AP: More ransomware attacks than known so far

"Ransomware attacks are a dangerous trend, they make serious victims," explained AP Chairman Aleid Wolfsen. "Figures from the AP now show that this danger is even greater than thought. That should be a warning to everyone. Organizations in the Netherlands: don't become the next victim, make sure you have your digital security in order."

Millions of data 

In a ransomware attack, hackers digitally break into an organization. Using special software, they "hostage" files full of privacy-sensitive data. The hackers demand a ransom to make the files accessible again. They may also threaten to sell or even disclose the encrypted data to other criminals.

The AP sees that cybercriminals sometimes set their sights on one specific company in a particular industry. But they also regularly attack IT vendors who manage data on behalf of a whole range of companies from a variety of sectors. If such an attack succeeds, the hackers thus hit numerous organizations in one fell swoop - and with it, ultimately, the many people whose personal data are held by all those organizations.

Wolfsen: "The scale of a ransomware attack quickly increases exponentially, the damage multiplies at lightning speed. Don't underestimate it." 

In fact, one specific ransomware hack last year affected more than 200 organizations at once, with data from a total of as many as 2.5 million people in the Netherlands.

Tips for organizations

Wolfsen: "As an organization, you can suffer substantial financial damage. If your systems are held hostage, you literally cannot work. And as an individual, your privacy-sensitive data may be out in the open. That is why the AP has prepared this ransomware report: to warn, and to give organizations tips on how to make themselves less vulnerable to cyber attacks."

Duty to report to AP 

One estimate so far was that there were more than 140 ransomware attacks in the Netherlands last year. This figure comes from other agencies dealing with the issue. That the AP counts more ransomware attacks may be due to its role as regulator of the legal duty to report data breaches.

Wolfsen: "A data breach is when something goes wrong so that personal data can end up with the wrong people. With a ransomware attack, that chance is of course considerable. An affected organization must then report such a leak to the AP. In contrast, it is not always mandatory to report such an incident to other authorities. This explains why the AP has relatively strong visibility into the number of ransomware attacks in the Netherlands."

Further insights 

For the ransomware report, the AP asked affected organizations to cooperate in further investigation. A total of 90 organizations were investigated. The ransomware attacks in question involved datasets totaling many millions of pieces of personal information, ranging from emails and phone numbers to passport copies, bank account numbers and passwords.

Other AP conclusions:

• Most organizations did not have the basic security of their systems in place, allowing the hackers to make their move. These mainly include lack of multi-factor authentication, poor password policies and failure to update software in a timely manner.
  Also, sensitive data is still regularly stored on a single server instead of on different networks. This accumulation makes organizations vulnerable to cyber attacks.

The AP recognizes the trend of "double extortion" in ransomware. Hackers not only make data inaccessible by locking it, they also increasingly threaten to sell or publish the data if it is not paid for quickly. Of the organizations the AP spoke to, nearly half reported experiencing this double extortion.

The vast majority of organizations (82 out of 90) state that they have not paid a ransom to hackers. The AP is against such payments: they perpetuate a criminal revenue model and, moreover, are no guarantee that, as an organization, you will actually get your encrypted data back.