Ransomware, the biggest threat of 2020: how it has evolved and how to respond to this attack (available in English only)
Date: 19 January 2021
Organisation: Thales Group
Latest development of ransomware attacks
Ransomware continues to cause havoc at organisations of all sizes, including enterprises, financial institutions and healthcare providers that handle sensitive data. In fact, it topped the security alerts and reports in 2020, ahead of business email compromise and unauthorised access, according to figures released by Kroll in October 2020 [1]. The prevailing approaches for mitigating ransomware attacks have focused on prevention, user awareness, user access rights, detecting indicators of compromise, backup and restore, and incident response [2]. These measures remain effective and necessary against crypto-ransomware, but they are not sufficient to thwart the latest "data extortion tactic" (also called "double extortion"), which has caused more severe damage to victims in a succession of attacks.
What is the "data extortion tactic" [3]?
By the time attackers are able to plant ransomware on the victim's computers, they have effectively taken control of the victim's systems. Instead of just encrypting the files and waiting for payment of the ransom to release the decryption key, the attackers also exfiltrate the data and threaten to publish it, either as further leverage to make the victim pay the ransom, or to extort more money from the victim. The implication for these victims is not just data loss, but the more damaging consequences arising from the legal implications of personal data breaches, reputational damage, leakage of sensitive business information, and so on. Readers should note that the mitigation strategy of restoring data from backup does not neutralise this threat completely: restoring from backup recovers availability, but the attackers still hold a copy of the stolen information and can post it on the Internet.
What should be done to mitigate the latest ransomware attack?
There is no doubt that prevention, detection and incident response remain important in preparing organisations to mitigate ransomware attacks. An extension of these measures is to implement "Security and Privacy by Design", which ensures that privacy and data protection features are integrated at the design phase and then maintained throughout the lifecycle. Here, organisations should implement a holistic data protection platform (i.e. not a multitude of point solutions) that allows security protection to be applied and maintained seamlessly with minimal interruption to users' daily operations. Such a platform should encompass:
- Data discovery and classification: allows the organisation and its stakeholders to understand the "what" and "where" of their sensitive data, so that appropriate measures such as ownership, encryption, tokenisation, access control, removal, etc. can be applied to the data in question;
- Data encryption and tokenisation: these are the two technical measures prominently mentioned under the General Data Protection Regulation (GDPR), whose Article 32 names pseudonymisation (of which tokenisation is one form) and encryption. Their use to protect sensitive data in financial applications (such as Payment Card Industry (PCI) cardholder data) and healthcare (to prevent leakage of Personally Identifiable Information (PII)) is well understood and widely practised. They should be applied to all sensitive data, if not all data. This is the critical part of the proposed mitigation strategy for extortion-style ransomware attacks: once the data is encrypted or tokenised, an exfiltrated copy is of no value to the attacker even if it is made publicly available. The caveat is that this holds only if the keys or the token vault are held separately from the systems the attacker has compromised; data that the compromised host can decrypt or detokenise at will gives no protection against exfiltration;
- Access control: fine-grained access should be set up for authorised users only, so that the right assets become available only to the right person, at the right time, from the right location, and for the right purpose.
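The following is an added example, not code from the original article or from Thales, that illustrates the three platform elements above in miniature: discovery of card numbers and email addresses in free-text records (with a Luhn check so that an order number that merely looks like a card is not classified as PCI data), vault-style tokenisation so that the stored records carry no PAN or email address, and role-gated detokenisation as a simple access control. The record lines are constructed for the example, the card numbers are standard test PANs, and the role names are assumptions.

```python
from __future__ import annotations
import re
import secrets

# Constructed sample records (not real customer data); the PANs are public test numbers.
SAMPLE_RECORDS = [
    "ticket 1: card 4111 1111 1111 1111 declined, contact alice@example.com",
    "ticket 2: shipping note, no payment data here",
    "ticket 3: refund to 5555555555554444 requested by bob@example.org",
    "ticket 4: order id 1234567812345678 is not a card",
]

# 14 to 19 digits, optionally separated by spaces or hyphens; a simple email pattern.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out look-alike numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def discover(record: str) -> list[tuple[str, str]]:
    """Return (classification, matched text) pairs for sensitive data in one record."""
    found = []
    for m in PAN_RE.finditer(record):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # "1234567812345678" fails Luhn and is not reported
            found.append(("PCI", m.group()))
    for m in EMAIL_RE.finditer(record):
        found.append(("PII", m.group()))
    return found


class TokenVault:
    """Holds the token -> plaintext mapping. Only the vault can reverse a token,
    so records stored elsewhere are worthless to an attacker who exfiltrates them."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenise(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(8)  # random, not derived from the value
        self._store[token] = value
        return token

    def detokenise(self, token: str, role: str) -> str:
        # Assumed roles: "finance" sees the full value, "support" sees a masked value.
        value = self._store[token]
        if role == "finance":
            return value
        if role == "support":
            return "*" * (len(value) - 4) + value[-4:]
        raise PermissionError(f"role {role!r} is not allowed to detokenise")


def protect(record: str, vault: TokenVault) -> str:
    """Replace every discovered sensitive value in a record with a vault token."""
    out = record
    for _, text in discover(record):
        out = out.replace(text, vault.tokenise(text))
    return out


if __name__ == "__main__":
    vault = TokenVault()
    for rec in SAMPLE_RECORDS:
        print(discover(rec), "->", protect(rec, vault))
```

In a real deployment the vault (or the encryption keys) would run as a separate, hardened service, ideally backed by an HSM or key management service, and the application host would hold only the tokens; that separation is what makes an exfiltrated database unusable for extortion.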
Getting help from professionals
It is important for enterprises and government agencies to recognise the sophistication, prevalence and impact of ransomware attacks. These attackers are no longer amateurs or script kiddies. Instead, they are usually well-funded cybercriminals whose motive is financial gain and, in some cases, the intention to cause maximum reputational, legal and operational damage to the victims. Readers are recommended to obtain the latest knowledge on ransomware and other cyber attacks from renowned sources such as the Cyber Security Information Portal (www.cybersecurity.hk), HKCERT (www.hkcert.org), ISACA (www.isaca.org), SANS (www.sans.org), etc. Readers are also welcome to share further insights on the subject with the authors.
[1] Kroll, "Kroll Ransomware Attack Trends – 2020 YTD", 6 October 2020.
[2] Welland Chu, "Ransomware: from prevention to mitigation", 27 June 2016.
[3] Alex Scroxton, ComputerWeekly, "'Name-and-shame' ransomware attacks increasing in prevalence", 14 July 2020.