Chris Swagler | August 29th, 2022

Over the past few years, ransomware has been the primary threat that companies have had to defend against. Threat actors profited quickly by taking advantage of their victims’ unpreparedness and the high value of cryptocurrencies. Frequently exploited weaknesses, including outdated patch management practices, inadequate security policies, and untested backups, allowed ransomware extortion to expand rapidly. However, as companies built stronger ransomware defenses and crypto prices fell, the financial appeal of ransomware attacks decreased. Threat actors then looked for additional opportunities and found one in data exfiltration.

Exfiltration of information is quickly becoming more common. Incidents at Nvidia, Microsoft, and other companies earlier this year showed how serious the issue has grown and how, for some businesses, it might pose as big a threat as ransomware. For instance, Nvidia and the threat group Lapsus$ became involved in a complicated tit-for-tat exchange. When Lapsus$ leaked the Deep Learning Super Sampling (DLSS) research source code, one of the largest chip manufacturers in the world had to deal with the public exposure of the source code behind one of its most valuable technologies.

Exfiltration extortion attacks differ from ransomware attacks in that the threat operators don’t enter with the main intent of encrypting systems and causing disruption, although they may still use encryption to cover their tracks. Threat operators on information exfiltration missions transfer huge amounts of proprietary data to systems under their control. They then attempt to extort victims by threatening to sell or release the victims’ private information to dishonest third parties.

Exfiltration poses a significant risk to victims because the threat actors effectively obtain the keys to the safe. Competitors may use stolen trade secrets to create clones of products, advance their own research and development, or surface information that results in a PR catastrophe. Public exposure of information can sometimes pose a bigger threat than ransomware because ransom demands can be resolved by paying or by restoring from backups. Leaked information, however, can’t be un-leaked, which is why threat actors find extortion based on information leakage such an attractive tactic. The current state of global affairs, which has created a significant demand for intellectual property transfer across opposing geopolitical lines, drives the motivation for this type of attack. Even where local judicial systems treat the attack as a crime, there is greater leniency toward threat actors attacking ‘the other side’.

Another theme cybersecurity teams have noticed in the exfiltration space is threat actors increasing their dwell time within a targeted environment. Rather than immediately flashing ransom notes on screens, staying covert lets threat operators observe more information flows in the network and conduct more thorough reconnaissance of systems after gaining access. Threat actors who spend more time on a network can locate targets far more valuable than simply deploying ransomware would yield, and the longer they remain undetected, the more damage they can cause.

Despite the greater risk, companies can prevent extortion by applying the same cybersecurity principles that protect against ransomware. After many years of alarming headlines, most companies have already implemented improved backup methods, more granular and fine-tuned data access controls, and stronger rules and monitoring for detecting unwanted file changes. Infrastructure maintenance is the first step in preventing malware infections or information exfiltration, and that maintenance includes applying the most recent patches to systems. Patched systems not only protect against ransomware but also close easy paths to critical business information, preventing threat actors from stealing it. For example, some companies still depend on patching procedures that require maintenance windows. It’s important to consider whether patching is occurring quickly enough to protect the company against threats, including information exfiltration.
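As an added example (not from SpearTip or the original post), the following Python script applies the monitoring idea above to the exfiltration pattern described earlier: it aggregates constructed outbound flow records per host and day and flags any day whose outbound volume is far above that host’s own prior average. The record format, the threshold multiplier and the host names are assumptions.

```python
# Added example: flag hosts whose outbound transfer volume spikes far above
# their own baseline. Record format and thresholds are assumptions.
from collections import defaultdict

BASELINE_MULTIPLIER = 5.0   # assumed threshold; tune per environment
MIN_BASELINE_DAYS = 2       # need some history before judging a host

# Constructed sample flow records: date, source host, destination, bytes out.
SAMPLE_FLOWS = """\
2022-08-22,fileserver01,203.0.113.10,120000
2022-08-23,fileserver01,203.0.113.10,135000
2022-08-24,fileserver01,203.0.113.10,110000
2022-08-25,fileserver01,198.51.100.7,9800000
2022-08-22,workstation07,203.0.113.10,50000
2022-08-23,workstation07,203.0.113.10,52000
2022-08-24,workstation07,203.0.113.10,48000
2022-08-25,workstation07,203.0.113.10,51000
"""

def daily_outbound(flow_text):
    """Aggregate bytes_out per host and per day from CSV-like flow lines."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        day, host, _dst, nbytes = line.split(",")
        totals[host][day] += int(nbytes)
    return totals

def find_volume_anomalies(flow_text, multiplier=BASELINE_MULTIPLIER):
    """Return [(host, day, bytes, baseline)] for days far above the host's prior average."""
    alerts = []
    for host, per_day in daily_outbound(flow_text).items():
        history = []                      # this host's earlier daily totals
        for day in sorted(per_day):
            nbytes = per_day[day]
            if len(history) >= MIN_BASELINE_DAYS:
                baseline = sum(history) / len(history)
                if nbytes > multiplier * baseline:
                    alerts.append((host, day, nbytes, baseline))
            history.append(nbytes)        # the spike itself joins later baselines
    return alerts

if __name__ == "__main__":
    for host, day, nbytes, baseline in find_volume_anomalies(SAMPLE_FLOWS):
        print(f"ALERT {host} {day}: {nbytes} bytes out vs baseline {baseline:.0f}")
```

In the constructed data only fileserver01 trips the threshold, on the day its outbound volume jumps to roughly 80 times its three-day average toward a previously unseen destination.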

SpearTip defends companies against immediate threats with one of the fastest response times between threat emergence and mitigation. With the ShadowSpear Platform, our cutting-edge integrable security solution, added to their cybersecurity arsenal, companies can implement the most important line of defense against threat actors seeking ransom payments from victims. Additionally, our certified engineers work continuously in an investigative cycle at our 24x7x365 Security Operations Center, monitoring companies’ networks for potential threats. With our pre-breach advisory services, we’ll examine a company’s security posture to improve the weak points in its network and engage with its people, process, and technology to measure the maturity of the technical environment. For any vulnerability uncovered, our experts will provide a technical roadmap ensuring companies have the awareness and support to optimize their overall cybersecurity posture.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.