When it comes to ransomware attacks, some data is more valuable to ransomware groups than other data. A new study from Rapid7, Weaknesses: Ransomware Data Disclosure Trends, provides information about what data ransomware groups value and how they use data to exert pressure.
Double extortion attacks have increased in recent years. Traditional ransomware attacks encrypt data on attacked systems to extort money from businesses and individuals. The increase in countermeasures, including the use of backups, has reduced the effectiveness of traditional ransomware attacks.
If data backups are available, companies could use them to restore data without having to pay a ransom. Without additional leverage, ransomware groups would find themselves empty-handed after the attack.
Double extortion attacks combine the encryption step with another step, which occurs before the data is encrypted. Groups analyze files and documents on the attacked network to steal data. Data is still held hostage, as it is encrypted in the second stage, but stolen data can be used as leverage in ransomware negotiations. Ransomware groups can threaten to leak the data to the public or sell it to interested parties. If the negotiations fail, the data can be sold on the dark web.
Ransomware studies are frequently published. We’ve covered two here on Ghacks in the last two months alone. The first confirms that ransomware attacks and ransom payments are increasing. The second, that the ransom payment is marginal compared to the overall costs of ransomware attacks.
Disclosure of ransomware data
Rapid7 analyzed 161 data disclosures between April 2020 and February 2022. Many ransomware attacks occur over the course of days, weeks, or even months. The time frame gives attackers time to collect and exfiltrate data from compromised networks before performing encryption tasks.
Some data is more valuable to ransomware groups than others. Data that can be leveraged, such as patient records, financial documents, or intellectual property files, is on average more valuable than other types of data that attackers can uncover in attacks.
The extracted data is used in various ways by ransomware groups. Besides the obvious uses for gaining even deeper access to the organization’s network, the exfiltrated data can also be leveraged, or sold on dark web marketplaces if ransomware negotiations fail.
The extra time attackers spend on a network gives organizations the opportunity to detect the compromise before the data is fully encrypted.
Ransomware data disclosures occur in two stages:
- Step 1: A sample of the stolen data is presented to the organization; this is done to enhance credibility and as leverage, as further data disclosures may prove detrimental to the organization. As a rule, the data is provided only to the organization, but it may also be published publicly on the Internet.
- Step 2: The data is sold or published, if negotiations with the victim were unsuccessful.
Rapid7 notes in the analysis that the data disclosures are indicators of general ransomware trends. Company researchers were able to determine the following based on the analysis of the 161 data disclosures:
- The most common types of data attackers disclosed.
- How data disclosures differ between industries and threat actor groups.
- Current ransomware market share among threat actors.
Datasets in Ransomware Data Disclosures
Not all data is equally important to organizations, and data disclosures can vary widely across industries. Customer and patient data in financial services attacks, financial and accounting information in healthcare and pharmaceutical attacks, and personal and HR information of employees in financial services featured the most.
Notably, intellectual property data was used in 43% of pharmaceutical disclosures. Across all industries, financial and accounting information was used the most, followed by customer and patient data, and employee PII and HR data.
Customer data disclosures dominated the financial services industry, followed by employee PII and HR data, and internal financial and accounting records. The focus on customer data suggests that customer data is often more valuable to ransomware groups than other types of data. Rapid7 suggests that the threat of customer data disclosure is often powerful, as it could affect the public perception of the organization.
Internal financial and accounting records were disclosed most often in the healthcare and pharmaceutical sectors, not the financial sector. Customer and patient data was disclosed in more than 50% of cases, but not as much as in financial services.
The high frequency with which customer and patient data appears in these disclosures suggests that attackers are aiming to exert greater pressure on victims with: a) the more serious legal and regulatory consequences of patient data breaches for hospitals and other healthcare providers and; b) the greater utility of more detailed and granular patient datasets to criminals for identity theft and other forms of fraud.
Disclosures from the pharmaceutical sector had a high frequency of IP records. Pharmaceutical companies “are highly dependent on large investments in intellectual property”, which makes this leaked data valuable to threat actors. Intellectual property disclosures were only included in 12% of disclosures across all samples.
Trends in threat actor groups
Threat actor groups use different strategies when it comes to double extortion attacks. Some of the differences can be explained by the data the attackers discovered during the attacks. If a certain type of data is not found or cannot be exfiltrated, other data may have been used as leverage instead.
The four main groups in the analysis used different types of data in the disclosures. Financial and account data was disclosed 100% of the time by the Darkside group, but only 30% of the time by Cl0p. Similarly, Darkside disclosed sales and marketing, employee PII and HR data 67% of the time, while the other groups disclosed them only 27% or 30% of the time.
Rapid7 recommendations and suggestions
More and more organizations are using backups to thwart traditional ransomware attacks. Backups help, but they aren’t 100% effective on their own when it comes to double extortion attacks. To counter double extortion attacks, Rapid7 suggests that organizations use file encryption, segment corporate networks, and render “all files unreadable to unauthorized eyes.”
The report can help organizations determine high-priority assets to better protect against potential ransomware attacks.
Organizations, finally, can also use the findings of the report in preparations to “anticipate the types of files are most likely to appear”.
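One way to act on the prioritization advice above, as an added example (not code from Rapid7 or the original article): a Python inventory that tags files on a share with the data categories named in the report and lists first those still readable by any local user. The keyword lists, function names and sample tree are constructed assumptions, and filename matching is a heuristic starting point rather than content inspection.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Data categories named in the report summary above. The keyword lists are
# constructed for this example; tune them to your own naming conventions.
CATEGORIES = {
    "finance_accounting": {"invoice", "ledger", "budget", "audit", "tax"},
    "customer_patient": {"customer", "customers", "patient", "patients"},
    "employee_pii_hr": {"employee", "employees", "hr", "payroll", "passport"},
    "intellectual_property": {"patent", "formula", "research", "design"},
}
# Constructed sample tree standing in for a file share: relative path -> mode.
SAMPLE = {"finance/2021_tax_audit.xlsx": 0o644, "hr/employee_payroll.csv": 0o600,
          "clinic/patient_invoice_0042.pdf": 0o644, "misc/lunch_menu.txt": 0o644}

def classify(path):
    """Return the categories whose keywords appear as whole tokens in the path."""
    tokens = set(re.split(r"[^a-z0-9]+", path.lower()))
    return sorted(c for c, words in CATEGORIES.items() if tokens & words)

def inventory(root):
    """Walk root and list high-value files, most exposed first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            cats = classify(rel)
            if not cats:
                continue  # not in any category worth prioritizing
            mode = os.stat(full).st_mode
            findings.append({"path": rel, "categories": cats,
                             "world_readable": bool(mode & stat.S_IROTH)})
    # World-readable files first, then files matching more categories.
    findings.sort(key=lambda f: (not f["world_readable"], -len(f["categories"]), f["path"]))
    return findings

def build_sample_share(root):
    """Create the constructed sample files with the listed permissions."""
    for rel, mode in SAMPLE.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample\n")
        p.chmod(mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        for finding in inventory(tmp):
            print(finding)
```

Files at the top of the output are the first candidates for the file encryption and network segmentation the report recommends.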
Now You: How do you protect your systems against ransomware attacks? (via Rapid7)