Ransomware Plus Exfiltration: Encrypt Your Data Before Someone Else Does

As if ransomware attacks weren't already a big enough problem—infecting millions of computers and draining billions of dollars every year—a new development has made the threat an even greater concern.

Starting in late 2019, a hybrid variety of cyber attack has emerged, in which traditional ransomware tactics are combined with data exfiltration. Attackers notify their victims that if they fail to pay the ransom demand, not only will data on the infected systems remain encrypted, but the attackers will expose highly sensitive data to the public as well.

Redefining ransomware

Though it's been a problem for years, ransomware was—until now—at least a problem that organizations could deal with internally. The goal for attackers was simply to infect and encrypt as many systems as possible, and the more complex task of stealing data wasn't part of the scheme. Whether victims paid the ransom or not, the affected data never left their own systems, so companies could often avoid the costs and PR damage associated with reporting a data breach.

But like other cyber threats, ransomware has evolved, and attackers have begun to exfiltrate sensitive files before encrypting and shutting down the systems they infect.

This new twist on an already-serious threat began to make headlines in the fall of 2019, under names including Maze and DoppelPaymer. Security staffing firm Allied Universal saw 700MB of sensitive data exposed in November, and Visser Precision, a manufacturer for defense contractors and SpaceX, had nondisclosure agreements, missile antenna schematics, and other sensitive files exposed a few months later. Other large corporations and government offices have also reported attacks.

Dealing with the threat

Until now, the ransomware defense plan was fairly straightforward: patch your software, avoid phishing, detect malware, and keep everything backed up. In many cases, a well-prepared organization could hope to survive a successful attack without paying a ransom. But now that ransomware operators are beginning to exfiltrate data before encrypting it, the landscape has changed.

The added threat of data exposure means that organizations need an additional layer of defense: company-controlled encryption for the data most likely to be targeted.

Attackers using the exfiltrate-and-ransom model are sophisticated enough to know which data will hurt their victims most. Rather than grabbing the first files they see, they seek out top-secret product designs, proprietary computer code, confidential HR files, and other data that a typical organization would do anything to keep from public view. But if those files are already encrypted under keys the organization controls, exposing them gives the attacker no additional leverage. All an attacker will accomplish by publishing the files is to demonstrate that the victimized company has proper data protection in place.
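The following Go program is an added illustration of the "encrypt it before they do" idea and is not code from the original post. It seals a sensitive file under a company-held AES-256-GCM key, with the file path bound as additional authenticated data, and then checks what an exfiltrated copy would reveal. The key, the file path and the file contents are constructed for the example; in a real deployment the key would live in a company-controlled key management service, never beside the files it protects.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key. Constructed in memory here for the
// example; a production key would come from a KMS/HSM under company control.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM and a random 96-bit nonce.
// The file path is bound as additional authenticated data, so a blob cannot
// be silently moved or swapped. Output layout: nonce || ciphertext || tag.
func Seal(key []byte, path string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends the ciphertext and tag to dst (the nonce).
	return gcm.Seal(nonce, nonce, plaintext, []byte(path)), nil
}

// Open reverses Seal. A wrong key, a different path, or any modified byte
// makes the authentication tag check fail and returns an error.
func Open(key []byte, path string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("encrypted blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(path))
}

// LeaksPlaintext reports whether a sensitive marker is visible in the blob an
// attacker would exfiltrate. For a correctly sealed file it must be false.
func LeaksPlaintext(blob, marker []byte) bool {
	return bytes.Contains(blob, marker)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	const path = "hr/salary-review.docx" // constructed sample path
	secret := []byte("CONFIDENTIAL: proposed salary bands") // constructed sample content

	blob, err := Seal(key, path, secret)
	if err != nil {
		panic(err)
	}
	fmt.Println("marker visible in stored blob:", LeaksPlaintext(blob, []byte("CONFIDENTIAL")))

	if _, err := Open(key, "hr/other.docx", blob); err != nil {
		fmt.Println("blob bound to its path, open under another path fails:", err)
	}
	pt, err := Open(key, path, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted with the company key:", string(pt))
}
```

Random 96-bit nonces are safe for the number of files a single key would typically cover, but a key that seals very large numbers of blobs should be rotated or the nonce derived from a counter. The decisive property for the exfiltration scenario is that the stored blob carries no plaintext and is useless without a key the attacker never had.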

What if you pay?

There's no universally accepted answer to the question of whether an organization should pay the ransom after a ransomware attack. Less sophisticated ransomware can often be defeated without a payment, and in many cases victims never recover their data even after paying. In other cases, however, companies quietly pay the ransom and regain access to their data, hoping to minimize the damage to their operations and reputation.

Here again, old strategies may not be enough to address the new reality. Ransomware operators often make the argument that they can be trusted to provide decryption keys once they receive payment, because their "business model" depends on it—if word gets out that they don't follow through on their end of the deal, the next victim will have no incentive to pay. But even if an attacker provides decryption keys upon payment, how can they prove that they've followed through on a promise to delete the data they exfiltrated? And how could they ever be trusted to do it, when they could make an additional profit by selling the stolen data to someone else?

The only way to know that exfiltrated data is safe from misuse is to know that it was protected by strong, persistent encryption before it was exfiltrated. Encryption isn't a complete answer—firewalls, antimalware tools, and the other usual controls will continue to be necessary—but by locking down its highest-value data in advance, an organization can protect itself against the worst consequences of this emerging threat.