Ransomware warning: Now attacks are stealing data as well as encrypting it

Cyber criminals are increasingly bullying victims by threatening to leak data if they don't pay - and the problem is likely going to get worse, say researchers.

Why ransomware has become the biggest cyber threat to your network in 2020

There's now an increasing chance of getting your data stolen, in addition to your network being encrypted, when you are hit with a ransomware attack – which means falling victim to this kind of malware is now even more dangerous.

The prospect of being locked out of the network by cyber criminals is damaging enough, but by leaking stolen data, hackers are creating additional problems. Crooks use the stolen data as leverage, effectively trying to bully organisations who've become infected with ransomware into paying up – rather than trying to restore the network themselves – on the basis that if no ransom is paid, private information will be leaked.

Ransomware groups like those behind Maze and Sodinokibi have already shown they'll go ahead and publish private information if they're not paid and now now the tactic is becoming increasingly common, with over one in ten attacks now coming with blackmail in addition to extortion.

SEE: Cybersecurity: Let's get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)  

Analysing numbers of submissions to ID Ransomware – a site that allows people to identify ransomware – researchers at Emsisoft found that, of 100,000 submissions related to ransomware attacks between January and June this year, 11,642 involved ransomware families overtly attempt to steal data – or just over 11%.

Organisations in the legal, healthcare and financial sectors are among the most targeted by these campaigns, based on the assumption that they hold the most sensitive data.

And researchers warn that the percentage of ransomware attacks that steal data could be even higher, because some will do it discreetly, potentially using the stolen information as the basis for additional attacks.

"All ransomware groups have the ability to exfiltrate data. While some groups overtly steal data and use the threat of its release as additional leverage to extort payment, other groups likely covertly steal it," said the blog post by researchers.

"While groups that steal covertly may not exfiltrate as much data as groups seeking to use it as leverage, they may well extract any data that has an obvious and significant market value or that can be used to attack other organizations."

The prospect of suffering a data breach in addition to a ransomware attack is worrying for organisations because, even if the network is restored, the leak can cause other problems with customers or regulators.

Exfiltration and encryption attacks will become increasingly standard practice and both the risks and the costs associated with ransomware incidents will continue to increase, warned researchers.

SEE: What is ransomware? Everything you need to know about one of the biggest menaces on the web

However, it's possible for organisations to avoid falling victim to ransomware in the first place – or at least limiting the damage it can do – by following some cybersecurity hygiene basics.

They include applying security patches to protect against known vulnerabilities, and disabling remote ports where they're not needed and segmenting the network to stop ransomware from getting in, or being able to spread quickly around the network if it does. Organisations should also use multi-factor authentication so even if passwords are known, they can't be used to gain access to other areas of the network.

Backups should be regularly made and stored offline, while organisations should also have a plan for that they'll do in the event of ransomware compromising the network.

MORE ON CYBERSECURITY