Data theft in ransomware attacks may change disclosure game

Many ransomware attacks aren't publicly disclosed. But as ransomware gangs continue to steal, encrypt and threaten to publicly release data, that may be changing.

The data theft and shaming tactic initiated by several ransomware groups, most notably Maze, has blurred the line between ransomware attacks and data breaches, forcing some enterprises into disclosing incidents when they would not normally go public.

Security researchers, analysts and IT risk assessors agree that companies most likely would not disclose a traditional ransomware attack unless legally required to do so. Jared Phipps, vice president of worldwide sales engineering for SentinelOne, said public disclosure of traditional ransomware attacks is rare. "I would say for every one ransomware incident that's disclosed, there's probably 100 that are not," he said. "A vast majority of ransomware attacks are undeclared because there is no data shaming involved."

But as attackers turn to stealing data and threatening public release on top of the ransomware attack, enterprises are left with fewer choices. While data shaming can lead to embarrassment for the victims, it's the data theft that ultimately compels them to go public.

Public disclosure is typically required when certain types of data are accessed or stolen, such as personally identifiable information (PII) and payment card industry (PCI) data.

Most U.S. states and many international regions have some form of breach disclosure requirement when personal and sensitive information of citizens has been accessed or revealed inappropriately, Rapid7 chief data scientist Bob Rudis said.

"Once attackers moved from encrypt and ransom to overtly steal, encrypt and threaten public disclosure (I say 'overtly' since it is likely many attackers who commit 'just' ransomware attacks also stole data) any organization who did not disclose the breach, in accordance with the regulations in the jurisdictions they operate in, would be liable to incur fines and other penalties so it is highly unlikely they would have tried to keep the theft and ransom breaches involving citizen PII private," Rudis said via email. "However, in the theft and ransom cases where company secrets and other data not involving citizen PII were stolen, many organizations have chosen to walk the fine line of not revealing the breach and just paying the ransom to avoid embarrassment."

A typical post on the Maze ransomware 'news' site will list the victim organization, URLs, network names and the amount of data stolen.

According to Emsisoft threat analyst Brett Callow, companies used to be able to choose whether to disclose an incident, as well as the timing of the disclosure.

"Ransomware groups' name-and-shame tactics have now taken that decision away from them. Unless companies pay to avoid being listed on a leak site, incidents invariably become public knowledge very quickly. In fact, groups likely use this to their advantage as it puts additional pressure on companies to settle and settle quickly," Callow said.

Over the course of 2020, Emsisoft has seen a sharp increase in ransomware-data theft combinations. In March, the vendor published a blog post arguing that ransomware attacks should be treated the same as data breaches and victims should publicly disclose incidents immediately.

"Given that there's no legal requirement to disclose ransomware incidents (unlike data breaches, which must be disclosed) there's little motivation for companies to come forward and admit they've been hit with ransomware. Many ransomware groups -- including Maze, DoppelPaymer, Sodinokibi and Nemty -- have been using techniques that enable them to extract a victim's data to a remote server, where it can be processed, read and used however they deem fit," Emsisoft wrote in the blog.

Shifts in disclosure practices?

It's unclear if the new approach to ransomware attacks has fundamentally shifted how enterprises handle disclosure, especially since ransomware gangs like Maze often force victims' hands by publicly disclosing attacks for them. Rudis said a review of recent theft, ransom and shaming attacks suggests disclosure would have been required for a large percentage of victims. "The 'shaming' component would ultimately not have been a forcing factor and very likely only sped up the eventual disclosure timetable."

The recent trend of threat actors targeting larger companies that are required to make public disclosures may have skewed the perception of breach disclosure, according to Bill Siegel, CEO of Coveware.

"Public companies typically have to make some SEC or other public regulatory disclosure. Public companies were not really being targeted that much 18 months ago, so it's not 100% clear if the disclosures are because of the data exfiltration and name-shame boards, or just because larger companies with an actual duty to disclose publicly are being impacted," Siegel said.

While publicly traded companies are required to report incidents, it's the enterprises that aren't subject to other regulations that are telling. Several recent attacks committed by Maze ransomware affiliates, for example, have been against smaller, private companies. Alex Burkardt, vice president of field engineering at data security vendor Vera, said such attacks put companies that wouldn't otherwise disclose a ransomware attack in an awkward position.

