What data is most prized by ransomware attackers?

A new report by Rapid7 investigates the trend, pioneered by the Maze ransomware group, of double extortion, examining the contents of initial data disclosures intended to coerce victims to pay ransoms.

“Pain Points: Ransomware Data Disclosure Trends” reveals how ransomware attackers think, what they value, how they approach applying the most pressure on victims to get them to pay, and insights on the data threat actors prefer to collect and release.

By gaining access to a network and holding its data for ransom, ransomware has become one of the most pressing and diabolical threats faced by cybersecurity teams. Causing billions in losses across most industries, it has stopped critical infrastructure like healthcare services in its tracks, putting at risk the lives and livelihoods of many.

Threat actors have upped the ante by using “double extortion” as a way to inflict maximum pain on an organisation. Through this method, not only are threat actors holding data hostage for money, but they also threaten to release that data (either publicly or for sale on dark web outlets) to extract even more money from companies.

In a first-of-its-kind analysis using proprietary data collection tools to analyse the disclosure layer of double-extortion ransomware attacks, Rapid7 has identified the types of data attackers initially disclose to coerce victims into paying ransom, determining trends across industry and geography. Australia was positioned eighth in the rankings for distribution of ransomware incidents in the top 12 countries.

The report examined all ransomware data disclosure incidents reported to customers through its threat intelligence platform between April 2020 and February 2022, and incorporates threat intelligence coverage and institutional knowledge of ransomware threat actors. This analysis determined the following:

• The most common types of data attackers disclosed in some of the most highly affected industries and how they differ

• How leaked data differs by threat actor group and target industry

• The current state of the ransomware market share among threat actors and how that has changed over time

Overall, trends in ransomware data disclosures pertaining to double extortion varied slightly, except in pharmaceuticals, financial services, and healthcare. In general, financial data was leaked most often (63%), followed by customer/patient data (48%).

In the financial services sector, customer data was the most leaked, rather than financial data from the firms themselves. In the healthcare and pharmaceutical sectors, internal financial data was leaked some 71% of the time, more than in any other industry. In the pharmaceutical industry, the tendency of threat actors to release intellectual property (IP) files stood out: 43% of all disclosures included IP.

The report provides a clearer understanding of the state of ransomware threat actors. We can pinpoint the evolution of ransomware groups, what data the individual groups value for initial disclosures, and their prevalence in the market. The top five groups in 2021 made up 56% of all attacks, with a variety of smaller, lesser-known groups responsible for the rest.

While there is no silver bullet to the ransomware problem, there are best practices organisations can follow to protect against threat actors and minimise the damage, should they strike. To download the latest Ransomware Report, visit https://information.rapid7.com/rs/411-NAK-970/images/Ransomware-Data-Disclosure-Report.pdf