EU GDPR Used To Extort Ransomware Victims


The EU’s General Data Protection Regulation (GDPR) is being used by a new ransomware group to pressure victims into paying: the fine a victim would face for a reported data breach would cost more than the sum the criminals are demanding.

The group is called “Ransomed” and was first spotted in August by the cybersecurity analyst Flashpoint. It has a Telegram channel and a “ransomed” domain name for a flagship website. The unique nature of the group comes from its use of GDPR to pressure victims into paying once it has carried out a data breach.

Flashpoint explains: “Ransomed is leveraging an extortion tactic that has not been observed before… This tactic marks a departure from typical extortionist operations by twisting protective laws against victims to justify their illegal attacks.”

Flashpoint adds that Ransomed’s strategy is probably to set its ransom demands below the cost of a fine for a data security violation, thereby increasing the chances that a victim will pay up.

According to Cybernews, fines for GDPR infringements range from the low hundreds to many millions of euros. This makes Ransomed’s choice of ‘negotiating’ tactic seem more logical than it first appears, and Flashpoint claims that the group’s disclosed demands to date range from €50,000 to €200,000 per victim.

Another unusual move by the ransomware group is its willingness to list two cryptocurrency wallets for Bitcoin payments, whereas typical threat actors never make their wallet addresses public.

Flashpoint states it is too early to say whether Ransomed, which they have linked to the embattled cybercriminal platform BreachForums, will prove to be anything like an advanced persistent threat.