The data theft and name-and-shame tactics initiated by Maze in November 2019 and subsequently adopted by multiple other groups have blurred the line between ransomware attack and data breach.
The most attractive targets for this type of attack are the organizations that would suffer the most harm from their data being exposed as they are perceived to be the most likely to pay to prevent exposure. Consequently, organizations in the legal, healthcare and financial sectors have been frequently targeted.
But just how common are encryption+exfiltration attacks, and what is the probability that an organization which has had its data encrypted will also have had it stolen?
The numbers
Between January 1st and June 30th, 2020, ID Ransomware received 100,001 submissions relating to attacks by the ransomware groups that target companies and public sector organizations.
Of those submissions, 11,642, just over eleven percent, related to attacks by the groups that overtly steal data.
Why this matters
Exfiltration+encryption attacks combine the disruption of a ransomware incident with the long-term impact of a data breach.
In addition to the costs associated with business interruption and recovery, organizations may also face regulatory penalties, reputational harm and legal actions, see their share price affected, and experience a myriad of other significant impacts such as the loss of intellectual property or the disclosure of competitive information.
Further, exfiltration+encryption incidents create a path for future attacks and other criminal activity. The stolen information can be used to spear phish victim organizations’ clients and business partners or be used to commit other forms of fraud, such as business email compromise (BEC). In other words, one crime can lead to many.
What this means for the US public sector
In 2019, at least 966 government entities, educational establishments and healthcare providers were impacted by ransomware but, because groups did not start overtly stealing data until November, only one of those entities had data exfiltrated and published: the City of Pensacola.
During the course of this year, at least nine other groups have also started to exfiltrate data and, consequently, there is now a much greater risk that data will be stolen during ransomware incidents.
If 966 entities are again impacted in 2020, it is likely that 106 of them, eleven percent, will have data stolen and published. This is probably a best-case scenario as the groups most likely to attack public sector entities are those which overtly steal data.
This forecast is supported by data from Q1 and Q2: of the sixty federal, state and municipal entities that were impacted by ransomware, five, or eight percent, had data stolen. Not all the groups which now exfiltrate data had started to do so at the start of Q1 and, consequently, this percentage is lower than it otherwise would have been.
The leaking of public entities’ data can have extremely serious consequences. For example, the exposure of a police department’s information could potentially compromise ongoing investigations and prosecutions or put officers at risk. Similarly, data theft from private companies in the Defense Industrial Base (DIB) sector could present a risk to national security or the safety of personnel.
There have already been a number of successful exfiltration+encryption attacks this year on both police departments and companies in the DIB sector.
Speedier and more accurate disclosure is critical
“Public personal data has not been impacted.” — the City of Torrance
“The initial assessment shows no financial or personal information has been accessed or compromised.” — the City of Knoxville
“Based on our investigation, there is currently no reason to believe that Islanders’ personal information has been affected by the malware.” — the Government of Prince Edward Island
All of these statements were subsequently proven to be incorrect when stolen data was published.
An absence of evidence of exfiltration should not be construed to be evidence of its absence, especially during the preliminary stages of an investigation. This is particularly true in the case of attacks by groups such as DoppelPaymer, Maze and REvil which are known to steal data. In these cases, the initial assumption should be that data may have been exfiltrated, and potentially affected parties should be promptly notified of this possibility.
As noted above, these incidents put victim organizations’ clients and business partners at significant risk. Speedy and accurate disclosure can help them avoid becoming secondary victims.
The percentage is probably higher
All ransomware groups have the ability to exfiltrate data. While some groups overtly steal data and use the threat of its release as additional leverage to extort payment, other groups likely covertly steal it.
While groups that steal covertly may not exfiltrate as much data as groups seeking to use it as leverage, they may well extract any data that has an obvious and significant market value or which can be used to attack other organizations.
Conclusion and recommendations
We anticipate that exfiltration+encryption attacks will become increasingly standard practice and, consequently, both the risks and the costs associated with ransomware incidents will continue to increase. Additionally, as the big game hunters are successfully hunting ever bigger game, the overall economic impact of incidents will increase from its current level of $170 billion.
To prevent attacks and limit the scope of any which do succeed, organizations should:
- Use multi-factor authentication everywhere that it can be used.
- Limit admin rights.
- Disable RDP if not needed and lock it down if it is.
- Segment the network.
- Use email and web filtering.
- Patch promptly.
- Disable PowerShell when not needed.
- Assume the perimeter will be breached and ensure the tools and processes are in place to monitor for indications of compromise.
- Ensure that MSPs and other service providers adhere to best practices.
- Conduct security awareness training on an ongoing basis.
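As an added example (not part of the original post and not an Emsisoft tool), the read-only PowerShell audit below checks a single Windows host against several of the recommendations above: whether RDP is disabled or at least requires Network Level Authentication and is not exposed to any remote address, how large the local Administrators group is, whether the legacy PowerShell v2 engine has been removed and script block logging turned on, and when the host was last patched. It assumes Windows 10 / Server 2016 or later with the built-in LocalAccounts, NetSecurity and DISM modules, and must be run from an elevated prompt. The thresholds (at most two local admins, a 45-day patch window) are assumptions to be tuned per environment; nothing on the host is modified.

```powershell
# Added example: audit a Windows host against the ransomware hardening checklist.
# Assumes Windows 10 / Server 2016+ and an elevated session. Read-only; emits PASS/FAIL rows.
$ErrorActionPreference = 'Stop'
$results = @()

function Add-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $script:results += [pscustomobject]@{
        Check  = $Check
        Status = if ($Pass) { 'PASS' } else { 'FAIL' }
        Detail = $Detail
    }
}

# 1. RDP: disabled entirely, or enabled only with NLA and a scoped inbound firewall rule.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDisabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 1
if ($rdpDisabled) {
    Add-Finding 'RDP disabled' $true 'fDenyTSConnections=1'
} else {
    $nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
    Add-Finding 'RDP requires NLA' ($nla -eq 1) "UserAuthentication=$nla"

    # Enabled inbound Remote Desktop rules whose remote address filter is "Any" are exposed
    # to the whole network (or the internet, if the host is reachable) rather than admin subnets.
    $openRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' })
    Add-Finding 'RDP firewall scoped to admin subnets' ($openRules.Count -eq 0) `
        "$($openRules.Count) inbound rule(s) allow Any remote address"
}

# 2. Limit admin rights: flag a bloated local Administrators group (threshold of 2 is an assumption).
$admins = @(Get-LocalGroupMember -Group 'Administrators')
Add-Finding 'Local Administrators group small' ($admins.Count -le 2) `
    ('Members: ' + (($admins | ForEach-Object Name) -join ', '))

# 3. PowerShell: the v2 engine bypasses modern logging controls and should be removed,
#    and script block logging should be on so that any abuse is at least recorded.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
Add-Finding 'PowerShell v2 engine removed' ($v2.State -ne 'Enabled') "State=$($v2.State)"

$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sblOn = (Test-Path $sbl) -and
         ((Get-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1)
Add-Finding 'PowerShell script block logging enabled' $sblOn "Policy key present: $(Test-Path $sbl)"

# 4. Patch promptly: report the most recently installed update so stale hosts stand out
#    (45-day window is an assumption).
$lastHotfix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$stale = (-not $lastHotfix) -or ($lastHotfix.InstalledOn -lt (Get-Date).AddDays(-45))
$patchDetail = if ($lastHotfix) { "$($lastHotfix.HotFixID) on $($lastHotfix.InstalledOn.ToShortDateString())" } else { 'none found' }
Add-Finding 'Patched within 45 days' (-not $stale) "Last update: $patchDetail"

$results | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the host being checked; any FAIL row maps directly to one of the list items above. Because it only reads registry values, firewall rules, group membership and hotfix history, it is safe to push through existing management tooling to every endpoint and collect the output centrally, which is also a cheap first step toward the monitoring the checklist calls for.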