Cyber criminals are shifting their focus, and adversary groups are taking cyberattacks one step further. These groups are no longer satisfied with only encrypting your network: they also steal data so that they hold enough information to force a large payout. Among the adversary groups that have adopted this technique are Maze, DoppelPaymer and Clop. According to Coveware (a ransomware negotiation and response firm), data exfiltration cases accounted for 9% of overall cases in Q1 2020.

Data exfiltration is the act of cyber criminals stealing data so that a victim is more likely to pay the ransom regardless of whether they can restore their data from backups. Ransomware encryption still typically occurs, but the way adversary groups play the field has become more sophisticated. When a ransomware breach takes place, the victim's data is encrypted so it can't be retrieved without paying a sum of money or having proper backups. Many companies with proper offsite backups, who have heeded SpearTip's advice in the past, can restore from these events, but automated data exfiltration brings a new shift to the market, where backups alone are not enough to protect your company's image.

This form of cyberattack is becoming the norm. It is a way for the cybercriminals to blackmail the victim into paying the ransom. The typical attack lifecycle consists of the initial compromise (typically through an open port on the firewall or a firewall vulnerability such as the recent Sophos vulnerability), followed by privilege escalation to gain administrator privileges on a machine, then the automated pulling of specific data from both file shares and end-user computers, and finally the encryption process once the pulled data is safely in the attacker's hands.
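The "automated pulling of specific data from file shares" stage described above is the one defenders can most readily spot before encryption begins, because it shows up as an abnormal burst of reads by a single account across many shares. The following script is an added example, not SpearTip's code or a tool mentioned in the post: it runs a sliding-window detector over a constructed file-server read-audit log (the log format, the sample lines, and the byte and share-count thresholds are all assumptions for illustration) and reports accounts whose read volume or breadth within a short window exceeds the assumed baseline.

```python
"""Added example (not from the SpearTip post): flag the bulk file-share reads
that typically precede automated exfiltration. The audit-log format, sample
lines and thresholds are constructed assumptions; tune them to your baseline."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a file-server read-audit log, one event per line:
# "<ISO timestamp> <user> READ <path> <bytes>"
SAMPLE_LOG = """\
2020-05-01T02:10:05 alice READ /shares/finance/q1.xlsx 120000
2020-05-01T02:10:09 alice READ /shares/finance/q2.xlsx 98000
2020-05-01T02:10:12 alice READ /shares/hr/payroll.csv 240000
2020-05-01T02:10:14 alice READ /shares/legal/contracts.pdf 5000000
2020-05-01T02:10:20 alice READ /shares/legal/nda.docx 45000
2020-05-01T02:10:22 alice READ /shares/eng/design.pdf 3000000
2020-05-01T09:15:00 bob READ /shares/eng/readme.txt 2000
2020-05-01T09:40:00 bob READ /shares/eng/spec.docx 80000
2020-05-01T14:05:00 carol READ /shares/finance/q1.xlsx 120000
"""

# Assumed thresholds (hypothetical values; derive real ones from your own data).
WINDOW = timedelta(minutes=10)
MAX_BYTES = 5_000_000       # more than this read inside one window is suspicious
MIN_DISTINCT_SHARES = 3     # touching this many top-level shares in one burst


def parse_log(text):
    """Parse log lines into (timestamp, user, top-level share, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size = line.split()
        if action != "READ":
            continue
        share = path.split("/")[2]  # '/shares/<share>/...' -> '<share>'
        events.append((datetime.fromisoformat(ts), user, share, int(size)))
    return events


def detect_bulk_reads(events, window=WINDOW, max_bytes=MAX_BYTES,
                      min_shares=MIN_DISTINCT_SHARES):
    """Return {user: (bytes, distinct_shares)} for every user whose reads
    inside some sliding window exceed the byte or breadth threshold.
    The reported pair is the worst window seen for that user."""
    by_user = defaultdict(list)
    for ts, user, share, size in sorted(events):
        by_user[user].append((ts, share, size))

    flagged = {}
    for user, evs in by_user.items():
        start, total = 0, 0
        for end, (ts, share, size) in enumerate(evs):
            total += size
            # Slide the window start forward until it fits inside `window`.
            while ts - evs[start][0] > window:
                total -= evs[start][2]
                start += 1
            shares = {s for _, s, _ in evs[start:end + 1]}
            if total > max_bytes or len(shares) >= min_shares:
                best = flagged.get(user, (0, 0))
                flagged[user] = max(best, (total, len(shares)))
    return flagged


if __name__ == "__main__":
    for user, (nbytes, nshares) in detect_bulk_reads(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {nbytes} bytes across {nshares} shares in one window")
```

On the constructed sample only `alice` is reported (about 8.5 MB across four shares in 17 seconds); `bob` and `carol` stay under both thresholds. In practice the thresholds should be set from a per-account baseline, and the alert should be correlated with the preceding privilege-escalation activity the post describes, since an administrator-level account reading shares it never touched before is the combination worth paging on.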

The adversary group will then hold the data. In the cases SpearTip has encountered, the group will not release the data on its website if the company pays. If the company does not pay, typically within 14 days, the data is released and news of the breach comes with it.

How your company crafts a response and gains information within those 14 days is critical. Having a great cyber insurance policy is the first step in a quick reaction to the incident, along with a legal team that specializes in data breach response and, of course, a forensics team to investigate the situation. Without proper forensics you would never know whether your environment was compromised or not. Forensics teams are trained to quickly identify the malware variant and to determine the full scope of the compromise.

This shift by adversary groups toward extortion alongside encryption is not going away. SpearTip has been tracking these groups for the last 8-12 months, and it is our belief that this will only become more prolific and may eventually skip the encryption phase altogether, given the value of holding data over a company's head.

For more information on how to prepare for an event like this, visit or email [email protected] to speak with a cybersecurity professional.

24/7 Breach Response: 833.997.7327