Law 25 in Quebec: will it make cyberattacks worse?

Cybercriminals are looking for any argument to get you to pay the ransoms. Remember to never pay a ransom . But above all, avoid asking yourself this question by adequately protecting personal data.

Cybercriminals are organized like businesses. Recruitment, training, team involvement, support and above all, strategy and business model.

Law 25, with its penalties, provides additional arguments for them. Some IT providers are using the regulatory change to sell solutions that are not always useful for protecting personal data (firewalls, antivirus, etc.). Imagine the opportunity for cybercriminals: steal your personal data, then threaten to publish it, offering you a choice: pay a small ransom or end up in court with a large fine?

Here’s a fictional interview I could have with Nyx Cipher, the leader of a cybercriminal organization about this.

Eponine: You are an international organization, how does the rising cost of living impact your operations?

Nyx Cipher: This is major for us, the ransom payment rate is plummeting. Our revenues are down and our teams are asking for raises. In addition, people have good backups now, and no longer want to pay when their operations are held hostage. And there’s a lot of competition from smaller players, it’s quite easy and very profitable to deploy ransomware.

Eponine: The drop in ransom payments is also linked to the increase in the level of preparation of companies?

Nyx Cipher: Yes and no, it’s true that many companies implement data backup strategies, but with double extortion, usually we get payment. The problem is that some companies just don’t want to pay, the theft of data and the blocking of their operations does not seem to be a problem for them . We take the time to hack their system, it takes weeks, but in the end they don’t want to pay.

Eponine: Tell me a little more about this double extortion

Nyx Cipher: It’s simple, before encrypting and destroying their data, we copy as much of it as possible on our servers. So, in addition to blocking the systems we can threaten to sell the data on the Dark Web or communicate it. It works well in general, especially when it comes to health or sensitive data about people.

In fact, it is long and complicated to encrypt all of our victims’ data. So, when we know there are backups, we don’t even do it anymore. We use intimidation techniques which are more effective in obtaining prompt payments.

Eponine: Yes, but there is a problem of trust, you are cybercriminals, even if I pay a ransom, I have no guarantee that you will not publish my data.

Nyx Cipher: It’s true that there are dishonest people in the profession, but we work hard to establish trust. Cybercrime is part of the global economic ecosystem now, in 2023 we will represent 8 trillion dollars. We are the third largest economy after the United States and China. It’s illegal, but it’s a major contribution, we employ people all over the world.

Eponine: So for you, ensure your victims trust you, it’s important?

Nyx Cipher: In my business model, for you to pay the ransom, you have to trust that I will not share your data. We are currently working on it. We have robust processes in place, but few people trust us. This is where we could rely on regulations like GDPR or Law 25 in Quebec.

Eponine: How can these laws, which serve to better protect personal data, help a cybercriminal group like yours?

Nyx Cipher: It’s quite simple, small businesses are afraid and don’t understand what to do. We have studied these laws. Our model is to offer not to share data, in return for a payment lower than the Court sanctions. Many of these companies pay because they have no other option. They don’t have the expertise or the time to take care of it. Additionally, they rarely have backups, so our traditional double extortion approach works very well. I am impatiently awaiting the arrival of the first fines in Quebec.

Eponine: What would be your worst scenario in this business model?

Nyx Cipher: There are two things that can go wrong for us as cybercriminals. First, that companies adequately protect data. If I can’t easily access the data, because their passwords are strong , there is double authentication , and everything is up to date , it becomes difficult and less profitable. Then, with the data retention requirements, a problem would be that companies decide to have less personal data in their systems, the fines would be lower and it becomes less interesting for us.

But I’m confident, people are naive, they think it only happens to other people. By not taking basic precautions, it’s very easy for my teams!

Don’t be their next victim. It’s easy to protect data when you know how. Start now with our program to comply with Law 25 .

Image by Russell Clark from Pixabay