Ransomware is the de facto threat organizations have faced over the past few years. Threat actors were making easy money by exploiting the high valuation of cryptocurrencies and their victims’ lack of adequate preparation.
Think about bad security policies, untested backups, patch management practices not up-to-par, and so forth. It resulted in easy growth for ransomware extortion, a crime that multiple threat actors around the world perpetrate.
Something’s changed, though. Crypto valuations have dropped, and organizations have mounted a formidable defense against ransomware; together, these have reduced the monetary appeal of ransomware attacks.
Threat actors have been searching for another opportunity – and found one. It’s called data exfiltration, or exfil, a type of espionage causing headaches at organizations worldwide. Let’s take a look.
The threat to reveal confidential information
Information exfiltration is rapidly becoming more prevalent. Earlier this year, incidents at Nvidia, Microsoft, and several other companies highlighted how big a problem it has become – and how, for some organizations, it may be a threat even bigger than ransomware.
Nvidia, for example, became entangled in a complex tit-for-tat exchange with hacker group Lapsus$. One of the biggest chipmakers in the world was faced with the public exposure of the source code for invaluable technology, as Lapsus$ leaked the source code for the company’s Deep Learning Super Sampling (DLSS) research.
When it comes to exfil extortion, attackers do not enter with the primary aim of encrypting a system and causing disruption the way that a ransomware attacker does. Though, yes, attackers may still use encryption to cover their tracks.
Instead, attackers on an information exfiltration mission will move vast amounts of proprietary data to systems that they control. And here’s the game: attackers will proceed to extort the victim, threatening to release that confidential information into the wild or to sell it to unscrupulous third parties.
Exfil can be far more damaging than ransomware
For victims, it’s a serious threat because threat actors can acquire the keys to the safe. Competitors can use trade secrets to produce copies of products or to aid their own R&D efforts, and leaked information could lead to a costly public relations disaster.
Either way – public exposure of information can be a greater threat than ransomware, because a ransomware demand can be resolved by paying up (or by restoring from backups). Leaked information – well – that may be unfixable. It’s easy to see why threat actors find extortion based on information leakage an even more attractive proposition than mere ransomware.
It’s worth noting that part of the drive for this type of attack also lies in the current state of world affairs which have created a strong demand for intellectual property transfer across opposing geopolitical lines. There’s also arguably greater leniency against actors attacking “the other side,” even when local judicial systems consider the attack a crime.
In for the long haul
There’s another theme emerging in the exfil space, and it confirms something cybersecurity teams have known for a long time: for malicious actors, it pays to stay undetected for an extended period of time.
Staying quiet, rather than flashing “you’ve been hacked” messages on computer screens, allows attackers to “see” more information flows in the network and to do more in-depth reconnaissance of systems after gaining entry.
More time in the network means attackers can identify more desirable targets than a simple ransomware deployment would offer. Patient threat actors could do far more harm if they remain undetected.
Protective measures still work
What can organizations do to guard against extortion? Well, the same cybersecurity principles continue to count, even more so given the greater risk.
After so many years of alarming headlines, most organizations have deployed ransomware protection in the form of better backup strategies, more fine-tuned and granular data access, and better rules and monitoring for detecting unwanted file changes.
It’s made ransomware attacks harder, often acting as a deterrent against attackers simply looking for easy targets. Protecting against malware infections or information exfiltration starts with properly maintaining infrastructure.
Seamless patching remains at the core
That includes keeping systems up to date with the latest patches. It’s not just a guard against ransomware, of course: patched systems also close the easy paths to critical business information, so threat actors are not in a position to siphon it off.
Suppose your organization is still relying on patching operations that involve maintenance windows. In that case, it’s worth considering whether patching is happening fast enough to protect your organization against information exfiltration threats.
Source: The Hacker News