When it comes to ransomware attacks, some data is more important to ransomware groups than other data. A new research study by Rapid7, Pain Points: Ransomware Data Disclosure Trends, provides insight into what data ransomware groups value and how they use it as leverage.
Double extortion attacks have increased in recent years. Traditional ransomware attacks encrypt data on the attacked systems to extort money from businesses and individuals. The advent of countermeasures, including the use of backups, has reduced the effectiveness of traditional ransomware attacks.
If data backups are available, companies can use them to restore data without having to pay a ransom. Without additional leverage, ransomware groups will be left empty-handed after the attack.
Double extortion attacks combine the encryption stage with a second stage that takes place before the data is encrypted. The groups analyze files and documents on the attacked network and steal data. The data is still held hostage, since it is encrypted in the encryption stage, but the stolen copy can also be used as leverage in ransom negotiations. Ransomware groups may threaten to release the data to the public or sell it to interested parties; if negotiations fail, the data may be sold on the dark web.
Ransomware studies are released frequently. We have covered two here at GAC in just the last couple of months. The first confirmed the increase in ransomware attacks and ransom payments; the second found that the ransom payment is marginal when compared to the total costs of a ransomware attack.
Ransomware data disclosures
Rapid7 analyzed 161 data disclosures made between April 2020 and February 2022. Many ransomware attacks play out over days, weeks or even months. This time gives attackers the opportunity to collect and exfiltrate data from the compromised networks before running the encryption tasks.
Some data is more valuable to ransomware groups than others. Data that can be used as leverage, for example patient files, financial documents or intellectual property files, is on average more valuable than other types of data that attackers might discover during attacks.
The exfiltrated data is used in various ways by ransomware groups. Besides the obvious use of gaining deeper access to an organization’s network, the stolen data can be used as leverage or sold on dark web marketplaces if ransom negotiations fail.
The additional time that attackers spend on the network gives organizations a chance to discover the intrusion before the data is fully encrypted.
Ransomware data is exposed in two stages:
- Stage 1: A sample of the stolen data is sent to the organization. This is done to establish credibility and to apply pressure, since revealing more data could harm the organization. Usually the sample is provided only to the organization, but it may also be published publicly on the Internet.
- Stage 2: The data is sold or published if negotiations with the victim are fruitless.
Rapid7 notes in the analysis that data disclosures are indicators of general ransomware trends. Based on an analysis of 161 disclosures, the company’s researchers were able to determine the following:
- The most common types of data that attackers disclose.
- How disclosures differ between industries and threat actor groups.
- The current market share of ransomware among threat actors.
Datasets in ransomware data disclosures
Not all data is of equal importance to organizations, and the data disclosed varies greatly between sectors. The most commonly disclosed categories were customer and patient data in financial services attacks, financial and accounting information in health care and pharmaceutical attacks, and personally identifiable information and human resources data in financial services.
Notably, intellectual property (IP) data appeared in 43% of pharmaceutical disclosures. Across all industries, financial and accounting information was disclosed most often, followed by customer and patient data, and personally identifiable information for employees and human resources.
Customer data dominated disclosures in the financial services sector, followed by personally identifiable information, employee and human resources data, and internal finance and accounting documents. This focus indicates that customer data is often more valuable to ransomware groups than other types of data. Rapid7 notes that the threat of disseminating customer data is often a strong one, as it can affect the overall perception of an organization.
Financial and internal accounting files are disclosed more often in healthcare and pharmaceutical attacks than in other sectors, including the financial sector. Customer and patient data is disclosed in more than 50% of all cases, but not to the same extent as in financial services.
The high frequency with which customer and patient data appears in these disclosures indicates that attackers aim to exert greater pressure on victims through: a) the more serious legal and regulatory consequences of patient data breaches for hospitals and other healthcare providers; b) the high value to criminals of detailed patient data sets for identity theft and other forms of fraud.
Disclosures from the pharmaceutical sector included a large number of intellectual property files. Pharmaceutical companies “rely heavily on large intellectual property investments,” which makes disclosure of this data valuable to threat actors. IP disclosures were included in only 12% of disclosures across the whole sample.
Threat Actor Group Trends
Threat actor groups use different strategies in double extortion attacks. Some of the differences can be explained by the data the attackers discovered during the attacks: if a particular type of data is not found or cannot be exfiltrated, other data may be used as leverage instead.
The four major groups in the analysis used different types of data in their disclosures. Finance and accounting data is disclosed 100% of the time by the Darkside group, but only 30% of the time by Cl0p. Similarly, Darkside discloses sales and marketing data, employee PII and human resources data 67% of the time, while the other groups do so only 27% or 30% of the time.
Rapid7 Recommendations and Suggestions
More and more organizations are using backups to counter traditional ransomware attacks. Backups help, but on their own they are not 100% effective against double extortion attacks. To counter double extortion attacks, Rapid7 suggests that organizations use file encryption, segment corporate networks, and render any files “unreadable to unauthorized eyes.”
The report may help organizations identify high-priority assets to better protect them against potential ransomware attacks.
Finally, organizations may also use the report’s findings in their preparations to “predict which types of files are likely to appear.”
Now You: How do you protect your systems from ransomware attacks? (via Rapid7)