
10 May 2024

What is Data Exfiltration and How Can it Harm Your Business?

When it comes to ransomware, most decision-makers focus on reversing malicious encryption. However, hackers know when they're on to a good thing. If a victim will pay a ransom once, why not twice?

In addition to attacking and encrypting backups, recent ransomware introduces another feature - exfiltration.

What is Exfiltration?

Traditionally, exfiltration means ‘to withdraw (troops or spies) surreptitiously, especially from a dangerous situation’. But in 2024, what does that have to do with your data?

As well as encrypting data, certain ransomware variants, like MountLocker, Nefilim and DoppelPaymer, also export data from an infected network. Data is copied and sent to a remote server controlled by the ransomware gang before encryption begins. The process is silent and largely invisible, hence ‘exfiltration’.

How Does Exfiltration Harm Your Business?

Ransomware threat actors are out to make money from their victims, which means that the effects of exfiltration are always harmful. Here are a few to consider:

Double Extortion

The main reason for data exfiltration is to potentially double the size of ransom payouts. In a double-extortion attack, victims are first asked to pay a fee to access the decryption key for their data. Once paid, they are then informed that the hackers have also acquired sensitive data belonging to their victim. If the victim wants the data returned, they must pay a second ransom.

What happens if you don't pay the ransom? Hackers may sell the data, or leak it online. And there is always a risk they will do it anyway, even after receiving a second ransom payment.

Regulatory Breaches

When exfiltrated data contains personally identifiable data (PID), your business may be prosecuted by data protection authorities. Regulatory breaches can carry stiff penalties, with fines reaching £17.5 million or 4% of global turnover.

Cyber security insurance may offset some of the headline costs, but coverage may vary.

Compromised IP

Aside from PID, your business holds plenty of confidential information. Among the highest-value - to both you and hackers - is any intellectual property (IP) your business owns.

Stolen IP may be sold to unscrupulous competitors or leaked online. And once that's out in the open, you can't put the genie back in the bottle.

Your IP can be used by competitors to improve their own products. Should this happen, the effects on sales and revenue could be catastrophic. You may have to pull product lines and features and may experience a loss in competitive advantage or market share.

Damage to Reputation

Data breaches of any kind will dent customer confidence. 69% of people would avoid a company that had suffered a data breach, even if it offered a better deal than competitors. And 29% said that if their data was compromised, they would never use that business again.

Restoring trust after a data exfiltration event is costly, may take considerable time and is likely to result in customer complaints and losses.

Class-Action Lawsuits

Some customers may go further than a simple boycott. Individuals may seek financial compensation through the courts, suing your business for allowing data to be exfiltrated. In some jurisdictions, particularly the US, you may find yourself on the receiving end of a class-action lawsuit.

If the courts find your business liable, the penalties can be substantial. And that's on top of the fines already levied by data protection authorities. With this in mind, it's little wonder that the total cost of ransomware attacks can run into millions.

The Damage Data Exfiltration Can Cause

While hackers are only concerned with securing a second payout, the knock-on effects of ransomware data exfiltration are significant. For businesses with no or ineffective backup strategies, recovering data following a ransomware infection can take weeks. Operations and productivity will be negatively affected throughout.

But it's the longer-term challenges that may have the hardest negative impact. Regulatory fines for illegal data losses are unavoidable - and expensive. Lost market share may never be recovered, especially if your own IP is used against you. And the damage to customer trust will only make that task harder, reducing revenue for an extended period following a breach.

How to Stop Ransomware Exfiltrating Your Data

There are two important points about ransomware-enabled data exfiltration.

Firstly, the process is typically slow. Your IT team would quickly notice a series of very large data transfers to an unknown location and block traffic. This means that hackers must steal data little and often to avoid detection.

Secondly, because they can only take limited amounts, hackers will try to identify and target the most sensitive, valuable data they can. This tends to result in relatively small amounts of data being stolen and ransomed.
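
The two points above mean that an alert on single large transfers will miss small, repeated uploads, while a running total per destination will catch them. The Python sketch below is an added example, not part of the original post; the host names, addresses, thresholds and allowlist are constructed assumptions.

```python
from collections import defaultdict

MB = 1024 * 1024
KNOWN_DESTINATIONS = {"198.51.100.7"}  # assumed allowlist, e.g. the offsite backup target

def build_sample_flows():
    """Constructed outbound flow records: (hour, src_host, dst_ip, bytes_out)."""
    flows = [(2, "fs-01", "198.51.100.7", 2048 * MB)]                     # one big backup push
    flows += [(h, "ws-17", "203.0.113.50", 40 * MB) for h in range(24)]   # little and often
    flows += [(h, "ws-03", "192.0.2.10", 5 * MB) for h in (9, 13, 16)]    # ordinary traffic
    return flows

def large_transfer_alerts(flows, per_flow_limit):
    """Naive check: alert only when a single transfer exceeds the limit."""
    return sorted({(src, dst) for _, src, dst, size in flows if size > per_flow_limit})

def cumulative_alerts(flows, window_hours, window_limit):
    """Alert when bytes sent to one unknown destination add up past the limit
    inside any sliding window, however small each transfer is."""
    by_pair = defaultdict(list)
    for hour, src, dst, size in flows:
        if dst not in KNOWN_DESTINATIONS:
            by_pair[(src, dst)].append((hour, size))
    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        start, running = 0, 0
        for hour, size in events:
            running += size
            # Drop transfers that have aged out of the window.
            while events[start][0] <= hour - window_hours:
                running -= events[start][1]
                start += 1
            if running > window_limit:
                alerts[pair] = max(alerts.get(pair, 0), running)  # keep the peak total
    return alerts

if __name__ == "__main__":
    flows = build_sample_flows()
    print("single-transfer alerts:", large_transfer_alerts(flows, 400 * MB))
    for (src, dst), total in cumulative_alerts(flows, 12, 400 * MB).items():
        print(f"cumulative alert: {src} -> {dst} peaked at {total // MB} MB in 12h")
```

On this sample the single-transfer check fires only on the known backup job, while the cumulative check flags the workstation that never sent more than 40 MB at a time.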

When it comes to ransomware data exfiltration, prevention is always better than cure. Securing endpoints against malware infection is a critical starting point. However, ransomware continues to infiltrate corporate IT defences, so you also need to be prepared.

Your next step is to have a robust disaster recovery strategy in place. Being able to recover data quickly and reliably is critical to reducing downtime. It'll also play a pivotal role in helping to prevent the spread of ransomware inside your network.

Ultimately, accelerating recovery and containing spread will determine how much data hackers can exfiltrate. And as always, the less they can steal, the lower the impact on your operations.

Join our Webinar: How To Protect Your Backups from Ransomware

Find out more about mitigating ransomware threats - join our webinar on Wednesday May 22nd at 14:30 BST (London) / 09:30 EDT (New York), when we'll welcome special guest speaker and cyber security expert James Bore of Bores Group and offer practical guidance on keeping your backups safe from ransomware.

Secure your spot here.
