The data ransomware attackers are after
A new report released by Rapid7 investigates the double extortion trend pioneered by the Maze ransomware group. The report examines the contents of initial data disclosures intended to coerce victims into paying a ransom.
The 'Ransomware Data Disclosure Trends' report a reveals how ransomware attackers think, the data they value and how they approach applying pressure on victims, according to the authors.
Ransomware is an increasingly prevalent problem for cybersecurity teams, causing billions in losses across many industry sectors globally and stopping critical infrastructure in its tracks.
In recent years, threat actors have upped the ante by using ‘double extortion’ as a way to inflict maximum pain on an organisation. Using this method, threat actors not only hold data hostage for money, they also threaten to release that data — either publicly or for sale on dark web outlets — to extract additional payments.
Rapid7 has identified the types of data that attackers initially disclose to coerce victims, and determined trends across industries. The company says the analysis is the first-of-its-kind and uses proprietary data-collection tools to analyse the disclosure layer of double-extortion attacks.
The report examined all ransomware data disclosure incidents reported to customers through the company’s threat intelligence platform between April 2020 and February 2022, and also incorporated threat intelligence coverage and institutional knowledge of ransomware threat actors. This analysis determined: the most common types of data disclosed; the most affected industries and how they differ; how leaked data differs by threat-actor group and target industry; and the current state of the ransomware market-share among actors and how that has changed over time.
Finance, pharma and healthcare are key targets
Overall, trends in ransomware data disclosures pertaining to double extortion varied slightly, except in a few key verticals: pharmaceutical, financial services, and health care. In general, financial data was leaked most often (63%), followed by customer/patient data (48%).
The state of ransomware actors
The analysis delivered a clearer understanding of threat actors responsible for attacks. Between April and December 2020, the now-defunct Maze Ransomware group was responsible for 30% of attacks.
This ‘market share’ was only slightly lower than that of the next two most prevalent groups combined (REvil/Sodinokibi at 19% and Conti at 14%).
However, the demise of Maze in November of 2020 saw many smaller actors stepping up. Conti and REvil/Sodinokibi swapped places respectively (19% and 15%), barely making up for the shortfall left by Maze. The top five groups in 2021 made up just 56% of all attacks with a variety of smaller, lesser-known groups being responsible for the remainder.
Recommendations for security operations
While there is no silver bullet to the ransomware problem, there are silver linings in the form of best practices that can help to protect against ransomware threat actors and minimise the damage, should they strike. This report offers several that are aimed around double extortion, including:
- going beyond backing up data by including strong encryption and network segmentation;
- prioritising certain types of data for extra protection, particularly for those in fields where threat actors seek out that data in particular to put the hammer to those organisations the hardest;
- understanding that certain industries are going to be targets of certain types of leaks and ensuring that customers, partners, and employees understand and are prepared for the heightened risk of disclosures of those types of data.
The need for mental health support within the cybersecurity profession has been evident for quite...
Collaborating with industry stakeholders to devise a ransomware reporting obligation is a key...
With the ever-increasing speed and sophistication of cyber attacks, we need speed, scale and...