
50% of Ransomware Attacks Lead to Data Exfiltration; Payments Hit $234K

Ransom demands rose 31 percent from Q2 to Q3 2020, with an average of $234,000, while hackers threaten victims with extortion using exfiltrated data in nearly 50 percent of ransomware attacks.

Threat actors are increasingly turning to extortion, as data exfiltration now occurs in nearly 50 percent of ransomware attacks. Meanwhile, ransom payments rose 31 percent in the last quarter, to an average of $234,000, according to the Coveware Quarterly Ransomware Report.

The median ransom payment was $110,532. Researchers explained that payment costs have increased as hackers increasingly target larger enterprises, and “large, big game payments continue to drag the averages up.”

Improperly secured Remote Desktop Protocol (RDP) continues to be the primary vulnerability exploited by these attackers. The number of compromised RDP credentials has drastically increased in recent months, driving down the price of dark web listings.

Phishing emails and vulnerability exploits are the other leading footholds ransomware hackers use to gain access to a network. From that foothold, they escalate their privileges; once they have obtained admin privileges, the company is fully compromised, and data exfiltration and ransomware deployment follow within hours or days.
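A defender-side check for the RDP foothold described above, added here as an example and not taken from the Coveware report or this article: it scans Windows Security logon events for a burst of failed RDP logons (Event ID 4625, LogonType 10) from one source address that is followed by a successful RDP logon (Event ID 4624, LogonType 10) from the same address, the pattern left behind by a guessed or purchased credential. The event IDs and logon type are real Windows values; the pipe-delimited record layout, the usernames and the IP addresses are constructed for the example.

```python
"""Flag RDP logons that succeed after a burst of failures from one source.

Added example (not from the Coveware report or this article). Windows
Security Event ID 4625 is a failed logon, 4624 a successful one, and
LogonType 10 (RemoteInteractive) marks RDP sessions. The record layout
below is a constructed simplification of the real event fields.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: "timestamp|event_id|logon_type|user|source_ip"
SAMPLE_LOG = """\
2020-10-03T02:14:01|4625|10|administrator|203.0.113.7
2020-10-03T02:14:03|4625|10|administrator|203.0.113.7
2020-10-03T02:14:05|4625|10|admin|203.0.113.7
2020-10-03T02:14:08|4625|10|backup|203.0.113.7
2020-10-03T02:14:10|4625|10|administrator|203.0.113.7
2020-10-03T02:14:12|4625|10|administrator|203.0.113.7
2020-10-03T02:19:40|4624|10|administrator|203.0.113.7
2020-10-03T08:01:12|4625|10|jsmith|198.51.100.22
2020-10-03T08:01:30|4624|10|jsmith|198.51.100.22
2020-10-03T09:00:00|4625|10|administrator|192.0.2.9
2020-10-03T09:00:02|4625|10|administrator|192.0.2.9
2020-10-03T09:00:04|4625|10|administrator|192.0.2.9
2020-10-03T09:00:06|4625|10|administrator|192.0.2.9
2020-10-03T09:00:08|4625|10|administrator|192.0.2.9
2020-10-03T09:00:10|4625|10|administrator|192.0.2.9
2020-10-03T09:00:12|4625|10|administrator|192.0.2.9
2020-10-03T09:00:14|4625|10|administrator|192.0.2.9
2020-10-03T11:45:00|4624|3|svc_backup|203.0.113.7
"""


def parse_events(log_text):
    """Parse the pipe-delimited records into dicts, sorted by time."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, user, src = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src": src,
        })
    events.sort(key=lambda e: e["time"])
    return events


def failed_rdp_logons_by_source(log_text):
    """Count failed RDP logons (4625, LogonType 10) per source address."""
    counts = defaultdict(int)
    for ev in parse_events(log_text):
        if ev["event_id"] == 4625 and ev["logon_type"] == 10:
            counts[ev["src"]] += 1
    return dict(counts)


def find_suspicious_rdp_logons(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return successful RDP logons preceded by >= threshold failures
    from the same source within the window. Non-RDP logon types are
    ignored so that ordinary network logons do not pollute the result."""
    recent_failures = defaultdict(deque)  # source ip -> failure timestamps
    findings = []
    for ev in parse_events(log_text):
        if ev["logon_type"] != 10:
            continue
        queue = recent_failures[ev["src"]]
        # Drop failures that fell out of the sliding window.
        while queue and ev["time"] - queue[0] > window:
            queue.popleft()
        if ev["event_id"] == 4625:
            queue.append(ev["time"])
        elif ev["event_id"] == 4624:
            if len(queue) >= threshold:
                findings.append({
                    "src": ev["src"],
                    "user": ev["user"],
                    "time": ev["time"].isoformat(),
                    "failures": len(queue),
                })
            queue.clear()  # a success resets the burst for this source
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_rdp_logons(SAMPLE_LOG):
        print(f"{hit['src']} logged in as {hit['user']} at {hit['time']} "
              f"after {hit['failures']} failed RDP logons")
    print("failures by source:", failed_rdp_logons_by_source(SAMPLE_LOG))
```

In the sample, 203.0.113.7 is flagged (six failures, then a success within the window), 198.51.100.22 is not (a single failure followed by success looks like a mistyped password), and 192.0.2.9 appears only in the per-source failure counts because its guessing has not yet succeeded. Both views are useful: the first is an incident signal, the second is the reason to put RDP behind a VPN or gateway with multi-factor authentication rather than leaving it exposed.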

“Defending against ransomware that begins with email phishing or a CVE requires more nuanced and in-depth defense,” researchers noted. 

Extortion techniques also continue to find success, as hackers have realized the same tactics and procedures used to successfully target smaller companies are just as effective at companies with thousands of employees, researchers explained. 

And though the rise implies attacks are increasing in sophistication, Coveware does not believe that’s the case. 

“The biggest change over the past six quarters is threat actors now realize that their tactics scale to much larger enterprises without much of an increase in their own operating costs,” researchers wrote. “The profit margins are extremely high, and the risk is low.”  

“This problem will continue to get worse until pressure is applied to the unit economics of this illicit industry,” he added. “It is also possible that the influx of remote and work-from-home setups using RDP and other remote technologies allowed threat actors to leverage attack vectors that previously didn’t exist.”

Leading Ransomware Variants

The Sodinokibi variant led the pack with 16.2 percent of the market share, followed by Maze with 13.6 percent. However, the notorious Maze operators have since shut down their operations.

Maze was the first group to popularize the double extortion attack method, which has pummeled the healthcare sector for more than a year. According to the research, it appears that Egregor and Sekhmet threat actors have since inserted Maze ransomware code into their variants. 

Coveware thus named Egregor the “heir apparent.” Brett Callow, a threat analyst with Emsisoft, recently told HealthITSecurity.com that the threat emerged in September. 

“Egregor appears to be a spin-off of Sekhmet, albeit far more active,” Callow said. “And like Sekhmet and multiple other groups, the actors behind Egregor exfiltrate data and use the threat of its release as additional leverage to extort payment. The group’s claimed victims include Barnes and Noble, Ubisoft, a subsidiary of Berkshire Hathaway, a medical equipment manufacturer, and a hospital.”  

“Ransomware attacks on healthcare providers and the healthcare supply chain have continued unabated through the pandemic and represent a significant risk to patients,” he added. "Unfortunately, there is no reason to believe that ransomware will become less of a problem any time soon and it’s almost certain that the healthcare industry will continue to be heavily targeted.”

Update and Correction: The original piece attributed an Egregor data leak to healthcare company, HMS Holdings. The data was later identified as HMS Fabrics. An HMS Holdings Spokesperson said in an emailed statement: "HMS Holdings verifies that the data posted by Egregor was not HMS Holdings’ data, nor was it the data of HMS Holdings’ clients." 

"HMS Holdings also confirms that it has not been contacted by Egregor or any similar party related to matters involving its data, security, ransomware or the like," they added. "HMS Holdings is HITRUST certified and has received numerous awards for its security protocols.”

Double Extortion

To Coveware, hackers leverage the threat of releasing exfiltrated data as a “monetization conversion kicker.”

In the past, ransomware victims could restore data from adequate backups. But with the increase in data exfiltration, even victims with restorable backups are compelled to engage with the attackers to see what data was taken from their network. 

Further, data exfiltration may have reached a tipping point: Coveware has seen a “fraying of promises of the cybercriminals,” even when a victim decides to pay the attacker with assurances that the data will be deleted. 

Researchers have observed several hacking groups publicly doxing victims, even after a ransom payment. Some have even demanded a second extortion payment from victims that previously paid to have the data deleted and not leaked.

The stats are concerning, particularly in healthcare, where several extorted providers have admitted to paying the ransom demand to ensure the stolen data is returned. Recent examples include the University of California San Francisco and the massive Blackbaud ransomware hack. 

Coveware data shows Sodinokibi re-extortion efforts occur weeks after the initial incident, with later threats to post the same data set. Meanwhile, Maze, Egregor, and Sekhmet have leaked data before the victim even understood that their data had been taken from their network.

Netwalker and Mespinoza also posted data from companies that previously paid for the data not to be leaked. But perhaps most concerning of all, Conti threat actors have shown victims fake files as proof that the stolen data was deleted.

Conti threat actors have repeatedly attempted to extort healthcare providers, often nonprofits that provide low-cost mental healthcare services. These include Riverside Community Care in Massachusetts, a behavioral healthcare and human services provider whose services include child and family services, and West End Medical Center, now operating as Family Health Centers of Georgia, a nonprofit community health center and primary care medical home.

While there are always valid reasons to pay ransom demands in an effort to prevent data from being leaked, Coveware researchers stressed that there are elements breach victims should first consider. 

“The data will not be credibly deleted. Victims should assume it will be traded to other threat actors, sold, or held for a second, future extortion attempt,” researchers wrote. “Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end.” 

“Stolen data custody was held by multiple parties and not secured. Even if the threat actor deletes a volume of data following a payment, other parties that had access to it may have made copies so that they can extort the victim in the future,” they added. “The data may get posted anyway by mistake or on purpose before a victim can even respond to an extortion attempt.”
