Brazil is facing a surge of ransomware attacks, a digital threat that blocks access to information stored in a system by scrambling the data and demanding a payment to unlock it.
Attacks by the so-called “ransom virus”, as it is also known, reached a record in the first half of 2021 worldwide. Brazil is the 5th biggest target of this threat, with 9 million attempted attacks, according to a report by the cybersecurity company SonicWall.
At the heart of this are people’s personal, financial and health data, which raises concerns about privacy and possible scams.
According to experts interviewed by g1, Brazil still needs to mature its security and investigation protocols for these cases – which often involve international digital gangs.
While attacks are rife, information released by victim companies is sparse – they rarely confirm that they have been attacked by ransomware.
See below questions and answers about this scenario:
- How does the company know it was a victim?
- Do companies need to make any notifications about the attack?
- How do you know if the data has been leaked or not?
- Who investigates all this?
- Should the data protection authority punish companies that are victims of ransomware?
- What to do to protect yourself?
1. How does the company know it was a victim?
When there is a ransomware-type attack, the company’s operations usually stop. This is because the virus “locks” system information and prevents access to it.
Criminals then demand payment of a ransom to deliver a password that unlocks the data.
That’s what happened to JBS, the world’s largest meat processor, the target of an attack of this type that disrupted its operations in Australia, Canada and the United States. The company said it had paid $11 million in ransom to the hackers.
There are also other forms of extortion:
Extortion after a ransomware attack — Photo: Daniel Ivanaskas/Arte g1
2. Do companies need to make any notifications about the attack?
The General Data Protection Law (LGPD), which imposed rules on the use of Brazilians’ personal data, does not make it clear.
It states that companies must notify their customers and the National Data Protection Authority (ANPD) about “the occurrence of a security incident that may cause relevant risk or damage to the holders”.
The law does not clearly say who is responsible for this assessment, nor what characterizes “relevant risk or damage”. Today, the analysis is carried out by the company that was the victim.
According to digital law expert Patricia Peck, partner at Peck Advogados, if the company determines that the hacker only “locked” the data within the organization’s own server and did not copy information to external environments, it would not need to notify anyone – neither the customers nor the ANPD.
For her, this scenario is not ideal. The lawyer proposes a debate on ways to attest to the safety of the public after an attack.
“Is a company’s own statement enough to restore confidence? If the company had a seal there, a technical note about it would bring peace of mind to everyone, including the organization itself,” she says.
Paulo Rená, law professor at UniCEUB and researcher at the Digital Culture and Democracy group, defends that companies should immediately communicate to ANPD and the people who had their data affected.
“Normally, companies have a pattern of avoiding referring to the problem, avoiding assuming that the problem happened so as not to reduce their credibility with their customers. But the LGPD brings another logic, that transparency is a commitment”, he says.
In early September, g1 asked ANPD what it considers “relevant risk or damage” and what its procedures are for evaluating ransomware cases, but had not received a response as of the last update of this report.
3. Many companies understand that there is no harm in claiming that their databases are “healthy”. How do they know if the data has been leaked or not?
In the digital world, it’s hard not to leave a trail, although a cybercriminal’s intention is to be as discreet as possible.
According to Daniel Bortolazo, systems engineering manager at the cybersecurity company Palo Alto Networks, databases are often very large and, if a hacker transfers the information, the company may detect a spike in network usage. When there is no such sign, it indicates that there was no leak.
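As an added illustration of the network-usage check Bortolazo describes (example code written for this page, not from the article or from Palo Alto Networks): it flags hours whose outbound volume is far above the median of the other hours in a set of flow records, and lists where the flagged traffic went. The flow records, the addresses and the internal address ranges are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample flow records (hour, destination IP, bytes out) for a
# database server, in the shape a firewall or NetFlow export would give.
# Hours 00-07 carry routine replication traffic to an internal host.
BASELINE_MB = [110, 95, 120, 130, 105, 140, 125, 115]
FLOWS = [(f"2021-09-01T{h:02d}", "10.0.0.5", mb * 1_000_000)
         for h, mb in enumerate(BASELINE_MB)]
# One hour also shows 38 GB sent outside the company (constructed).
FLOWS.append(("2021-09-01T03", "203.0.113.7", 38_000_000_000))

# Ranges the hypothetical company treats as internal (RFC 1918).
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def hourly_egress(flows):
    """Total outbound bytes per hour across all destinations."""
    totals = defaultdict(int)
    for hour, _dst, nbytes in flows:
        totals[hour] += nbytes
    return dict(totals)

def egress_spikes(flows, factor=5.0):
    """Hours whose outbound volume exceeds `factor` times the median hourly
    volume. The median is the baseline because, unlike the mean, a single
    huge transfer barely moves it."""
    per_hour = hourly_egress(flows)
    baseline = median(per_hour.values())
    return [(hour, total) for hour, total in sorted(per_hour.items())
            if total > factor * baseline]

def is_external(dst):
    """True when the destination lies outside the internal ranges."""
    addr = ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETS)

def destinations_for_hour(flows, hour):
    """Destinations in one hour, largest first, each tagged as external
    or internal, so the analyst sees where the spike went."""
    per_dst = defaultdict(int)
    for h, dst, nbytes in flows:
        if h == hour:
            per_dst[dst] += nbytes
    return [(dst, total, is_external(dst))
            for dst, total in sorted(per_dst.items(), key=lambda kv: -kv[1])]
```

A baseline built from the same day can be fooled by a slow, steady transfer spread over many hours, so in practice the median would come from a longer history of normal days.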
There are also services provided by specialized companies that scan the internet and the deep web in search of leaked data.
According to Eduardo Batista, a partner at the consulting and auditing firm PwC, the first step in analyzing a company that has been the victim of a cyber attack is to preserve the affected environment, in order to have a kind of photograph that helps identify the vulnerabilities that may have been exploited.
After diagnosing how the attack was carried out, the audit checks records of actions taken on the system.
The history can tell if there was a data transfer, if the transfer volume was large and if the cybercriminals took another action to remain with access to the system, for example.
To say that the bases are “healthy”, companies compare their data with a backup and determine if the information has changed.
“When the company claims that databases were not accessed, it is because the records present facts and evidence that prove that that incident did not reach the databases. Otherwise, we cannot make that statement,” said Batista.
4. Who investigates all this?
Companies that suffer ransomware attacks are victims of the crime of extortion and should go to the police, according to the experts interviewed by g1. ANPD, in turn, must investigate possible leaks and damage to citizens.
“The company can file the complaint at a cybercrime police station. This could escalate to an investigation by the Federal Police, if the activity of a gang that attacks on an interstate or international level is demonstrated”, highlights Patricia.
These investigations in Brazil can improve, according to the lawyer. For her, “we are not prepared and able to combat this type of threat”, which often requires international cooperation to catch criminals.
Ideally, for the experts interviewed, there would be cooperation between several national bodies with different attributions to combat the problem.
According to lawyer Paulo Rená, ANPD can investigate cases of ransomware attacks together with the Public Prosecutor’s Office (Ministério Público).
“We cannot anticipate the dynamics, in practice, for cases of incidents, but, without a doubt, there are attributions that add up, they are not necessarily concurrent”, he explains.
Daniel Bortolazo, from Palo Alto Networks, points out that some of the digital gangs sell ransomware as a service, renting the virus to other hackers to do the extortion, usually charged in cryptocurrencies.
This scenario makes it difficult to contain the threat, which has gained many “arms” to attack around the world.
Claudio Baumann, director general of the provider Akamai in Latin America, says that cryptocurrencies are not related to criminal activity per se, but allowed cybercriminals to work on bolder actions and ask for higher ransoms.
In one of the recent and emblematic cases, JBS was the target of an attack and had to stop some of its operations in Australia, Canada and the United States. The FBI has been called in to investigate this incident and pointed out that the group REvil (aka Sodinokibi) was responsible.
Most of its members are believed to reside in Russia or in countries that were part of the former Soviet Union, and US authorities have yet to capture them.
The presidents of the United States and Russia discussed the issue of digital security at their first meeting – and the US has already signaled that it will pressure the European country to fight the digital gangs that operate there.
5. Should the data protection authority punish companies that are victims of ransomware?
ANPD can punish companies that were victims of ransomware, had their data stolen and then leaked by criminals. This is because the law says companies must follow minimum technical security measures. The problem is that this standard has not yet been defined.
Without these definitions on the part of the authority, it would be difficult to punish any company on the grounds that it did not comply with basic security requirements.
“This is not just for the private sector, it applies to the public sector as well. If we go to public websites today, will they have a secure password standard?”, asks lawyer Patricia Peck.
The law provides that companies are subject to fines of up to 2% of their revenue, limited to R$ 50 million per infringement – the amount is not used to indemnify customers and goes to a fund that finances projects aimed at repairing damage to consumers, the environment, property and others.
Sanctions can also involve warning, blocking of personal data to which the infringement refers and prohibition of the company to carry out activities related to data processing.
However, the authority’s role will be “educational”, at least for the next few months, precisely because the authority has not yet regulated several parts of the law.
There is also the fact that ANPD has a relatively small team, with 36 positions, which is not expected to play a proactive inspection role.
According to Rená, in addition to the reduced team, another factor that restricts ANPD’s activities is the fact that it is not an agency with its own budget.
“It is in the Executive power structure, so this also ends up limiting it a little. It is not a regulatory agency with the freedom of Anatel or Aneel”, he says.
6. What to do to protect yourself?
According to Claudio Baumann, from Akamai, companies need to adopt a security policy focused on incident prevention. The initiative involves training employees to know how to protect themselves and identifying all the data controlled by the company.
“Since security is a process, the important thing is to get started. It is not overnight that a company will be protected, but it is important to start, understand what are the points of vulnerability and keep evolving in that”, he says.
Daniel Bortolazo, from Palo Alto Networks, highlighted the importance of companies creating an action plan and simulating cases like ransomware, so that they are prepared at the moment of a real attack.
There are no completely secure and attack-proof systems, but there are measures that can be taken to mitigate risks, whether on private devices or within companies.
Tips for people and companies:
- keep systems and programs up to date – attacks exploit vulnerabilities that are being discovered and fixed;
- use two-factor authentication – it makes it harder for hackers to access your accounts;
- have data backed up;
- beware of fake emails and websites – phishing, when a criminal tries to deceive a person with a convincing message, is one of the most common gateways for hackers;
- have an action plan – a step-by-step guide on how to act in cyber attack scenarios.