
The Anatomy of Ransomware Evolution: From Encryption to Data Exfiltration Demands, and Strategies for Preparedness

Introduction

The article explores the evolving tactics of ransomware gangs, focusing on the shift towards exfiltrating victims’ data rather than solely encrypting it. This contributes valuable insights into the decision-making dynamics of ransomware victims, shedding light on the nuanced factors influencing payment behaviours and the financial impact of data exfiltration. The findings provide a basis for strategic considerations to mitigate the impact of ransomware attacks, offering practical recommendations for organizational preparedness and regulatory measures.
Led by University of Twente researcher Tom Meurs and his colleagues, the study aims to understand the factors influencing victims’ decisions to pay ransoms and the subsequent impact on the ransom amounts paid by organizations.

While data theft and data exfiltration are frequently used interchangeably, it’s crucial to recognize the distinction between them. This differentiation holds significance for individuals tasked with safeguarding an organization’s data. Understanding each term elucidates the extent of their implications and broadens the spectrum of strategies available for safeguarding data.

What is Data Theft?

Data theft is a comprehensive term encompassing any unauthorized access to and extraction of data. This encompasses various methods, ranging from technical measures to straightforward actions like pilfering a hard drive or duplicating a file onto a thumb drive.

What is Data Exfiltration?

Data exfiltration denotes the method by which advanced cyber threats gain access to data and transmit it to a distant system under criminal control. It is distinct from theft in that it refers specifically to the technical procedures used to move stolen data out of the organization without detection.

Evolution of Ransomware: Modern Threats Exfiltrate Data, Demanding a New Defense Approach

The threat posed by ransomware continues to grow and evolve. In contrast to earlier versions that simply encrypted victims’ data on-site, contemporary ransomware is more sophisticated. It now tends to locate and exfiltrate valuable data before encrypting the original files. Criminals behind modern ransomware demand payment for the restoration of encrypted data and threaten to publicly release the stolen data if the ransom is not paid.

Why Criminals Prefer Data Exfiltration Over Encryption

What is the compelling reason behind ransomware gangs opting to exfiltrate victims’ data rather than solely encrypting it? Organizations whose data has been exfiltrated pay more. Let’s explain this answer:

1- Data Exfiltration Increases Probability and Amount of Payment:

Tom Meurs, a researcher at the University of Twente, and his colleagues conducted a study to identify the factors influencing the decision to pay a ransom and the variables affecting the ransom amount paid by organizations. Their investigation, based on data from the Dutch National Police and a Dutch incident response organization covering 481 ransomware attacks between January 2019 and January 2023, revealed a crucial trend:

  • Ransomware gangs opt for data exfiltration because organizations are more likely to pay when their data is compromised in this manner.
  • The probability of payment is higher in incidents involving data exfiltration (40%) than those without (25%).
  • The average ransom amount is substantially larger when data is exfiltrated (1.2 million euros) than in incidents without data exfiltration (89,407 euros).

2- Influence of Victims’ Preparations (Non-availability of Recoverable Backups):

  • The decision to pay is linked to the victim organization’s preparations.
  • Organizations with recoverable backups are 27.4 times less likely to pay ransomware attackers.
  • Having reliable backups reduces victims’ need to comply with ransom demands.

3- Influence of Engagement of Incident Response (IR) Companies:

  • Organizations consulting IR companies are more willing to pay as they seek expert guidance and assistance in recovering from ransomware attacks.
  • The involvement of IR companies influences the decision to pay and may impact the ransom amount.

4- Influence of Other Factors Affecting the Ransom Amount:

Data exfiltration, insurance coverage, and the victim’s yearly revenue are key factors affecting the ransom amount.

  • Insurance Coverage: Having insurance results in ransoms that are 2.7 times larger.
  • Data Exfiltration: Incidents involving data exfiltration correspond to a 4.4 times increase in the ransom amount.
  • Yearly Revenue: Each 1% increase in a victim’s yearly revenue causes a 0.12% rise in the ransom paid.

Data exfiltration, insurance coverage and the yearly revenue of the victim, on the other hand, are factors that affect the ransom amount a victim will pay (if they decide to pay).

Recommendations to Reduce Ransom Payments:

To reduce the profitability of ransomware attacks, the researchers propose actionable steps for policymakers and law enforcement:

  • Emphasizing Backups: Policymakers and law enforcement should emphasize the importance of maintaining recoverable (offline) backups.
  • Ransomware Attack Simulations: Encouraging companies to conduct ransomware attack simulations to enhance preparedness.
  • Reduced Payments: Encouraging companies and cyber insurance providers to pay less when the victim organization does decide to pay, in order to reduce the profitability of ransomware attacks.

Conclusion

The evolving tactics of ransomware gangs, particularly the shift towards data exfiltration alongside encryption, present significant challenges for organizations and policymakers. The study led by Tom Meurs and his colleagues underscores the critical factors influencing ransom payment decisions and the financial impact of data exfiltration. Key findings indicate that organizations are more likely to pay higher ransoms when faced with data exfiltration incidents. Factors such as the availability of recoverable backups, engagement with incident response companies, insurance coverage, and yearly revenue also play pivotal roles in determining ransom amounts. To mitigate the impact of ransomware attacks, policymakers and organizations are urged to prioritize measures such as emphasizing the importance of backups, conducting ransomware attack simulations, and advocating for reduced ransom payments. These recommendations aim to disrupt the profitability of ransomware attacks and bolster organizational resilience against evolving cyber threats.

FAQs

Q1: What is the distinction between data theft and data exfiltration?

A1: Data theft involves unauthorized access and extraction, while data exfiltration refers to the covert removal of stolen data by cyber threats.

Q2: Why do modern ransomware gangs prefer data exfiltration over encryption?

A2: Organizations are more likely to pay higher amounts when data is compromised. The probability of payment is 40% with data exfiltration compared to 25% without, with an average ransom of 1.2 million euros.

Q3: How do victim preparations influence ransom payments?

A3: Organizations with recoverable backups are 27.4 times less likely to pay. Engagement with Incident Response (IR) companies increases willingness to pay, impacting ransom amounts.

Q4: What factors affect the ransom amount in a ransomware attack?

A4: Key factors include insurance coverage, data exfiltration, and the victim’s yearly revenue. Insurance results in ransoms 2.7 times larger, data exfiltration leads to a 4.4 times increase, and each 1% rise in yearly revenue causes a 0.12% increase in the ransom paid.
