Different ransomware groups show distinct preferences for what data to leak, according to a Rapid7 study of two years of extortion leak sites.
"It seems to be very deliberate," said Erick Galinkin, principal AI researcher at Rapid7 and author of the report.
Conti leaked financial information in its first dump of data in 81% of attacks, according to the report, where Cl0p only leaked it in 30%. Cl0p leaked employee personal information in 70% of its first leaks, where Conti only leaked it in 27%. And REvil seemed to be down the middle, releasing each about half the time.
The release of client data and marketing information also varied.
REvil was the most likely for both (customer or patient data in 55% of first leaks, marketing data in 48%), followed by Conti (42% and 46%) and Cl0p (30% and 30%).
The Cl0p information was based on a more limited number of events and is more likely to vary — a few attacks waged differently and it could have the most of either — though more thorough changes would need to take place to change its relative position on PII and financial information.
Galinkin noted a few caveats: Leaks often carry more than one type of information, and actors are sometimes limited by the data they have access to rather than by their ideal strategy. If Conti cannot find financial information, it likely is not going to give up an attack.
Different types of information create different pressures on a company. Leaked personal information, either of employees or clients, can create arduous notification requirements, anger among an important group, and risk of class action lawsuits. Financial information creates pressure from investors and the potential embarrassment of business information coming out a company intended to keep secret.
While the attacks rarely disclosed intellectual property, that may have more to do with the industries most likely to be targeted than the whims of the actor. A healthcare clinic or school district is not likely to have much intellectual property to lose, noted Galinkin. But of 14 attacks on pharmaceutical companies, six leaked IP in the first data dump.
Over time many ransomware attacks have conformed to a narrow set of breach and movement strategies as affiliates learn what works and what does not. Galinkin is uncertain if a first choice of data to leak strategy will ever become standard across groups.
"I don't I don't know what would cause that," he said. "Because as it stands, a lot of people are paying ransoms. So it would have to be a significant enough number of people choosing not to pay ransoms after that initial disclosure layer that they would think 'We got to try something different because, you know, these folks are being successful and we're not.'"