Luis Rodriguez

The destructive power of Ransomware


Ransomware is one of the most relevant and dangerous threats facing cybersecurity teams today. Attackers who gain access to a network and hold its data for ransom have caused losses in the millions across the ecosystem and around the world. Ransomware has affected critical infrastructure such as healthcare services, putting the lives and livelihoods of many at risk.


In recent years, threat actors have turned up the intensity through the use of "double extortion" as a way to inflict maximum damage on an organization. With this method, threat actors not only hold data hostage for money, but also threaten to release it (either publicly or for sale on dark web sites) to extract even more money from companies.


We often say that when it comes to ransomware, we can all be targets, but we don't all have to be victims. We have the means and tools to mitigate the impact of ransomware, and one of the most important assets we have on our side is data on the ransomware attackers themselves.


Reports on ransomware trends are fairly common these days. But what is not common is information on what kind of data threat actors prefer to collect and publish.


A new security report uses proprietary data collection tools to analyze the disclosure layer of double extortion ransomware attacks.


It identified the types of data that attackers initially disclose to force victims to pay a ransom, determined industry trends, and published the results in a first-of-its-kind analysis. The report analyzes all ransomware data disclosure incidents reported to customers through our Threat Command threat intelligence platform (TIP). It also incorporates threat intelligence coverage and knowledge about ransomware threat actors.


Building on the above, it is possible to specify the most common types of data attackers disclosed in some of the most affected industries and how they differ; how the leaked data differs by threat actor group and target industry; and the current state of ransomware market share among threat actors and how it has changed over time.


Overall, trends in ransomware data disclosure related to double extortion varied slightly, except in a few key verticals: pharmaceuticals, financial services, and healthcare.

Across the whole sample, financial data was leaked most frequently (63%), followed by customer/patient data (48%).


However, in the financial services sector, it was mostly customer data that was leaked, rather than the financial data of the companies themselves.


About 82% of the disclosures linked to the financial services sector were of customer data. Internal company financial data, which was the most exposed data in the overall sample, accounted for only 50% of data disclosures in the financial services sector. Employee personally identifiable information and human resources data were more frequent, at 59%.


In the healthcare and pharmaceutical sectors, internal financial data was leaked about 71% of the time, more than any other industry, including the financial services sector itself. Customer/patient data also appeared with high frequency, being published in 58% of disclosures in the sectors combined.


One of the most interesting results of the analysis was a clearer understanding of the state of ransomware threat actors. It is always critical to know your enemy, and with this analysis, we can identify the evolution of ransomware groups, what data individual groups value for initial disclosures and their prevalence in the "market".


While there is no perfect recipe for the ransomware problem, there are positives in the form of best practices that can help protect against ransomware threat actors and minimize the damage should an attack occur.




