Ransomware attacks: This is the data that cyber criminals really want to steal

There are certain types of data that criminals target the most, according to an analysis of attacks.
Written by Danny Palmer, Senior Writer

Data theft and extortion has become a common – and unfortunately effective – part of ransomware attacks, where in addition to encrypting data and demanding a ransom payment for the decryption key, gangs steal information and threaten to publish it if a payment isn't received. 

These so-called double extortion attacks have become an effective tool in the arsenal of ransomware gangs, who leverage them to force victims to pay up, even in cases where data could be restored from offline backups, because the threat of sensitive information being published is too great. 

Any stolen data is potentially useful to ransomware gangs, but according to analysis by researchers at cybersecurity company Rapid7 of 161 disclosed ransomware incidents where data was published, some data is seen as more valuable than others.

SEE: How to keep your bank details and finances more secure online 

According to the report, financial services is the sector that is most likely to have customer data exposed, with 82% of incidents involving ransomware gangs accessing and making threats to release this data. Stealing and publishing sensitive customer information would undermine consumer trust in financial services organisations: while being hacked in the first place would be damaging enough, some business leaders might view paying a ransom to avoid further damage caused by data leaks to be worth it. 

The second most-leaked type of file in ransomware attacks against financial services firms, featuring in 59% of disclosures from victims, is employee personally identifiable information (PII) and data related to human resources.  

By targeting this information, the attackers could undermine the trust staff have in their employers, particularly if they think their personal information could end up published and accessible to cyber criminals, who could use it for fraud and other cybercrime.

Another industry that commonly finds itself the target of ransomware gangs is health and pharmaceuticals.

In this scenario, internal finances and accounting data is the data most commonly exposed in ransomware attacks against healthcare, occurring in 71% of examined incidents. Customer and patient information is also commonly exposed in ransomware attacks – the researchers suggest it happens in 58% of incidents. 

Health data is extremely personal and something that most people won't want exposed online. Criminals know this fact and use it to pressure healthcare providers into paying ransoms.  

The combination of the sensitive nature of this information, plus the fact that hospitals and health services are vital and need to be up and running, means that healthcare remains a common target for ransomware attacks. 

SEE: Cloud computing security: Five things you are probably doing wrong

Ransomware continues to pose a threat to organisations of all kinds and while, as researchers suggest "there is no silver bullet to the ransomware problem", there are steps that organisations can take to mitigate the threat. 

According to Rapid7, these steps include regularly backing up data and storing it offline, encrypting sensitive information, and applying network segmentation, so any intruders into the network can't easily move around it. 

Protections like using multi-factor authentication across the network and the ability to spot potentially suspicious activity before damage is done can also help protect organisations from ransomware and other cyberattacks. 


Editorial standards