A Rapid7 report said ransomware attackers choose their targets purposefully in the hopes of maximising profits and minimising risks.
Financial data is leaked most often from ransomware attacks, according to a new report by cybersecurity firm Rapid7, followed by customer or patient data.
The company’s report aims to shed light on how ransomware attackers think, the data they value most and how they apply pressure to get victims to pay their demands.
The company focused on data disclosures, which commonly occur in ‘double extortion’ ransomware attacks. In these attacks, threat actors take the victim’s sensitive data in addition to encrypting it, which gives them extra leverage when demanding ransom payments.
Rapid7 investigated 161 separate data disclosures between April 2020 and February 2022 to identify common trends. The report found that finance and accounting documents appeared in 63pc of overall incidents across industries.
Different targets for different sectors
“The sensitivity of each type of data varies by industry, and different groups may find certain types of data more sensitive than others,” the report said.
Roughly 82pc of disclosures linked to the financial services sector contained customer data, compared to 50pc containing internal company financial data. Employees’ personal data and HR data were in 59pc of data disclosures.
In the healthcare and pharmaceutical sectors, internal financial data was leaked 71pc of the time, which is more than any other industry. The data of customers and patients was released in 58pc of the data disclosures in these sectors.
In the pharma sector, intellectual property files were more likely to be released in data disclosures than in other industries. Only 12pc of all disclosures studied included IP files, but 43pc of disclosures in the pharma industry contained these files.
Rapid7 said this is likely due to the high value placed on research and development within this industry.
“Ransomware attackers often choose their targets purposefully in the hopes of maximising their profits and minimising their risks and labour requirements,” the report said.
“They are more likely to choose targets that they believe to be more lucrative, easier to compromise, more likely to pay ransoms and more suitable for short-term extortion than long-term data collection.”
Defence from both angles
Rapid7 said that organisations should construct a strong defence against both lines of double extortion ransomware attacks.
While companies should back up their data to protect against the file encryption side of attacks, backups do not protect against data disclosures. Rapid7 said file encryption and network segmentation will reduce the likelihood that attackers can move to data infrastructure that houses key assets.
The report said organisations should assess which data assets should receive additional layers of protection, based on how frequently the data type appears in ransomware data disclosures. Companies should also anticipate what type of files are most likely to appear if their data is leaked.
“For example, a bank or a hospital experiencing a ransomware incident should anticipate that any resulting data disclosure is likely to contain customer/patient data and take appropriate steps, such as preparing for customer/patient notifications,” the report said.
In February, cybersecurity authorities in the US, UK and Australia issued a warning on the increase of sophisticated, high-impact ransomware attacks. Their report noted that some ransomware groups began targeting “mid-sized victims” to reduce scrutiny and detection from authorities, particularly in the US.
There was a string of high-profile ransomware attacks last year targeting organisations that provide critical services, including the Colonial Pipeline, JBS Foods and Ireland’s Health Service Executive.