Rapid7 report examines use of double extortion ransomware attacks
New insight into how attackers think when carrying out cyber attacks, along with further analysis of the disclosure layer of double extortion ransomware attacks, has come to light.
The “Ransomware Data Disclosure Trends” report from Rapid7 involved researchers using proprietary data from the clear, deep, and dark web to find out more information on the types of data attackers disclose to coerce victims into paying a ransom.
The researchers also examined the trend of double extortion in detail. The technique was pioneered by the Maze ransomware group and has caused widespread harm: threat actors not only hold data hostage for a ransom, but also threaten to release that data (publicly or for sale on dark web outlets) to extract even more money from victim companies.
The company says that threats and attacks of this kind have caused billions in losses across nearly every industry worldwide and have also disrupted critical infrastructure such as healthcare services, often putting lives at risk.
Using proprietary data collection tools to analyse the disclosure layer of double-extortion ransomware attacks, the Rapid7 research identified the types of data attackers initially disclose to coerce victims into paying ransoms.
The most significant changes were seen in the pharmaceutical, financial service, and healthcare sectors.
Financial data was leaked most often (63%), followed by customer/patient data (48%). Looking at the healthcare and pharmaceutical sectors in detail, internal financial data was leaked 71% of the time, more than in any other industry. Customer/patient data was also commonly exposed, appearing in 58% of disclosures from the combined sectors.
Although now defunct, the Maze Ransomware group was responsible for 30% of these types of targeted attacks, with Conti and REvil/Sodinokibi groups picking up some of the perceived market share after Maze’s demise in 2020.
The top five groups in 2021 made up just 56% of all attacks, with a variety of smaller, lesser-known groups being responsible for the rest.
The report ends by offering a number of steps that companies can take to protect themselves in the long run and prevent further double extortion incidents:
- Go beyond backing up data and add strong encryption and network segmentation.
- Prioritise certain types of data for extra protection, particularly in fields where threat actors specifically seek out that data to exert maximum pressure.
- Recognise that certain industries will be targeted for certain types of leaks, and make sure that customers, partners, and employees also understand the heightened risk of disclosure of those types of data and are prepared for it.