Data Hostages – A Common Cyber Threat

Ransomware

July 13, 2023

Over the last several years, the NJCCIC has observed a steady increase in ransomware attacks with a data exfiltration component. Stealing data from victim networks before the encryption process gives cyber threat actors a second source of pressure on victims to pay ransom demands: the threat of public exposure of the stolen data. This threat has proven so effective that, since approximately mid-2022, the NJCCIC has observed a growing number of ransomware groups forgoing encryption altogether and solely stealing data from victims, as this approach is often easier and less costly from an operational standpoint. Cyber threat actors obtain network access by purchasing it from initial access brokers, through social engineering schemes, or by exploiting vulnerabilities in internet-facing systems. Once data is exfiltrated, it can be sold on dark web forums and posted to a public “shaming” website with the intent to cause reputational damage. For example, the Cl0p ransomware group, noted as one of the primary groups exploiting the recent MOVEit vulnerabilities, was observed partnering with groups that prefer to sell exfiltrated data rather than encrypt victims’ files. In fact, Cl0p, BlackCat/AlphV, and a growing number of other ransomware groups habitually target file transfer services and applications such as Accellion, GoAnywhere, and WinSCP, because these systems concentrate exactly the data that is most valuable for extortion.

Organizations are highly advised to encrypt their sensitive data at rest and in transit so that unauthorized entities cannot publicly disclose it in readable form. If the threat actor cannot post the data in a readable form, they lose their leverage in convincing victims to pay the ransom demand. Note that this protection only holds if the encryption keys are not exfiltrated alongside the data: full-disk or transparent database encryption does not help against an actor who reads files as a logged-in user on a running system, so sensitive records should be encrypted at the application or field level with keys held outside the storage tier (for example, in a hardware security module or a managed key service) and decryptable only by the accounts that genuinely need the plaintext. Additionally, organizations should ensure they are following requirements for storing and transmitting protected information, such as personally identifiable information (PII) and protected health information (PHI), as the exposure of this information could lead to regulatory fines against the victim organization in addition to the cost of providing credit monitoring and other identity theft protection services to impacted individuals.
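The following is an added example (not NJCCIC code) of the key-separation pattern that makes encryption at rest actually remove an extortionist's leverage: envelope encryption. Each record is encrypted under its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK), and only the wrapped DEK and ciphertext are stored with the data. The KEK is assumed to live elsewhere (an HSM or key service); here it is simply generated in memory to keep the example self-contained. The record, label, and key handling are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what sits on the file server or in the database: the record's
// ciphertext plus the data-encryption key (DEK) that protects it, with the DEK
// itself wrapped under a key-encryption key (KEK). The KEK never touches the
// storage tier, so an attacker who copies Envelope values gets nothing readable.
type Envelope struct {
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad=label)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, record, aad=label)
}

// NewKEK returns a random 256-bit key-encryption key. In production the KEK is
// generated and held by a KMS/HSM (assumption for this example), not by the app.
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return kek, nil
}

// sealGCM encrypts plaintext under key with AES-256-GCM, authenticates aad, and
// returns nonce || ciphertext || tag so the blob is self-describing.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; it fails if the key or aad is wrong or any byte
// of the blob was altered.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptRecord generates a fresh DEK for one record, encrypts the record under
// it, and wraps the DEK under the KEK. label (e.g. a record ID) is authenticated
// by both layers so an Envelope cannot be silently moved to another record.
func EncryptRecord(kek, record, label []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, record, label)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(kek, dek, label)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then decrypts the record.
func DecryptRecord(kek []byte, env *Envelope, label []byte) ([]byte, error) {
	dek, err := openGCM(kek, env.WrappedDEK, label)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, env.Ciphertext, label)
}

func main() {
	kek, err := NewKEK()
	if err != nil {
		panic(err)
	}
	// Constructed sample record and label; not real data.
	record := []byte("name=J. Doe;ssn=000-00-0000;dx=hypertension")
	label := []byte("patient/00042")

	env, err := EncryptRecord(kek, record, label)
	if err != nil {
		panic(err)
	}
	// What exfiltration yields: the Envelope, but not the KEK.
	attackerKey, _ := NewKEK()
	if _, err := DecryptRecord(attackerKey, env, label); err != nil {
		fmt.Println("stolen envelope is unreadable without the KEK:", err)
	}
	// The authorized path, with the KEK obtained from the key service.
	pt, err := DecryptRecord(kek, env, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("authorized decrypt: %s\n", pt)
}
```

The design point is in the Envelope type: everything an attacker can copy from storage is there, and none of it is useful without the KEK. Access to the KEK (and therefore to plaintext) can then be logged and restricted at the key service, which is also where a compromised application account, rather than a copied disk, becomes the threat to monitor.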

While this technique is growing in popularity among cyber threat actors, the NJCCIC continues to observe traditional ransomware cyberattacks in which data is encrypted and the victim must choose between paying the ransom for a decryptor, restoring from their own backups, or accepting the data loss. It is therefore vital for organizations to employ best practices for traditional ransomware, including maintaining offline, regularly tested backups that the attacker cannot reach from the compromised network, and to prepare incident response plans for both encryption and data theft scenarios.

The NJCCIC advises organizations to ensure they protect sensitive data stored on their network and employ other ransomware mitigation strategies to reduce the likelihood and impact of a ransomware attack. Additionally, follow cybersecurity best practices, including user awareness training, patching against known vulnerabilities, and employing access controls.

The following resources provide additional information and strategies to reduce risk: