Implementation of Act 25 in Quebec

Implementation of Act 25 in Quebec: welcome to the hacking jungle and the world of quadruple extortion

One of the paradoxes of cybersecurity is that hackers love to operate in places where there are laws governing cybersecurity. The stricter the laws, the happier the hackers are. Quebec will be no exception with the implementation of Act 25 on the protection of personal information.

In this article, we will see what to expect (hackers' reaction) following the implementation of Act 25 on the protection of personal information in Quebec.

Why is the implementation of a new cybersecurity law a boon for hackers?

Hackers are constantly looking for leverage to increase their chances of getting paid when they infect a network with ransomware. The law is one of the ways they especially like to do this because organizations fear legal penalties. Some will prefer to pay the hacker a ransom rather than face the law.

Phishing attempts, new charlatans and outlandish intrusions

Organizations will receive phishing emails claiming that personal information in their possession has been stolen or exfiltrated. The perpetrators of these malicious activities will exaggerate the amount of exfiltrated data and threaten to notify the government unless the victim pays a ransom. Deterrent? Understandably, no one likes dealing with the government!

Solution: Never give in to such blackmail. Ask the hacker to provide you with proof that he actually holds your data and you will see that he will quickly disappear.

Entering the world of quadruple ransomware extortion

Hackers distributing ransomware must be rubbing their hands together because they just got a 4th string to their bow in Quebec with Act 25 (quadruple extortion).

  • 1st extortion attempt: an organization victim of ransomware has no backups that can be restored. The hacker demands a ransom payment to allow the organization to access the encrypted data. Some organizations pay the ransom to avoid prolonged or total downtime.
  • 2nd extortion attempt: the victim organization refuses to pay the ransom (for various reasons) and the hacker threatens to publish the encrypted data in order to increase the pressure level on the victim. Some victim organizations give in under pressure out of shame or to avoid public exposure of the hacking.
  • 3rd extortion attempt: if, after the second extortion attempt, the victim still does not give in, the hacker contacts the real owners of the data (e.g. partners of the victim organization or citizens whose data has been stolen) directly and asks them to make a payment in order to avoid having their data published.
  • 4th extortion attempt: if these previous attempts fail, the hacker threatens to contact the government to report the incident. This is a deterrent and some organizations may give in to the pressure.

Solution: again, some hackers will claim to have access to your data when this is not the case. You should always ask the hacker to prove that he has your data. Ask him to provide you with at least 3 files containing your data and remain adamant. If he's bluffing, you'll know it quickly.

Of course, it is never a good idea to pay a ransom because the hacker can come back at any time. The best thing to do is to report the incident to the provincial or federal authorities.

How to minimize the risk of being hacked?

Here are our top recommendations for minimizing the risk of getting hacked:

  • Educate your users about cybersecurity risks
  • Strengthen your network security (strong passwords, MFA, server hardening, network segmentation, etc.)
  • Deploy intrusion detection (IDS/IPS/NDR) and endpoint protection (antivirus, EDR) technologies
  • Manage your network security vulnerabilities
  • Monitor your network security 24/7 to quickly identify malicious activity targeting you and stop it before it becomes an incident.

How can Streamscan help you?

Cyberattacks are constantly on the rise. Without continuous security monitoring, you have no visibility into what attacks are targeting you. You can't protect yourself from what you can't see.

Let us put our eyes on your network. Join our MDR managed monitoring platform powered by our CDS cyber threat detection technology and keep yourself safe from cyberattacks.

Contact us at +1 877 208-9040 or talk to one of our experts.
