The EU’s General Data Protection Regulation (GDPR) is being leveraged by a new ransomware group to pressure victims into paying up. This is apparently because the fine they stand to incur for a reported data breach will cost them more than the criminals are asking for.
Appropriately called Ransomed, the group was first spotted by cybersecurity analyst and blogger Flashpoint on August 15th. It comes complete with the usual dedicated Telegram channel and also sports a “ransomed” domain name for what appears to be a flagship website.
What isn’t usual about Ransomed is its novel use of GDPR to pressure victims into paying up once it has carried out a data breach.
“Ransomed is leveraging an extortion tactic that has not been observed before — according to communications from the group, they use data protection laws like the EU’s GDPR to threaten victims with fines if they do not pay the ransom,” said Flashpoint. “This tactic marks a departure from typical extortionist operations by twisting protective laws against victims to justify their illegal attacks.”
Flashpoint adds that it believes Ransomed’s strategy is probably to set ransom payment demands lower than the cost of incurring a fine for a data security violation to increase the chances of a victim paying up.
If this is the case, it will prove an unwelcome development for legislators keen to protect the public’s data by imposing strict requirements on companies entrusted with protecting it.
Fines for GDPR infringements range from the low hundreds to the multi-millions — Meta was slapped with a record-breaking $1.3 billion penalty in May, although, as it turns out, most, if not all, of that money will stay in Ireland, where the company’s EU operations are headquartered.
As such, Ransomed’s choice of ‘negotiating’ tactics may not seem as kooky-crazy as it first appears: Flashpoint says the group’s disclosed demands to victims to date range from €50,000 ($55,000) to €200,000.
Another departure noted by Flashpoint is Ransomed’s willingness to list two cryptocurrency wallets for Bitcoin payments.
“Typically, threat actors do not make their wallet addresses public, instead sharing them directly with victims via a ransom note or negotiations portal,” it said. “These unconventional choices have set Ransomed apart from other ransomware operations, although it is still unproven if their tactics will be successful.”
Indeed, Flashpoint believes it is too early to say whether Ransomed, which it has linked to the embattled cybercriminal platform BreachForums, will prove to be anything like an advanced persistent threat.
“On one victim page, a screenshot was included to prove that the company had been compromised,” said Flashpoint. “However, other than the threat actor’s claim, there is no evidence that the listed company was compromised. It has not been confirmed that the threat actor’s screenshot and claims are reliable.”