Emerging Defense
Will Your Employer Pay the Ransom For Your Personal Data?


Extortion Is Back.

Ransomware is making a major comeback.  The rise of this simple extortion tactic can be attributed to a single sad truth: almost everyone pays the ransom. While desktop ransomware dominates the headlines today, its quiet and sinister cousin, mobile ransomware, is increasingly targeting organizations and individuals.

Most mobile ransomware attempts to trick users into paying a fictitious fine, typically between $10 and $300.  The tactic is usually simple: pay, or the attacker reports a made-up (and usually embarrassing) charge to authorities for prosecution.  Ransomware authors are not bad businessmen, though. They tailor their simple attack (specifically, their prices) to what the market will bear.  This means that while attacks on individuals may demand only a few hundred dollars, attacks on corporations, with much bigger vaults and operational imperatives, will range in the tens of thousands.

More employees are using personal devices for work, and those devices carry high-profile vulnerabilities such as Stagefright and Pegasus.  As a result, it's not hard to imagine a scenario where personal data becomes collateral damage in mobile ransomware attacks targeted at large companies.

Who is the Ransom Hurting Most?

For BYOD users, the damage of opening ransomware on a personal device could expand well beyond corporate data, encrypting their entire phone, including personal contacts, messages, and photos.  Moreover, expensive corporate ransoms are well beyond the reach of individuals to pay; their only recourse is to petition their employer to pay to get their personal data back.

For IT professionals, 2017 could be a year of employees pressuring the business into paying ransoms for their personal data. If the business won't pay, it could be risking massive data breaches through its mobile ecosystem.

Jason Miller