A staggering 91% of ransomware attacks now involve data exfiltration, usually to servers in China or Russia, marking a significant evolution beyond file encryption. This exponential increase in theft creates endless extortion possibilities, triggers legal action, enables individualized claims, and facilitates future breaches.
According to our 2023 Annual Ransomware Report, 91% of all ransomware incidents now involve some form of data exfiltration, typically to servers in China or Russia. This marks a significant change from previous ransomware attacks, which aimed solely at encrypting files and demanding a ransom for decryption.
This makes traditional backup solutions ineffective for organizations when it comes to fully protecting against modern ransomware. Although backups can help restore encrypted files, they cannot recover data that has already been stolen for sale on cybercrime forums or dark web networks.
The only way to properly defend against this threat is to prioritize real-time solutions that focus on preventing unauthorized data transfer. Emerging next-generation technologies such as anti data exfiltration (ADX) enable the rapid threat detection and response needed to stop anomalous data movements early, before sensitive information is compromised.
Here are four points we’ve put together to accurately depict how the landscape has evolved as a result of this trend.
Blackmail can last for years
Once data is exfiltrated during an attack, cybercriminals can continue to exploit it for further extortion long after the initial incident. Even if the initial demands are met and the ransom is paid, the threat often remains.
This allows ransomware groups to repeatedly attack and threaten the same victims, prolonging the timeline of damage.
A prime example is the 2015 Ashley Madison data breach. While not a ransomware attack per se, its aftermath demonstrates the impact of data exfiltration very clearly. After the dating site's customer names and personal information were leaked online, cybercriminals used that sensitive data to stalk and harass individual victims for years.
Even after an initial breach, they can leak more information or threaten to expose affected individuals to their families and communities. This potential lifetime threat shows why proactive early intervention is needed in response to data breaches.
More legal action will be taken
Data breaches and identity theft often cause panic and anxiety among those affected. As a result, legal action may increase.
When personal records are exposed online, individuals are at increased risk of financial fraud and identity theft. The impact goes beyond individuals, as businesses can also be held liable if they don’t properly protect customer data.
As data leaks from ransomware attacks continue, we expect to see an increase in lawsuits from affected parties. Employees can also take legal action against employers who fail to protect their personal data.
From an attacker’s perspective, data encryption primarily poses problems for targeted companies. However, the greater the fallout from an attack, the greater the pressure and disruption it places on the organization. Public relations damage and legal liability can quickly add up when a breach affects a large number of customers or clients.
This forces companies to act swiftly to mitigate attacks, which often come with hefty ransom demands. In this sense, a large-scale attack creates broader confusion and urgency in resolving the incident.
The underlying incentive structure explains why attackers seek to compromise as much data as possible. The more victims there are, the more leverage the hackers have in extracting lucrative payouts. Data breaches are therefore not an accidental byproduct, but a deliberate strategy to create crisis-level stakes that force companies to cooperate.
Data exfiltration allows ransomware groups to tailor demands to each victim based on the value and sensitivity of the stolen content. For example, local governments may face higher ransoms if resident data is compromised compared to typical customer records stolen from retailers.
Ransomware negotiation chats provide transparency into this calculated strategy. Ransomware groups openly admit in their conversations that they first scope out data before deploying ransomware across systems.
This phase includes identifying the most important and sensitive internal data that will be exposed. Patient medical records, employee payroll files, customer personally identifiable information (PII), and intellectual property are high-value theft targets.
Stolen data facilitates future breaches
Beyond the initial extortion, compromised data can serve as fuel for secondary attacks using tactics such as SIM swapping, social engineering, and password reuse attacks. Even if organizations identify and contain the initial breach, the hard truth is that their data may resurface in future cyber incidents by the same or different criminal groups.
For example, if an employee’s credentials or passwords are stolen, they hold lasting value to an attacker. These can be sold on cybercrime forums or used directly by hackers to impersonate employees and infiltrate networks. A repeat breach of this kind can occur months or years later, often catching businesses by surprise if previous incidents were not properly addressed or prevented.
When compared to data encryption, a single data breach should be considered the beginning of an ongoing crisis rather than an isolated event. The breach itself represents a single domino, potentially triggering a cascade of additional activities enabled by the compromised data.
Take the next step with BlackFog
BlackFog provides advanced ADX technology solutions to protect your network and keep your data safe. BlackFog uses behavioral analytics to proactively prevent data theft and give you an edge in the ransomware game.
Deploying BlackFog is a proactive measure to protect your organization’s data and prevent it from falling into the wrong hands. Don’t wait for a breach. Sign up for an evaluation today and strengthen your defenses with BlackFog.