𝒘𝒐𝒓𝒅𝒔 𝒔𝒉𝒂𝒓𝒆𝒅 𝒐𝒏𝒍𝒊𝒏𝒆 𝒊𝒏 𝒓𝒆𝒄𝒐𝒓𝒅-𝒃𝒓𝒆𝒂𝒌𝒊𝒏𝒈 𝒍𝒆𝒂𝒌." Top headliner posted on yesterday’s edition of GarysGuide - Gary Su which caught my eye instantly. 9,948,575,739 leaked passwords to be exact, and this will continue to "contribute to a cascade of data breaches, financial frauds, and identity thefts." As we start scrambling to come up with new passwords (ones which we can hopefully remember) to replace potential leaked ones, that's one stark reminder why we really need to move forward to a password-less future. identi.ly #cybersecurity #dataprotection #passwordless #databreach #rockyou2024 https://lnkd.in/gDX-p8eK