Which Data Do Ransomware Attackers Target for Double Extortion?

Double extortion is one of the most prevalent ransomware tactics today. The attackers first exfiltrate sensitive information from their target and only then launch the ransomware encryption routine. The threat actor then demands a ransom in exchange for restoring access to the encrypted assets, with the additional threat of publishing or otherwise releasing the stolen data if the demand is not met promptly.

The tactic has proved very effective because it undermines the recovery strategies of organizations that planned to rely on restoring from backups in the event of a ransomware attack. Backups restore availability, but they do nothing about data that has already been copied off the network, so with double extortion the options for organizations become more limited.

According to Help Net Security, only one ransomware gang was using the tactic back in 2019, but the successful leverage play was quickly adopted by other ransomware operators within just a year. By the end of Q1 2021, researchers observed the percentage of ransomware attacks that included threats to publish exfiltrated data if a ransom demand was not paid had increased to 77% of all documented ransomware attacks.

Common Data Types Targeted by Ransomware Attackers

This growth in double extortion raises an important question: what types of data do ransomware attackers tend to exfiltrate as leverage for double extortion? It usually depends on the affected organization, but some data categories are targeted more often than others. Four of those categories are described below.

Protected Health Information

Protected Health Information (PHI) includes medical records, diagnosis details, and patient insurance data. Attackers target this category because they know that healthcare organizations need uninterrupted access to medical information to deliver patient care on time, which is why they changed their tactics during the COVID-19 pandemic to include exfiltration of this kind of data.

Per the Wall Street Journal, at the height of the pandemic ransomware actors deployed their malware payloads more quickly inside the networks of healthcare providers than in those of other organizations. Many of those attacks did not even involve data exfiltration; the attackers simply bet on victims agreeing to pay so that they could get their data back as quickly as possible.

Other Sensitive Personally Identifiable Information

Birthdates, physical addresses, and Social Security Numbers (SSNs) are among the most commonly targeted sensitive personal details. By stealing this type of data, ransomware actors can monetize it on the dark web as part of a full identity profile. Buyers can then use that information for various types of identity theft or fraud: filing a fraudulent tax return in a victim's name, for instance, or applying for a mortgage or opening a bank account while impersonating the victim.

Alternatively, ransomware actors can use that information to conduct triple extortion schemes, in which the victim's customers are pressured directly. Cl0p was one of the first ransomware gangs to use this tactic, as noted by Bleeping Computer.

In an attack detected in March 2021, for instance, the Cl0p operators emailed the customers of their target, informing them that their personal information had been stolen and would be published. The attackers then instructed the customers to write to the target organization and urge it to “protect [their] privacy” by paying the ransom demand.

Account Credentials

Consisting primarily of usernames and passwords, account credentials are valuable to ransomware actors because they need them to infect as much of a target's network as possible. Indeed, in a previous blog on detecting complex ransomware operations (RansomOps™), we noted that the fourth stage of a typical ransomware attack involves stealing credentials to gain access to more of the targeted network.

The attackers ultimately use that access to move laterally across the network so that they can encrypt more devices and thereby demand a larger ransom.

Intellectual Property

Intellectual property includes details of upcoming product releases and other information integral to a victim's line of business. As with stolen personal details, ransomware actors can monetize a victim's intellectual property on the dark web or hand it over to a state sponsor.

A competing organization can then purchase the information on the black market and use it to undermine the victim's business objectives. Alternatively, a rival state can use it to advance its own interests at the expense of the victim's host country.
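The sequence described in the introduction, exfiltration first and encryption second, gives defenders a window: the four data categories above have to be read in bulk and pushed off the network before the payload runs. The following script, added here as an illustration and not code from Cybereason or the original post, shows one way to correlate endpoint telemetry for that staging-then-exfiltration pattern. Every host name, path, address and event in it is constructed sample data, and the keyword lists that tag files as PHI, PII, credentials or intellectual property are illustrative assumptions rather than a complete classification policy.

```python
"""Added example (not Cybereason's code): correlate endpoint events to flag the
exfiltration stage of a double-extortion attack before encryption starts.

Every host, path, address and event below is constructed sample data, and the
category keyword lists are illustrative assumptions, not a full DLP policy.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Keyword hints for the data categories the post discusses (assumed, illustrative).
CATEGORY_HINTS = {
    "PHI": ("patient", "diagnosis", "mrn", "icd10"),
    "PII": ("ssn", "dob", "address", "customer"),
    "CREDENTIALS": ("ntds.dit", "lsass", "password", ".kdbx", "creds"),
    "IP": ("roadmap", "schematic", "design", "source_code"),
}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # US SSN shape in file content


def classify(path: str, sample: str) -> set[str]:
    """Tag a file with the categories it appears to contain, from its path
    and a content sample such as a DLP sensor would capture on read."""
    text = f"{path} {sample}".lower()
    cats = {c for c, hints in CATEGORY_HINTS.items() if any(h in text for h in hints)}
    if SSN_RE.search(sample):
        cats.add("PII")
    return cats


@dataclass
class Event:
    ts: int            # seconds since epoch
    host: str
    kind: str          # "file_read" or "net_out"
    size: int          # bytes read or bytes sent
    path: str = ""     # file_read only
    sample: str = ""   # file_read only: leading bytes of the file
    dst: str = ""      # net_out only: remote endpoint


@dataclass
class Alert:
    host: str
    dst: str
    sent_bytes: int
    sensitive_files: int
    categories: set[str]


def detect_exfil(events, known_dsts, window=600, min_files=5, min_bytes=50_000_000):
    """Alert when a host reads a burst of sensitive files and, within `window`
    seconds, sends a large transfer to a destination outside its baseline.
    A large transfer with no sensitive reads behind it, or one to a known
    destination such as the backup server, is left alone to limit false positives."""
    reads: dict[str, list[tuple[int, set[str]]]] = defaultdict(list)
    alerts: list[Alert] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "file_read":
            cats = classify(e.path, e.sample)
            if cats:
                reads[e.host].append((e.ts, cats))
        elif e.kind == "net_out":
            if e.size < min_bytes or e.dst in known_dsts.get(e.host, set()):
                continue
            recent = [c for ts, c in reads[e.host] if e.ts - ts <= window]
            if len(recent) >= min_files:
                alerts.append(Alert(e.host, e.dst, e.size, len(recent), set().union(*recent)))
    return alerts


def sample_events() -> list[Event]:
    """Constructed telemetry: one staging-then-exfil host, one backup job, one noisy dev box."""
    t = 1_700_000_000
    hr = "ws-hr-07"
    sensitive = [
        (r"\\fs-01\hr\payroll\employees.csv", "name,ssn,dob\nJane Doe,123-45-6789,1980-01-01"),
        (r"\\fs-01\benefits\patient_claims.xlsx", "mrn,diagnosis,icd10,amount"),
        (r"\\fs-01\hr\addresses.csv", "employee,street_address,city"),
        (r"\\fs-01\hr\new_hire_dob.csv", "employee,dob"),
        (r"C:\Users\svc_backup\Desktop\creds.kdbx", ""),
        (r"\\fs-01\eng\roadmap_2022.pptx", ""),
    ]
    events = [Event(t + 30 * i, hr, "file_read", 4_000_000, path=p, sample=s)
              for i, (p, s) in enumerate(sensitive)]
    events.append(Event(t + 400, hr, "net_out", 120_000_000, dst="203.0.113.5"))
    # Nightly backup job: same sensitive files, but sent to a baselined destination.
    events += [Event(t + 3600 + 30 * i, "fs-01", "file_read", 4_000_000, path=p, sample=s)
               for i, (p, s) in enumerate(sensitive)]
    events.append(Event(t + 3900, "fs-01", "net_out", 900_000_000, dst="backup.corp.example"))
    # Developer pushing a big build artifact with no sensitive reads behind it.
    events.append(Event(t + 7200, "ws-dev-02", "file_read", 1_000, path="README.md", sample="build steps"))
    events.append(Event(t + 7260, "ws-dev-02", "net_out", 200_000_000, dst="198.51.100.9"))
    return events


# Per-host baseline of destinations that are expected to receive bulk data (assumed).
KNOWN_DESTINATIONS = {"fs-01": {"backup.corp.example"}, "ws-hr-07": {"mail.corp.example"}}


def run_demo() -> list[Alert]:
    return detect_exfil(sample_events(), KNOWN_DESTINATIONS)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.host} -> {a.dst}: {a.sent_bytes} bytes after {a.sensitive_files} "
              f"sensitive reads ({', '.join(sorted(a.categories))})")
```

Run as-is, the script raises a single alert for ws-hr-07, whose reads span all four categories, while the backup job (known destination) and the developer's upload (no sensitive reads) stay quiet. The thresholds, window and keyword lists are starting points to tune against your own telemetry; the point of the structure is that the two weak signals, sensitive reads and an unusual outbound transfer, become a strong one only when they occur on the same host in sequence.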

The Consequences of a Ransomware Attack

In a recent report, we found that organizations suffer a range of consequences when ransomware actors succeed in encrypting and/or exfiltrating the data categories discussed above. Those effects include the following:

    • Loss of Business Revenue: Two-thirds of respondents to our survey said that their employer lost significant revenue following a ransomware attack.
    • Brand and Reputation Damage: More than half (53%) of survey participants indicated that a successful ransomware attack had damaged their employer’s brand and reputation.
    • C-Level Talent Loss: About a third of organizations reported losing C-Level talent as a direct result of a successful ransomware attack.
    • Employee Layoffs: Nearly three in 10 respondents told us that they laid off employees due to the financial pressures that followed a successful ransomware attack.
    • Business Closures: A quarter of respondents indicated that their employer temporarily closed the business after suffering a ransomware attack.

These findings help to explain why 81% of respondents told us that they’re highly or very concerned about the risk of ransomware attacks. They also highlight the need for organizations to keep their information safe.

The Cybereason Advantage Over Ransomware

The best strategy for organizations is to prevent a ransomware attack from succeeding in the first place. That requires a multi-layered solution that uses Indicators of Behavior (IOBs) to detect and block a ransomware operation at the earliest stages of initial ingress, before sensitive data is exfiltrated for double extortion and long before the ransomware payload itself is delivered.

The Cybereason operation-centric approach detects RansomOps attacks earlier, which is why Cybereason is undefeated in the battle against ransomware, with the best prevention, detection and response capabilities on the market.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere, including modern ransomware attacks. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
