10% of Ransomware Attacks Involve Data Theft Before Encryption

A number of threat actors are currently conducting double extortion attacks: they steal data before deploying the ransomware payload. The first to do this was the Maze ransomware gang, which threatened to publish the victim's data if the ransom was not paid. The gang did publish the data on its website in November 2019. A number of other ransomware gangs have since followed this tactic, including REvil/Sodinokibi, NetWalker, and DoppelPaymer.

These groups often deploy ransomware days, weeks, or sometimes months after the initial breach. While waiting to deploy, the attackers move laterally to gain access to many systems and then time their attacks to cause the maximum disruption. It is very likely that the systems of a number of healthcare companies are already compromised, even if the ransomware has not yet been deployed.

These high-profile ransomware gangs target entities in industries that have a lot to lose from having their data published or sold, such as legal firms, healthcare organizations, and companies in the financial industry. These attacks usually make headline news; however, they represent only about 10% of successful ransomware attacks. Between January 1, 2020 and June 30, 2020, there were 100,001 ransomware attack reports submitted to ID Ransomware, and only about 11% (11,642 submissions) concerned ransomware variants used by groups known for stealing data before encrypting files.

Emsisoft notes, however, that although a number of ransomware gangs tell the victim that their data has been stolen in order to increase the chances of a ransom payment, some ransomware gangs are probably stealing data discreetly.

Emsisoft explained that any ransomware group could exfiltrate data. While certain groups openly steal data and use it to threaten the victim as extra leverage for a ransom payment, other groups probably steal it discreetly. Although groups stealing discreetly may not exfiltrate as much data as groups seeking to use it as leverage, they could extract data that obviously has considerable market value or could be used to attack other entities.

Preventing Ransomware and Limiting Damage

Ransomware attacks will continue as long as they remain highly profitable and relatively low risk. Therefore, healthcare companies need to act now to strengthen their protection against cyberattacks. To prevent attacks and minimize the damage from successful ones, Emsisoft gives healthcare organizations the following advice:

Apply patches promptly, control admin rights, set up multi-factor authentication, disable PowerShell when it is not required, use network segmentation, use internet and email filtering tools, and disable RDP if it is not being used, or secure it properly if it is necessary. Workers should receive security awareness training regularly. Service providers that are given access to healthcare data should undergo audits to ensure they are HIPAA compliant.
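A read-only audit that checks several of these settings (RDP, PowerShell, local admin rights) on a single Windows host, added here as an example and not part of the article or Emsisoft's advice; it assumes an elevated PowerShell 5.1 or later session, and the function name and output field names are my own.

```powershell
# Added example: report on a host's RDP, PowerShell and local admin posture.
# Read-only; it changes nothing. Run elevated so the feature and registry queries succeed.
function Get-RansomwareHardeningReport {
    [CmdletBinding()]
    param()

    $ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $ts 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
    $rdpDisabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1
    # UserAuthentication = 1 means Network Level Authentication is required before an RDP logon screen is shown.
    $nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1

    # The PowerShell 2.0 engine has no script block logging; it should be off when not required.
    $psv2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    $psv2Enabled = ($null -ne $psv2) -and ($psv2.State -eq 'Enabled')

    # Script block logging gives defenders visibility into the PowerShell use that is still required.
    $sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
                            -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $sblEnabled = ($null -ne $sbl) -and ($sbl.EnableScriptBlockLogging -eq 1)

    # Local Administrators membership: the shorter this list, the less an attacker gains from one compromised account.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        RdpDisabled         = $rdpDisabled
        RdpNlaRequired      = $nlaRequired
        PowerShellV2Enabled = $psv2Enabled
        ScriptBlockLogging  = $sblEnabled
        LocalAdminCount     = $admins.Count
        LocalAdmins         = ($admins -join '; ')
    }
}

# Show the report for this host; pipe to Export-Csv to collect results from many hosts.
Get-RansomwareHardeningReport | Format-List
```

Hosts reporting RdpDisabled = False with RdpNlaRequired = False, or PowerShellV2Enabled = True with ScriptBlockLogging = False, are the ones to remediate first.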