
The data exfiltration deluge: we’ve lost the battle, but can win the war

Today’s columnist, Darren Williams of BlackFog, argues for a more proactive approach to security to prevent ransomware attacks like the one earlier this year on Colonial Pipeline. (Photo by Drew Angerer/Getty Images)

Despite continued heavy investment in the latest cybersecurity technologies, and despite the realization that antivirus software cannot defend against most new attack vectors, cyberattacks are at an all-time high. This year has witnessed an unparalleled number of attacks that have devastated infrastructure, governments and businesses alike, and they are expected to cost more than $6 trillion globally. With access to so many cybersecurity tools, why are we losing the battle? Why are existing solutions so ineffective?

We need to start by looking at the lifecycle of an attack in order to devise countermeasures against it. Since the 1980s, the general approach has not changed. The theory is simple: once an attack has occurred, identify the code that caused the damage and create a fingerprint (a signature, in cybersecurity parlance). Store the signatures in a database, distribute it to all customers and, whenever a file is about to execute, check whether its signature is in the database. If it is, block execution and remove the file. This technique worked well for many years, until threat actors developed fileless attacks (code that runs in memory and leaves no file to fingerprint) and polymorphic attacks (code that re-encodes itself on every copy, so that no stable signature exists).
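The following is an added illustration, not code from the column or from BlackFog: a toy hash-based signature scanner of the kind described above, run against a constructed harmless byte string standing in for a malicious payload. A fresh XOR key re-encodes the same payload into a "polymorphic" copy whose behaviour is identical but whose hash no longer appears in the signature database. The payload, the stub format and the function names are all assumptions made for this example.

```python
"""Added example: why a hash signature stops a known sample but not a
re-encoded copy. The 'payload' is an inert constructed string, not malware."""
import hashlib
import os

# Constructed stand-in for a captured malicious file.
KNOWN_PAYLOAD = b"PAYLOAD: encrypt-all-files-and-demand-bitcoin"


def fingerprint(sample: bytes) -> str:
    """The classic AV 'signature': a cryptographic hash of the whole file."""
    return hashlib.sha256(sample).hexdigest()


# Signature database built from the sample recovered after the first incident.
SIGNATURE_DB = {fingerprint(KNOWN_PAYLOAD)}


def scan(sample: bytes) -> bool:
    """Return True when the sample matches a known signature (would be blocked)."""
    return fingerprint(sample) in SIGNATURE_DB


def polymorphic_variant(payload: bytes, key: bytes) -> bytes:
    """Re-encode the payload under a one-byte XOR key and prepend a tiny
    'decoder stub' (here just a marker plus the key). Run-time behaviour is
    unchanged, but every byte after the stub differs, so the hash differs."""
    if len(key) != 1:
        raise ValueError("this toy uses a single-byte key")
    encoded = bytes(b ^ key[0] for b in payload)
    return b"STUB:" + key + encoded


def fresh_variant(payload: bytes) -> bytes:
    """What a polymorphic engine does on each new infection: pick a new key."""
    return polymorphic_variant(payload, os.urandom(1))


def decode_variant(variant: bytes) -> bytes:
    """What the stub does when the variant runs: recover the original payload."""
    key = variant[5]          # byte right after the 5-byte "STUB:" marker
    return bytes(b ^ key for b in variant[6:])


if __name__ == "__main__":
    v = fresh_variant(KNOWN_PAYLOAD)
    print("original blocked:", scan(KNOWN_PAYLOAD))   # True
    print("variant blocked: ", scan(v))               # False
    print("same behaviour:  ", decode_variant(v) == KNOWN_PAYLOAD)  # True
```

Every run of `fresh_variant` yields a file with a new hash, so a database of hashes can never catch up; real engines add fuzzy hashes, emulation and behavioural rules precisely because of this.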

Traditionally, the focus of cyberattacks was disruption and bragging rights; very few attackers focused on the economics of making money directly from the endeavor. Until the rise of cryptocurrency in the early part of this century, it was difficult for cybercriminals to profit directly from an attack, and it was often state-sponsored attacks that fueled growth. Where there was a financial motive, it came from the victim’s loss of business, from the negative impact of an attack on a stock price, or from pump-and-dump schemes that moved a stock price in the short term.

Cybercrime changed forever in 2013 when the first widely successful ransomware appeared. Dubbed CryptoLocker, it arrived as an email attachment and encrypted most files on the target device, offering to decrypt them only once a ransom was paid. Thanks to cryptocurrency, the payments were very hard to trace back to a person. This was the beginning of a new era, and one that continues to reach new highs every year.

In 2021 we have seen devastating attacks across the globe. The top attacks of 2021, such as those on CNA Financial, Colonial Pipeline and JBS Foods, helped raise awareness and capture the attention of governments and citizens alike. Ransomware attacks are now so prevalent that TV shows regularly build plotlines around them; recent examples include “The Good Doctor” and “9-1-1”.

Ransomware has also evolved since those early days. While it initially focused on encryption, it has now moved to triple and even quadruple extortion. These newer attacks rely less on encryption and more on other mechanisms for making money. The typical strategies these gangs employ include:

  • Direct encryption: Encrypt files on the device and display a paywall which requires a cryptocurrency payment before decryption takes place.
  • Data Extortion: Instead of encrypting files, cybercriminals exfiltrate data from the device in the background, sending it to command and control servers in foreign countries such as Russia and China. A small sample of the files is published on the dark web as proof, and the data is offered for sale to third parties.
  • Attack Notification: Prior to launching an attack, ransomware gangs sell information about the pending attack to third parties, who can use the advance notice to short the victim’s stock or profit in other ways.
  • Cryptojacking: In addition to stealing data, new ransomware variants can also mine cryptocurrency, making money by hijacking the CPU of the host device. This lets cybercriminals profit while avoiding the massive energy costs of cryptocurrency mining. Because cryptojacking involves data leaving the device rather than a recognizable malicious file, traditional security products often overlook it.

These new attacks are highly coordinated by well-resourced gangs that have business models and even channel operations like a traditional business. Anyone who wants to launch an attack can contact the gangs directly, license their software and hand over a percentage of any ransom paid.

All of these newer approaches involve some form of data exfiltration: for any of them to succeed, data must leave the device. In fact, of the 244 reported ransomware attacks this year, 83.3% threatened to exfiltrate data.
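Because every one of the strategies above depends on data leaving the device, outbound traffic is the common point at which they can be observed. The block below is an added example, not code from the column or from BlackFog, of the simplest such check: aggregate outbound bytes per internal host to external destinations over a time window and flag any host that exceeds a multiple of its own baseline. The flow records, the baseline figures, the field layout and the function names are all constructed for this example.

```python
"""Added example: flag hosts whose outbound volume to external addresses in a
window far exceeds their usual volume. Flow records below are constructed."""
import ipaddress
from collections import defaultdict

# Internal address space (assumption: the RFC 1918 ranges). Anything else is
# "external" for the purpose of this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, bytes_out)
FLOWS = [
    (1000, "10.0.0.5", "10.0.0.20", 5_000_000),        # internal copy, ignored
    (1010, "10.0.0.5", "203.0.113.9", 120_000),
    (1020, "10.0.0.7", "198.51.100.4", 80_000),
    (1030, "10.0.0.7", "198.51.100.4", 950_000_000),   # 950 MB to one external host
    (1040, "10.0.0.9", "203.0.113.9", 40_000),
]

# Constructed per-host baseline: typical outbound bytes per window, learned
# from history. A host with no baseline is treated as having none (0).
BASELINE_BYTES = {"10.0.0.5": 2_000_000, "10.0.0.7": 3_000_000, "10.0.0.9": 1_000_000}


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_exfiltration(flows, baseline, start, end, factor=10.0):
    """Return {host: (total_external_bytes, top_destination)} for internal
    hosts whose outbound volume in [start, end) exceeds factor * baseline.
    Hosts with no baseline are flagged on any external traffic at all."""
    per_host = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in flows:
        if not (start <= ts < end):
            continue
        if is_external(src) or not is_external(dst):
            continue  # only internal -> external flows count as "outbound"
        per_host[src][dst] += nbytes

    flagged = {}
    for host, dsts in per_host.items():
        total = sum(dsts.values())
        if total > factor * baseline.get(host, 0):
            top_dst = max(dsts, key=dsts.get)   # where most of it went
            flagged[host] = (total, top_dst)
    return flagged


if __name__ == "__main__":
    for host, (total, dst) in flag_exfiltration(FLOWS, BASELINE_BYTES, 0, 2000).items():
        print(f"ALERT {host}: {total:,} bytes to external, mostly {dst}")
```

A volume threshold like this catches the bulk transfer in the sample but not low-and-slow exfiltration spread across days, nor data tunnelled inside a protocol that normally carries large volumes; in practice the baseline has to be per host and per time of day, and the check is one signal among several rather than a standalone control.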

New data from Osterman Research found that, despite significant investment in tools such as data loss prevention, organizations still struggle with cyberattacks and the prevention of data exfiltration. A majority of respondents reported weak confidence in their current solution’s ability to prevent data exfiltration (62%) or to prevent ransomware (55%). This is clear evidence that most organizations are missing an important piece in their approach to cybersecurity.

Existing technology has been ineffective in protecting what has arguably become a company’s most valuable asset: the data itself. The industry clearly needs to do more to ensure that organizations can lock down their critical information in the face of mounting attacks. And it is not just external adversaries that pose a risk. The majority of organizations (59%) lack confidence in their current solutions’ ability to prevent insiders from exfiltrating data, and more than two in five (41%) have experienced an employee’s mistake resulting in data exfiltration.

With inadequate tools, companies will experience data compromises that can damage their reputation. It is critical to have a security strategy in place that can prevent data exfiltration and stop ransomware gangs in their tracks. Our current approach clearly isn’t working, so maybe 2022 is the year we finally shift the paradigm and get ahead of adversaries, rather than struggling to keep up.

Darren Williams, founder and CEO, BlackFog