"For publicly traded companies it's business as usual; they're going to report it anyway, but it gets more attention because ransomware is in the news," Burkardt said. "The ones who have brand damage at stake are more resistant to release negative information about the company proactively."

However, ending up on a ransomware gang's "news" site doesn't necessarily mean an organization will admit to an attack. For example, 3D imaging company Faro Technologies was listed on REvil's leak site in May. Threat actors claimed to have stolen several terabytes of Faro's corporate data and threatened to publish it online, but the company was subsequently delisted from REvil's site in early June after the cybercriminals announced they had a "buyer" for the data.

It's unclear who the buyer was. A Faro spokesperson told SearchSecurity last month that the company was aware of the REvil post and "we are continuing to review it." But since that time, Faro has made no public statements confirming or denying that a ransomware attack or breach took place.

"The typical reasons for a company being delisted are either that the ransom was paid or that the company requested delisting as a condition of entering into negotiations," Callow said.

A lack of public disclosure could land victims in hot water. For example, a class action lawsuit was recently filed against New York accounting firm BST & Co. CPAs LLC on behalf of patients from Community Care Physicians whose data was stolen from the firm and published to Maze's leak site. While BST first learned of the Maze attack on Dec. 7, 2019, the company didn't alert affected parties until Feb. 14, 2020; the lawsuit claims the accounting firm didn't provide patients with a prompt notification of the incident.

Nick DeLena, principal at DGC, a Boston-based accounting and consulting firm, said disclosure practices may depend on a variety of factors beyond the type of ransomware attack.

"If you're in certain regulated industries, the reporting requirements are very stringent, but we know most companies in the U.S. are not in those very regulated industries," DeLena said. "There's no explicit requirement, and then you're left to what states are regulating for disclosures. If you're hit and not in a regulated industry and in a relaxed state, maybe they aren't going to report it because it would be bad for their reputation."

Bypassing backups

With the onslaught of ransomware attacks over the last decade, enterprises have turned to backup products and services to protect their data. But another challenge occurs when sensitive data is compromised and exfiltrated.

"The challenge is that backup solutions and other proactive measures that help mitigate don't change the fact that if an attack compromises 10 medical records, there's still a HIPAA violation. If they release it, even if they have backups, that data is not supposed to be public, so the magnitude of the damage is the same," Burkardt said.

Stealing the data, no matter how efficient backups are, provides criminals with additional leverage and monetization options. "Should the company not pay the ransom, the data can be sold. In fact, it may be sold even if the company does pay," Callow said.

While some attribute the data theft and shaming tactics to better backup practices, Siegel believes that profit maximization was ultimately what motivated ransomware gangs to evolve.

"The increase in conversion rates is not because backups are better -- it's because that extra one company did not want to be on a name-shame site, so they paid even though they did not need decryptors from the threat actor," Siegel said. "In the first half of 2020, more companies that would not have considered paying considered it because of the risk of brand damage if they are named-shamed."

But Siegel believes the trend may have peaked. "Over the past few months, more and more companies that don't need decryptors are digging in their heels and realizing that the PR hit passes very quickly."

DeLena has also observed a shift. "Before it was 'We will never disclose because it will make us look bad,' but now everyone is getting hit," he said.

Threat researchers say it's unclear if incorporating data theft and exposure has been a net positive for ransomware gangs because it takes more time, effort and resources to achieve lateral movement, locate sensitive data and exfiltrate it without being detected. Phipps said the data shaming and exfiltration may even add more complications because now an incident is treated as a breach, which requires a more formal investigation and response and could delay payment for threat actors.

"I think the reason actors are doing it is because they are hoping for a higher payout, but they aren't getting the results they're hoping for," he said. "It's probably being counterproductive for what a threat actor is doing, but it is bringing awareness to the larger number of breaches that are happening."

But Phipps said ransomware attacks are still rising dramatically and more threat actors are embracing the tactic of data theft and shaming.

"It's very profitable. There's billions and billions of dollars. There's going to be a lot more investment and ingenuity," he said. "Maze is one type, but you're going to see more and more people trying to make money off of this."
