
Report: Over 1 in 10 Ransomware Attacks Results in Data Theft

Double extortion ransomware attacks were made popular by the Maze hacking group, but other threat actors are following suit; Emsisoft finds over one-tenth of these attacks result in data theft.


By Jessica Davis

More than one out of 10 ransomware attacks results in data theft, increasing the risk of data loss, business interruption, regulatory penalties, legal harm, and reputational damage, according to recent Emsisoft data.

In fact, of the 100,001 ransomware attacks reported to ID Ransomware between January 1 and June 30, 2020, 11,642 of those attacks (11 percent) were tied to the hacking groups publicly known to steal data before encrypting impacted systems. 

Double extortion ransomware attacks were first made popular by the Maze hacking group. Beginning in late November, Maze cybercriminals began hitting US organizations by first gaining a foothold on the network and moving laterally across the network through connected devices. The threat actors can remain undetected on the victim’s network for days and even months, waiting for the ideal moment to deploy the ransomware.

In January, the FBI began alerting the public sector to a spike in these attacks, where hackers posed as legitimate security vendors or government agencies to encrypt or steal data. Other hacking groups began following suit, and by April, the Department of Homeland Security warned that hackers were targeting the remote environment to first find and obtain valuable data before deploying the ransomware payload. These hacking groups include Maze, Nefilim, Sodinokibi, REvil, and at least four others. 

The healthcare sector has remained a prime target for these attacks, given the trove of sensitive data and need for continuous data access. According to the latest Emsisoft data, these attacks are blurring the lines between ransomware attacks and data breaches.

“The most attractive targets for this type of attack are the organizations that would suffer the most harm from their data being exposed as they are perceived to be the most likely to pay to prevent exposure,” researchers wrote. “Consequently, organizations in the legal, healthcare and financial sectors have been frequently targeted.” 

While the costs associated with ransomware attacks typically refer to business interruption and recovery efforts, double extortion attacks can spur a “myriad of other significant impacts such as the loss of intellectual property or the disclosure of competitive information.” 

To Emsisoft, these attacks pave the way for future attacks and criminal activities. For example, data stolen from victim organizations can be leveraged in later spear phishing attacks on the enterprise’s clients, customers, and business partners, along with future fraud attempts and business email compromise.

Just 41 healthcare providers reported falling victim to ransomware during the first half of 2020, but researchers stressed that it doesn’t mean hackers haven’t already compromised the networks for future attacks. Further, as more employees return to the office, the likelihood of ransomware deployment will increase. 

What’s worse, Emsisoft found that some hacking groups may covertly steal data, instead of publicly shaming the victims by posting sensitive information to dark web forums. These groups may not steal as much data, but “may well extract any data that has an obvious and significant market value or which can be used to attack other organizations.” 

“An absence of evidence of exfiltration should not be construed to be evidence of its absence, especially during the preliminary stages of an investigation,” researchers warned. “In these cases, the initial assumption should be that data may have been exfiltrated and potentially affected parties should be promptly notified of this possibility.”  

“If 966 entities are again impacted in 2020, it is likely that 106 of them, eleven percent, will have data stolen and published,” they added. “This is probably a best-case scenario as the groups most likely to attack public sector entities are those which overtly steal data.” 

Emsisoft also provided recommendations to strengthen defenses, including the need for multi-factor authentication, limiting admin rights, segmenting the network, promptly patching, and conducting security awareness training on an ongoing basis. 

The remote desktop protocol should be disabled if it’s not needed or locked down if its use is necessary for business operations, while PowerShell should be disabled when it’s not needed. Email and web filtering should also be employed. 

Lastly, organizations should assume the perimeter will be breached and implement the right processes and tools to monitor for indicators of compromise. And administrators should ensure any connected vendors are also adhering to these best practices. 

Microsoft previously released ransomware guidance for human-operated attacks, as did the Office for Civil Rights. Other security researchers have also shared ransomware insights with HealthITSecurity.com to help organizations develop a ransomware response plan.