Critical Data Disclosure Trends in Double Extortion Ransomware Attacks

By Paul Prudhomme, Head of Threat Intelligence Advisory at Rapid7 

The proliferation of ransomware has posed a significant threat to organisations across all industries. Attacks have increased by 80% year-over-year, hitting a record high in 2022. If the problem wasn't alarming enough already, threat actors are now using a double-extortion strategy to ramp up their profits and put more financial pressure on organisations. 

Last year, the number of ransomware attacks making use of double extortion increased by over 500%. This technique, which sees attackers often taking a two-stage approach to disclosing data in their possession, occurs when victims initially refuse to pay the ransom and attackers feel they need to put added pressure on them to do so.  

Double extortion poses several risks for victims, including loss of customer trust and competitive advantage. Victims also run the risk of becoming a target again in the future if they pay the ransom, or if any leaks include data that could facilitate future attacks. 

Rapid7 recently conducted an investigation to identify the types of data and assets that are mostly targeted and disclosed in such attacks. We also explored the different types of cybercriminal groups that use double extortion, and how their activities have evolved over the last few years. These findings can help organisations to understand which assets should be prioritised in their security strategy to mitigate the impact of double extortion.  

Understanding double extortion attacks  

Traditionally, we’ve seen ransomware attackers breach an organisation’s network and encrypt critical files and data. Attackers then privately demand a hefty ransom in exchange for the encryption keys to regain access to the data.  

Double extortion tactics, however, build an extra element into such attacks, as threat actors first exfiltrate a copy of the victim’s sensitive data before encrypting it. The actors then threaten to disclose the compromised data if victims refuse to pay an additional ransom. This tactic means that organisations not only have to worry about regaining access to their critical files, but they also must be concerned with their data being leaked.  

The most common data disclosure trends in double extortion ransomware attacks  

Our research found significantly different data disclosure trends among various industry sectors. Collectively across all industries, financial data was leaked most frequently, in about 63% of all attacks. This included critical internal finance and accounting documents. Given that financial data is the backbone of any business, it is easy to understand why this information is frequently targeted.  

The second most disclosed data was customer/patient information, which was leaked in 48% of all attacks. Consumer data is the essence of digital businesses, and certainly the most valuable asset for any organisation. Customers trust businesses with their confidential data and if this information falls into the wrong hands, businesses lose their credibility and their reputations suffer. Exploiting this fear helps threat actors to double down on their ransom demands and leaves the business with seemingly no other option than to pay up.  

Moreover, both financial and customer data have a greater utility for criminals. Attaining such information allows attackers to launch wider criminal campaigns such as identity theft and fraud. 

Distinctive trends in finance and healthcare 

Although collectively, financial and customer data disclosures were most prevalent across all industries, we observed that threat actors prioritised both types of data differently in each industry.  

In the financial services sector, customer data appeared most frequently, in about 82% of all disclosures. The financial services sector as a whole depends heavily on the perceived trustworthiness of financial institutions and their ability to protect customer data and funds. The data found in our research suggests that the attackers responsible for these disclosures chose to emphasise customer and patient data in order to undermine that trust and put more pressure on them to pay up. 

On the other hand, financial data was exposed more prevalently in the healthcare and pharmaceutical industry. Nearly 71% of the disclosures in the industry included financial data. In second place was customer or patient data, which appeared in 58% of disclosures. 

Given that healthcare and pharma companies are under constant scrutiny from regulatory agencies, any sensitive data leak can have severe legal and regulatory consequences; these organisations are more likely to pay up than have their confidential patient data disclosed.  

The prevalence of different ransomware groups  

Whilst there has been a significant change in the number of data disclosures in the last two years, there has also been a notable transformation in the actors committing these crimes. 

The market share of data disclosures significantly changed between 2020 and 2021. In 2020, the Maze Ransomware group was the most active, responsible for 30% of all data disclosure ransomware incidents in our sample. They were also the group responsible for the first-ever high-profile incident of double extortion.  

However, the demise of Maze at the end of 2020 saw many small threat actor groups getting into the double extortion business. In fact, the top five ransomware groups made up just 56% of all attacks in 2021, and new and lesser-known groups were responsible for the rest. Ransomware gangs such CL0P, DarkSide, and RansomEXX increased their share of the market after Maze halted its activities.  

The collapse of Maze created a vacuum which many smaller ransomware gangs attempted to fill. 

It is also important to note that some of these ransomware gangs had very distinctive profiles, in terms of their targeting and disclosure trends. For example, REvil/Sodinokibi mostly disclosed sales and marketing data, while Conti mainly focused on finance and accounting data. 

Each ransomware group may have a completely distinctive style of ‘branding’ data disclosures; however, they are after the same goal, and that is to get paid. Therefore, businesses need to implement certain security procedures to prevent their own data being leaked or being used as leverage against them. Organisations cannot stop themselves being the target of ransomware, but they can stop themselves from being the victim. 

Getting ahead of ransomware and double extortion attacks 

The discussed insights into data disclosure trends and active ransomware groups can help organisations to identify which assets need more definitive protection. Once an accurate outline of the critical assets and systems has been established, it is time to implement effective security procedures.  

Firstly, organisations should construct lines of defence against both layers of double extortion ransomware attacks. This means building defences around both encryption and data exfiltration. Backups have historically provided the most effective defence against holding encrypted files for ransom, as the victim can restore the encrypted files instead of paying the ransom.  

However, backups do not protect against data disclosure. Organisations should additionally implement measures like file encryption and network segmentation to reduce the likelihood of data exfiltration and the resulting leak. File encryption renders critical files unreadable to unauthorised users, whilst segmenting the network across several layers can significantly hinder an attacker's ability to move laterally across the IT infrastructure, thereby making it more challenging for the attacker to access or exfiltrate critical data.  

Furthermore, when implementing file encryption and network segmentation, organisations should prioritise the specific data types most coveted by ransomware gangs targeting their sector.  

Finally, businesses should have an effective response and remediation plan in place to stay prepared for whatever adverse consequences might occur as a result of data disclosure.  

Whilst there is no silver bullet to the ransomware problem, these discussed practices are the silver linings that can help organisations to protect their critical assets and minimise the damage of such attacks, should they strike.