Weaponized Data: How Data Exfiltration Evolved the Ransomware Threat

June 7, 2022
By: Amelia Foss

The security industry is rife with buzzwords and jargon, but with businesses falling victim to ransomware every 11 seconds [1], the term "ransomware" has crossed over to the mainstream. Yet while the basics of ransomware may be easy to understand - a company’s data is encrypted by bad actors who will provide the decryption keys once a ransom has been paid - the business of ransomware continues to evolve and grow more intricate. This blog will explore how data exfiltration shifted the ransomware threat from purely monetary to something much more devastating and how a Data-First Security approach can help businesses mitigate their exposure.

Today’s ransom demands are skyrocketing into the tens of millions of dollars in some cases. The largest payment on record came in at a whopping $40 million! [2] Yet while these figures may keep most businesses up at night, the real threat is increasingly not the payment itself but rather the exfiltration of valuable data.


How is Data Exfiltration Shifting the Threat?


In a basic ransomware attack, malware spreads through a company’s network and encrypts the files it can access.  This type of attack is easily corrected by restoring data from backups. In a modern exfiltration attack, however, a copy of those files is first stolen, or exfiltrated, by the attacker prior to encryption, thereby increasing the leverage of the attack. Companies that choose not to pay the ransom risk having their stolen data published to the dark web.  

Data exfiltration is a force multiplier for the ransomware industry because it ensures that businesses cannot simply rely on a data backup solution to circumvent payment. A successful exfiltration attack means that the organization’s backbone - its valuable information - can now be weaponized and used against it by exposing trade secrets, intellectual property, or sensitive customer interactions. While CNA Financial, the victim of the aforementioned $40M payout, claimed their list of business clients and their respective cyber risk premiums was not, in fact, compromised [3], it’s easy to see how publishing information such as this would all but ensure that those businesses would become instant targets. The higher your cyber risk insurance premium, the more likely you are to pay the ransom.

Exfiltrated or stolen data gives the bad actors leverage for double extortion, as businesses are not simply paying the ransom to regain access to their files but rather to keep those records from getting published. This means that businesses now need to consider not just how to keep their company running with the shortest downtime after an attack but also how to secure their data on a daily basis to avoid having it stolen. Triple and quadruple extortion happens when the attacker adds layers such as a DDoS website attack along with direct outreach to the individuals affected by the stolen data - be they clients, partners, or even a company’s own employees - in an attempt to apply outside pressure to pay the ransom. [4]

The first reported double extortion case emerged in 2019 against security staffing company Allied Universal, in which the attackers used a ransomware strain called MAZE. [5] This marked a turning point in the ransomware business. By late 2021, it was reported that over 80% of ransomware attacks included a threat to leak stolen data. [6]


What Steps Can Businesses Take to Stay Secure?

So with ransomware on the rise and the threat of attack evolving, how can businesses stay secure while maintaining day-to-day operations?  

It starts with shifting the mindset from hoping they will not become a victim to understanding that an attack is inevitable.  While seemingly nihilistic, businesses that prepare for the eventuality of an attack will be better suited to handle one when it occurs. 

Next, organizations need to audit the type of data they have, how it’s being used, and where it lives. Understanding the amount of data that needs to be stored and secured, and then classifying it by level of sensitivity, will help build out a strategy.

Once organizations have taken stock of their data profile, they will next want to decide how to secure it.  This means housing it, backing it up, creating redundancies and encrypting extra-sensitive files while also maintaining accessibility for day-to-day business operations.  This is a tall order to be sure and a problem that today’s modern Data-First Security is promising to solve.  


What Is Data-First Security?

Data-First Security is a next-generation approach to data protection that addresses the evolving ransomware threat. Where most security solutions adopt an outside-in method that builds strong defenses around the perimeter to keep malware out, the Data-First Security approach applies protection directly to the data itself, using an inside-out method that assumes the data will be breached and protects it even in the event of a cyber attack. Sitting as a layer between security defenses and cloud file management and backup, today’s newest generation of data security offers users a way to encrypt, fragment, and scatter their files across geographically separated locations. A neutral data harbor runs the process and holds the keys to piecing the fragments back together instantaneously for an authorized user to work with a file before scattering the encrypted fragments back to their disparate locations. In using this process, even in the event of a breach, attackers would only gain access to double encrypted fragments of encrypted files and never the entire data set, thus removing exfiltration from the ransomware attacker’s toolkit. We call these fragmented pieces Digital Sludge™.
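
The fragment-and-scatter idea described above, as an added example that is not Calamu's code or algorithm (the page does not specify one): it substitutes n-of-n XOR secret splitting for the encrypt-then-fragment step, to show why a breach of one location yields nothing usable. The site names, manifest layout and sample record are constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample record, not real data.
SAMPLE = b"acct=4471;client=Example Corp;premium=18200\n"


def xor_all(chunks):
    """XOR equal-length byte strings together."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def scatter(name, data, stores):
    """Split data into one fragment per store; return the coordinator's manifest."""
    if len(stores) < 2:
        raise ValueError("need at least two locations")
    # n-1 fragments are pure randomness; the last is data XOR all of them,
    # so any incomplete set of fragments is statistically independent of data.
    frags = [secrets.token_bytes(len(data)) for _ in range(len(stores) - 1)]
    frags.append(xor_all(frags + [data]))
    for store, frag in zip(stores.values(), frags):
        store[name] = frag
    return {"name": name, "locations": list(stores),
            "sha256": hashlib.sha256(data).hexdigest()}


def gather(manifest, stores):
    """Rebuild the file from every location and verify it against the manifest."""
    frags = [stores[loc].get(manifest["name"]) for loc in manifest["locations"]]
    if any(f is None for f in frags):
        raise LookupError("a fragment is missing; the file cannot be rebuilt")
    data = xor_all(frags)
    if hashlib.sha256(data).hexdigest() != manifest["sha256"]:
        raise ValueError("fragments were altered or do not belong together")
    return data


if __name__ == "__main__":
    sites = {"site-a": {}, "site-b": {}, "site-c": {}}  # hypothetical locations
    manifest = scatter("clients.csv", SAMPLE, sites)
    print("one breached site holds:", sites["site-a"]["clients.csv"].hex())
    print("all sites + manifest   :", gather(manifest, sites))
```

The manifest carries a hash of the plaintext, so it belongs with the coordinating party and not at any storage site.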

Data-First Security builds on the belief that a data breach is inevitable and offers businesses the resiliency to continue working through it.  


What Other Steps Can Businesses Take to Stay Secure?

Beyond focusing on data protection and management, businesses should always look to build out layered security defenses.  Other steps include:

  • Cybersecurity awareness training for your employees
  • Updating software and equipment, and staying mindful of patch hygiene
  • Strong password management and BYOD policies
  • Review Remote Desktop Protocol (RDP) settings
  • Build layered security defenses through modern endpoint and perimeter security

Ready for more on how modern data protection can defend against stolen data and ransomware? Check out our recent discussion with guests from TechWerxe and Axis Group as we break down the evolving threat landscape and solutions to avoid paying the ransom. Watch the full webinar recording here.


[1] Cybersecurity Ventures | [2] CNet | [3] Bloomberg | [4] Trend Micro | [5] Checkpoint | [6] Kroll


