Ransomware attacks remain among the most common attack methods. As recent analyses show, cyber gangs are increasingly threatening their victims with reporting violations of regulations such as the GDPR to supervisory authorities.
Researchers at the security provider Akamai have observed an increasing trend in this tactic over the past two years. As an example, the security vendor points to ransomware group Anubis. Its members reportedly focus primarily on industries with high compliance risks, such as healthcare. The notorious Ransomhub gang also allegedly employs this method, explicitly encouraging its partners to threaten hacked companies with regulatory penalties.
Consequences for companies
“This puts companies under a double pressure that is almost impossible to manage,” Klaus Hild, manager of solution engineering for enterprise at SailPoint, explained to CSO. They have to weigh the risk of paying ransoms against potentially ruinous penalties and reputational damage. “This ‘compliance extortion’ is no longer a theoretical threat — it has become standard practice for ransomware cartels,” Hild added.
Tim Berghoff, security evangelist at G DATA, confirmed to CSO that while this approach is technically just an extension of the “industry-standard” double extortion, it can have massive consequences. “Even if a complaint turns out to be unfounded, official investigations generate attention, tie up resources, and potentially become public,” he said.
AI amplifies attacks
Hild points to another problem: “AI-powered tools dramatically accelerate these attacks. Criminals can now screen stolen documents for ‘material’ compliance violations within hours of a data breach — faster and more accurately than many companies can audit their own systems.”
The SailPoint specialist explains: “They create detailed, legally sound complaints for authorities and set tight deadlines. With new regulations like DORA in the EU and stricter SEC reporting requirements, the arsenal of these extortionists is constantly growing.”
Berghoff summarizes: “The question remains which has the less severe consequences for companies: a self-report, or an anonymous report to the relevant authority by a group of criminals. Since there is still a great deal of uncertainty surrounding compliance in some areas, threats involving authorities potentially fall on fertile ground.”