Data: The Currency of Modern Extortion
The ransomware threat landscape has evolved greatly over the past few years. In most ransomware incidents, threat actors steal valuable data from victim networks during the intrusion. This data is then used to threaten victims with exposure if ransom demands are not paid. The tactic has been so effective at obtaining ransom payments that threat actors now also engage in data-extortion-only attacks, threatening data exposure without subsequently encrypting victim networks as they would in a ransomware attack. Threat actor groups often maintain data leak sites where they name victims and leak data when ransom demands are not met.
Data exposed in these attacks could include personally identifiable information (PII) such as Social Security numbers, financial information such as payment card numbers, or account information such as usernames and passwords. This information is only valuable to the threat actors if they can read it and subsequently post it. If organizations encrypt sensitive data at rest and in transit, threat actors would face a much greater challenge weaponizing it to extort victims.
Recommendations
- Implement robust encryption by ensuring sensitive files are encrypted at the application or database level, with cryptographic keys stored separately from the data.
- Consider deploying a data loss prevention tool to detect, prevent, and manage the unauthorized sharing or transmission of sensitive data.
- Identity and access management (IAM) is vital in preventing unauthorized data access and exposure. If a threat actor obtains administrative credentials, they may be able to decrypt and view sensitive data. Enforce zero-trust and the principle of least privilege.
- Provide security awareness training that teaches users how to identify phishing emails, so they do not expose sensitive information or account credentials in response to a message they mistake for legitimate.
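The first recommendation (application-level encryption with keys held apart from the data) is the one that most directly blunts data extortion, so the following Go program, added here as an illustration and not code from the original advisory, shows the usual envelope-encryption pattern: each record gets its own random data-encryption key (DEK), the sensitive field is encrypted under that DEK with AES-256-GCM, and only a copy of the DEK wrapped by a key-encryption key (KEK) is stored beside the ciphertext. The KeyStore type and its seed-derived KEK are hypothetical stand-ins for a KMS or HSM, and the customer record is a constructed sample. The point the example makes is the one the text makes: a stolen copy of the table contains nothing readable without the separately held KEK, and a row moved or altered in the dump fails authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Record is the row as it would sit in the database: the name is in the clear,
// the SSN is AES-GCM ciphertext, and the per-record DEK is present only in
// wrapped form. A dump of this table yields no plaintext PII.
type Record struct {
	ID         string
	Name       string
	SSNCipher  []byte // nonce || ciphertext || GCM tag
	WrappedDEK []byte // DEK encrypted under the KEK, same layout
}

// KeyStore is a hypothetical stand-in for an HSM or cloud KMS: it holds the
// key-encryption key and exposes only Wrap/Unwrap, so the KEK never sits
// next to the data it protects.
type KeyStore struct {
	kek []byte
}

// NewKeyStore derives a 256-bit KEK from a seed. Demo convenience only: a
// real KEK is generated inside the KMS/HSM, never derived from a string.
func NewKeyStore(seed string) *KeyStore {
	k := sha256.Sum256([]byte(seed))
	return &KeyStore{kek: k[:]}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM under a fresh random nonce; aad is
// authenticated but not encrypted. Output layout is nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal and fails on any change to the ciphertext or the aad.
func unseal(key, data, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func (ks *KeyStore) Wrap(dek, aad []byte) ([]byte, error) { return seal(ks.kek, dek, aad) }
func (ks *KeyStore) Unwrap(w, aad []byte) ([]byte, error) { return unseal(ks.kek, w, aad) }

// EncryptRecord generates a random DEK per record, encrypts the SSN under it,
// and stores only the KEK-wrapped DEK beside the ciphertext. The record ID is
// the AAD, so a ciphertext cannot be moved to another row unnoticed.
func EncryptRecord(ks *KeyStore, id, name, ssn string) (Record, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Record{}, err
	}
	aad := []byte(id)
	ct, err := seal(dek, []byte(ssn), aad)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := ks.Wrap(dek, aad)
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, Name: name, SSNCipher: ct, WrappedDEK: wrapped}, nil
}

// DecryptSSN needs the key store: without the KEK the wrapped DEK is opaque,
// and without the DEK the SSN ciphertext cannot be opened.
func DecryptSSN(ks *KeyStore, r Record) (string, error) {
	aad := []byte(r.ID)
	dek, err := ks.Unwrap(r.WrappedDEK, aad)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := unseal(dek, r.SSNCipher, aad)
	if err != nil {
		return "", fmt.Errorf("open SSN: %w", err)
	}
	return string(pt), nil
}

func main() {
	ks := NewKeyStore("demo-kek-seed") // constructed demo seed
	rec, err := EncryptRecord(ks, "cust-0001", "Jane Example", "123-45-6789") // constructed sample
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: id=%s name=%s ssn=%x\n", rec.ID, rec.Name, rec.SSNCipher)
	ssn, err := DecryptSSN(ks, rec)
	fmt.Println("with the key store:", ssn, err)
	_, err = DecryptSSN(NewKeyStore("no-access-to-the-real-kek"), rec)
	fmt.Println("without the key store:", err)
}
```

Two design choices carry the recommendation's weight: the KEK lives only inside the key store abstraction, so rotating it means re-wrapping DEKs rather than re-encrypting every row, and the record ID is bound in as AAD, so GCM's authentication tag also covers which row a ciphertext belongs to. A data loss prevention tool scanning for SSN patterns would likewise find nothing to flag in this table, which is the intended outcome of encrypting before the data reaches storage.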
