Data Exfiltration: Ransomware's Beyond-the-Ransom Impact

If you’re like most organizations, the term “ransomware” conjures up nightmares of hackers infiltrating your network, encrypting your data, and holding you hostage in exchange for a ransom. While an accurate depiction of a traditional ransomware attack, this sequence of activities overlooks an important step, one that has become increasingly popular among hackers and enabled them to regain an advantage over their victims: data exfiltration.

As organizations defend against ransomware attacks by adopting reliable backup systems and stringent policies against paying ransoms, threat actors have resorted to exfiltrating data. It’s a reliable and time-tested method that today is being used in new and more harmful ways against organizations of all sizes, especially small-to-midsized businesses (SMBs) and managed service providers (MSPs).

In this article, we examine the threat of data exfiltration in ransomware attacks, how it occurs, and steps you can take to prevent it from compromising your organization.

Data exfiltration: The new face of an old menace

Data exfiltration is the theft of sensitive information such as personally identifiable information (PII), intellectual property, financial data, trade secrets, and more. The practice has long been used in phishing and spear-phishing campaigns.

Yet data exfiltration has gained new meaning as ransomware groups use it to gain additional leverage over their victims, a technique referred to as double extortion. Hackers exfiltrate sensitive information, encrypt it, and then demand a ransom. If organizations refuse to pay, hackers threaten to leak the stolen information to the public or on the dark web.

Two factors make data exfiltration particularly useful in ransomware attacks. First is the type of organizations targeted. Threat actors commonly focus their exploits on businesses in essential industries such as healthcare, government, or education because these institutions often store valuable information, cannot afford disruptions to business continuity, and tend to present significant IT vulnerabilities.

Hackers are also focusing their attacks on small-to-midsized (SMB) businesses and managed service providers (MSPs), since both types of organizations lack the cybersecurity resources and budgets of larger enterprises and pose less resistance to a successful attack.  

Second is the consequences victims face in the event of a successful data breach. While these consequences vary depending on an organization’s industry and line of business, the potential repercussions include:

1. Financial. If hackers harvest account credentials, they can initiate wire transfers or drain financial accounts.
2. Competitive. If hackers leak trade secrets or intellectual property, they can erase or erode an organization’s competitive advantage.
3. Reputational. If hackers publicize sensitive customer or supplier data, compromised organizations can lose existing and potential customers or partners.
4. Legal. Data breaches can expose organizations to lawsuits from governments, law firms, customers, partners, and others.
5. Regulatory. In the event of a data breach, organizations can face stiff penalties from regulatory violations, including GDPR and HIPAA.

In February 2022, global chipmaker Nvidia was the victim of a ransomware attack by the prolific cybergang, Lapsus$. Leading up to a series of ransomware attacks against Microsoft, Samsung, and other leading tech companies, Lapsus$ infiltrated Nvidia’s network. The cybergang then reportedly exfiltrated a terabyte of data, leaked some of it, and demanded a ransom. Lapsus$ didn’t seek a monetary ransom. Instead, it demanded that Nvidia update its product, and unless the chipmaker complied, Lapsus$ would leak the company’s trade secrets, potentially jeopardizing its competitive advantage.

While the case of Nvidia isn’t unique, it characterizes a new threat landscape where data has become a critical vulnerability for organizations. Indeed, if we look at some of today’s most feared and talked-about ransomware groups, we find that all use data exfiltration to exploit their victims. This includes Lapsus$, Hive, Conti, LockBit, and BlackCat, the latter responsible for more than 60 data breaches globally between November 2021 and March 2022.

This new threat landscape also signals a necessary change in how organizations protect their data. Before we look at the ways you can prevent data exfiltration, let’s unpack how the threat occurs.

How data exfiltration occurs

Data exfiltration occurs in two phases. In the first phase, hackers attempt to gain access to an organization’s internal network. This can occur through a variety of techniques, including:

1. Phishing campaigns. Hackers impersonate a brand and trick victims into divulging account credentials or clicking a malware-laced link that compromises the user.
2. Brute force attacks. Hackers use a variety of techniques to guess the account credentials of victims and gain access to an internal network.
3. Credential stuffing. Using bots, hackers attempt to gain access to legitimate accounts by testing out compromised credentials.
4. Remote desk protocol (RDP) attack. Hackers exploit a Windows protocol to access and control a device remotely to infiltrate an internal network.
5. Exploiting IT vulnerabilities. Hackers exploit vulnerabilities in the network due to outdated software, unprotected internet-connected devices, inadequate security of suppliers connecting to the network, or for other reasons.

Once hackers gain access to the internal network, the second phase commences. They use a variety of techniques for lateral movement, including performing reconnaissance to diagnose the makeup and structure of the network, and using malware and other cyberthreats to compromise users and escalate privileges. Together, these techniques enable hackers to access the sensitive data targeted for exfiltration.

Data exfiltration prevention

To protect against data exfiltration, your organization should embrace the following set of technologies and practices.

1. AI-threat detection technology

Email remains the top vector for cyberthreats, making it the prime channel for hackers to attempt to infiltrate your network. While traditional email security solutions provide protection against known cyberthreats, they don’t defend against dynamic and sophisticated phishing campaigns, spear-phishing attacks, and malware-distributed emails that may lead to data exfiltration.

Artificial Intelligence (AI) threat detection technology offers a superior solution by providing predictive defense against known and unknown threats. The solution performs a behavioral analysis of emails, URLs, attachments, and webpages to detect the suspicious behaviors and anomalies characteristic of all cyberthreats, even those not yet seen in the wild.

Still, not all AI-threat detection and response solutions provide adequate protection. For optimal defense, look for solutions that combine a core set of AI technologies specialized in neutralizing every type of email-borne threat. They include Machine Learning, Computer Vision, and Natural Language Processing. Because the strength of AI depends on information, make sure the solution also gathers ongoing intelligence from a large, current, and relevant dataset.

2. AI-threat response technology

Threat detection is not a perfect line of defense. If email-borne threats reach your users’ inboxes or originate from a source inside your network, you need the ability to detect and remediate an attack. AI-threat response solutions provide the same capabilities as AI-threat detection technology, but they extend protection to threats within your internal network on an ongoing basis.

When evaluating AI-threat response solutions, look for the same features examined in the previous section. Also, make sure the solution is API-based and lives within your network natively. This maximizes security by working with the basic security tools offered by productivity suites like Microsoft 365 or Google Workspace.

Additionally, look for solutions that provide continual scanning and automatic remediation, which ensures ongoing protection while freeing up critical IT resources. And because time and awareness are critical factors for effective threat response, choose solutions that enable you to track and remediate threats across your employees or clients from one interface, ensuring you can act quickly while avoiding unnecessary delays in your incident response.

3. User awareness training

According to a study by IBM and Ponemon Institute, 21% of data breaches globally in 2021 were caused by human error. While email is the top vector for cyberattacks, your users remain the preferred target for hackers. That’s why user awareness training is one of the most important prevention measures to exploitation.

By educating your team on how to spot and respond to email-borne threats, you develop an additional layer of protection against phishing, spear-phishing, and malware-distributed emails. Because learning outcomes vary significantly depending on the type of training, look for solutions that provide education with the following features:

1. Automated. Self-administers automatically, with no intervention by you or an administrator.
2. Personalized. Fits the content and context of users’ regular email interactions.
3. Timely. Occurs when users need it most: when they encounter a threat.

4. Zero Trust security

As mentioned previously, once hackers gain access to your internal network, they can use a variety of techniques to move laterally and locate the data they want to exfiltrate. Zero Trust security is a strategic framework that limits the ability for hackers to penetrate and freely move about your internal network.

By adopting Zero Trust security, you make it harder for hackers to compromise your network after gaining initial access. Using technologies like multi-factor authentication (MFA), network segmentation, and access controls, Zero Trust security requires all users to undergo continuous authentication, authorization, and validation for each interaction with your network.

5. Password policy management

Like Zero Trust security, password policy management is a strategic approach that enables you to decrease the chances hackers can infiltrate your network. Password policy management is a set of procedures and policies that force your users to create strong and unique passwords and do so on a periodic basis.

By embracing password policy management, you systematically fix the bad password habits employed by most users and limit the ability for hackers to gain entry your networks by way of brute force attacks or credential stuffing.

Stop data exfiltration before it starts

Data is one of the most important assets to your business. As with anything of value, however, it can also be a serious liability, exposing you to severe and lasting consequences. Yet you can thwart data exfiltration attempts sustainably and successfully. By adopting the measures and technologies examined previously, you can also keep your clients, partners, employees, and data safe.