As this recent article illustrates, many ransomware operators are now collecting information from victims before encrypting their data, and then threatening to release what they’ve collected – or actually releasing some of it – to increase the chance they’ll get paid. There have been many cases already where at least a portion of data has been released when the victim doesn’t pay up. If this becomes the norm – and it looks like it will – victims will need to consider all ransomware attacks as possible data breaches.
Ever since the Maze ransomware operators realized they could increase the odds of collecting the ransom by leaking data, many other ransomware groups have started following suit. In the latest variant seen using this tactic, the attackers essentially guarantee they can decrypt the files if you pay (with proof provided on two random files). But at that point, the data has already been stolen.
While the attackers will typically steal only a segment of the data they encrypt – a few GB, random emails, etc. – the victim will likely have no idea which portion of the encrypted files was stolen and will have to treat all data that was accessed as “breached”, unless they can assess that there is a reasonably low risk that certain data was extracted.
As security professionals we strive to prevent the attackers from compromising our organizations in the first place. But in the event they are successful, following is a sample of additional controls that can be implemented to better detect data exfiltration:
In addition to these controls, as noted in this blog post last month, organizations that fall victim to ransomware should engage experienced outside counsel to commence an internal investigation and to: