Business is booming for cybercriminals who continue to thrive on the element of surprise and exploit any weakness to gain the upper hand over their victims. This is particularly true when it comes to ransomware attackers, for whom weaponizing their victims’ vulnerabilities and catching them off guard is all part of the plan.
As such, criminal gangs are increasingly using novel tactics to circumvent traditional security solutions, and one of the most significant shifts is that attacks involving data exfiltration are now the norm. Stealing sensitive data gives these gangs the most leverage over their victims, and the stark reality is that ransomware attacks involving exfiltration now constitute 90% of all attacks.
To exploit any weakness, they’re also likely to strike the most vulnerable industries and even time their attacks during holidays when companies operate with fewer staff and are less equipped to deal with a major incident.
When it comes to protecting against these attacks, knowledge is power, and the best form of defense is to understand the attacker’s preferred playbook. In this way, organizations can put the most reliable processes and technology in place to guard against them and ensure their data, systems and reputation remain intact.
No business stands still and, just like the corporate world, the criminal gangs behind ransomware attacks will continue to adapt their techniques to maximize their returns. As we head into 2024, organizations must be ready to guard against these tactics and prevent a ransomware attack from bringing their own organization to a grinding halt.
The rise and rise of double exfiltration
Like any legitimate business, criminal gangs will refine their tactics to make sure their money-making efforts yield the best return. They will adapt and hone their techniques – and then sell their tools and their expertise to other groups – in order to make millions from their extortion demands. And, as with many markets, the front runners have created business models which are repeatable, profitable and highly effective.
We only have to look at the events of 2023 to see evidence of just how much damage these attacks inflicted and why data exfiltration – in which gangs access, steal and then threaten to sell or publish sensitive data – is their preferred modus operandi. The ‘one-two’ punch of encrypting systems first is often bypassed entirely, so that exfiltration, which is faster and more effective, is the primary way in which organizations are forced into making payments.
One of the dominant forces of the last year was the Play ransomware group, which hit more than 300 targets using these tactics. A joint advisory from multiple intelligence agencies notes that victims were not provided with an initial ransom demand and, instead, were urged to contact the group by email to begin negotiating for the return of their assets.
The infamous MOVEit attack by the Clop group was another example of gangs using data exfiltration, with more than 2,000 organizations impacted. These attacks also demonstrated the trend towards novel attack tactics, as Clop exploited a zero-day vulnerability in the MOVEit file transfer system to reach victims.
Attackers strike the most vulnerable
Analyzing attacks over the last few years reveals a further trend in ransomware attacks, with gangs striking under-resourced industries and timing their attacks to inflict the greatest damage. The education, healthcare and government sectors – beset by a lack of budget and resources – are consistently amongst the most targeted industries.
In terms of timing, we tracked more attacks in November than any other month in 2023 – including one at healthcare provider Ardent Health Services which caused chaos over the Thanksgiving weekend. It’s no coincidence that some of the biggest cyberattacks over the years have been timed to strike over holiday periods or weekends – when it’s more costly and far more disruptive to deal with the aftermath.
Heading into 2024, it’s likely that criminal gangs will continue to put public sector organizations in their sights, and these ‘high risk’ institutions should prepare for even more attacks. Every organization should also ensure that its ‘out of hours’ response processes are firmly in place. The impact of these attacks can be significantly reduced with the right preparations: a focus on strong security foundations and specific provisions around data exfiltration helps to minimize the risk.
The importance of fundamentals
Although ransomware groups are constantly deploying new tactics, criminal gangs are also looking for the easiest attack path. Any lapses in basic security measures such as unpatched systems and poor password hygiene allow attackers easy access to their victim.
Companies that get the basics right will immediately improve their resilience against most attacks. Ensuring that security patches and software updates are applied swiftly and regularly will greatly reduce the chances of attackers finding vulnerable systems to exploit.
Implementing strict password policies and measures like MFA will harden the network against intruders with stolen credentials. Regular efforts to keep employees informed and engaged about security hygiene and data handling are also healthy practices to encourage.
Focus on data exfiltration
While getting the basics right will send many attackers off in search of easier prey, sophisticated attackers expend more effort to breach valuable targets. Organizations need to be ready to detect active threats within their network and move to stop them quickly, especially when faced with fast-acting ransomware attacks. While threat detection tools are essential, most traditional solutions struggle with new attack vectors and tactics such as fileless ransomware, which bypass any tools that rely on threat signatures.
As such, firms must also be capable of stopping intruders from successfully accessing and exfiltrating sensitive and mission-critical data. This is where anti-data-exfiltration (ADX) comes in. These solutions are deployed across the entire suite of devices on the network and continually monitor traffic.
Rather than relying on known threat signatures, ADX uses AI-based behavioral analysis to detect suspicious activity. The solution prevents the unauthorized removal of data through any connected endpoint, stopping intruders from extorting their victim.
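To make the behavioral idea concrete, here is an added example (my own illustration, not code from this page or from any ADX product) that flags likely exfiltration in constructed flow records by comparing each host's outbound volume and destinations against its own learned baseline rather than against a signature; the hostnames, addresses and thresholds are assumed values.

```python
"""Behavioural egress check over a constructed flow log (added example, not
code from the page or any ADX product): flag exfiltration by deviation from a
host's own outbound baseline, in volume and destinations, not by signature."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: (day, src_host, dst_ip, bytes_out).
# Days 1-3 are the learning window; day 4 is the day under review.
FLOWS = [
    (1, "ws-07", "203.0.113.10", 1_200_000), (2, "ws-07", "203.0.113.10", 900_000),
    (3, "ws-07", "203.0.113.10", 1_500_000), (1, "ws-12", "203.0.113.44", 18_000_000),
    (2, "ws-12", "203.0.113.44", 22_000_000), (3, "ws-12", "203.0.113.44", 20_000_000),
    (4, "ws-07", "203.0.113.10", 1_000_000), (4, "ws-07", "198.51.100.23", 800_000_000),
    (4, "ws-12", "203.0.113.44", 30_000_000), (4, "ws-12", "10.0.0.5", 900_000_000),
]
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    """True for destinations outside the RFC 1918 ranges; internal traffic is ignored."""
    return not any(ip_address(ip) in net for net in INTERNAL)

def daily_egress(flows, days):
    """Outbound bytes per (host, day) to external IPs, and the external IPs each host used."""
    volume, destinations = defaultdict(int), defaultdict(set)
    for day, host, dst, nbytes in flows:
        if day in days and is_external(dst):
            volume[(host, day)] += nbytes
            destinations[host].add(dst)
    return volume, destinations

def detect(flows, learn_days, review_day, factor=5.0, min_bytes=50_000_000):
    """Alert on hosts whose review-day egress exceeds both an absolute floor and
    factor x their peak learned day; list destinations unseen in the learning window."""
    base_vol, base_dst = daily_egress(flows, learn_days)
    peak = defaultdict(int)
    for (host, _), nbytes in base_vol.items():
        peak[host] = max(peak[host], nbytes)
    today_vol, today_dst = daily_egress(flows, {review_day})
    alerts = {}
    for (host, _), total in today_vol.items():
        if total >= min_bytes and total > factor * max(peak[host], 1):
            alerts[host] = {"bytes": total, "baseline_peak": peak[host],
                            "new_destinations": sorted(today_dst[host] - base_dst[host])}
    return alerts
```

Running `detect(FLOWS, {1, 2, 3}, 4)` flags only ws-07, whose 801 MB to a never-seen external address dwarfs its 1.5 MB daily peak, while ws-12's larger but routine transfers and its internal copy to 10.0.0.5 stay quiet.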
With more threat actors likely to follow in the footsteps of Clop and Play in the year ahead, preventing data theft must be an integral part of any security strategy. After all, if no data is accessed or destroyed in an attack, it cannot be considered a true breach, and therefore it has no impact on data integrity or privacy.
Prepare for the worst case scenario
Organizations need to be realistic that attacks can still occur even with the best defensive solutions and strategies in place. This doesn’t mean admitting defeat – it just means being ready with a response and recovery strategy to get the company back on its feet as soon as possible.
This should include processes for regularly backing up data, with the backups ideally being encrypted and stored off site to keep them out of reach of the attack. There also needs to be a detailed playbook on restoring systems and working around issues to minimize the disruption.
Ransomware attackers are also relying on tightened data protection regulations to exert pressure, so firms should have an established process in place for reporting data breach incidents. This includes notifying customers whose personal information is likely to have been stolen or leaked, as well as any relevant authorities such as the ICO. Enterprises must be able to comply with any regulatory time limits on these reports: for example, in December the SEC brought in new requirements for breaches to be reported within four days, and the DORA regulation coming into law in 2025 stipulates that breaches are reported within 72 hours.
Finally, it’s worth noting that while a solid recovery plan is essential, it cannot account for criminals using data exfiltration as their primary leverage for blackmail. This means that even if systems are restored, the threat group can still leak or sell critical and sensitive data. The overarching lesson is that prevention is always better than cure.
Future-proofing against ransomware
While we can’t predict everything, we do know that ransomware attackers will continue to use all the techniques at their disposal to pressurize victims into conceding to their demands. So, in the same way that we’re told to ‘keep our friends close but our enemies closer’, we need to keep pace with their tactics, and understand their business models and extortion techniques, in order to thwart their efforts.
The good news is that well-prepared organizations will rob attackers of the element of surprise and will limit the attackers’ goal of causing serious disruption and stealing valuable data. Those firms with hardened networks, effective recovery plans and the ability to detect and prevent data exfiltration can turn the tables on attackers expecting a vulnerable and unprepared victim.