As this recent article illustrates, many ransomware operators are now collecting information from victims before encrypting their data, and then threatening to release what they’ve collected – or actually releasing some of it – to increase the chance they’ll get paid. There have been many cases already where at least a portion of data has been released when the victim doesn’t pay up. If this becomes the norm – and it looks like it will – victims will need to consider all ransomware attacks as possible data breaches.

Ever since the Maze ransomware operators realized they could increase the odds of collecting the ransom by leaking data, many other ransomware groups have followed suit. In the latest variant seen using this tactic, the attackers effectively guarantee they can decrypt the files if you pay (with proof provided on two random files). But by that point, the data has already been stolen.

While the attackers typically steal only a subset of the data they encrypt – a few GB, random mailboxes, etc. – the victim will usually have no way of knowing which portion of the encrypted files was taken, and will have to treat all data that was accessible to the attacker as “breached” unless they can show there is a reasonably low risk that a given set of data was actually extracted.

As security professionals we strive to prevent the attackers from compromising our organizations in the first place.  But in the event they are successful, following is a sample of additional controls that can be implemented to better detect data exfiltration:

  • Content filters: filters on outgoing traffic can be configured with allow-listing/block-listing rules that block connections to known-bad destinations (by reputation or by content) and, where practical, permit only approved ones. They can watch common exfiltration channels such as DNS tunneling, FTP and HTTP(S) and can be configured to alert on and/or automatically stop unusual patterns of data transfer, such as one host suddenly sending far more outbound data than its baseline. Content filtering is offered as a standalone service, but it is also a feature included with many secure gateway solutions.
  • SIEM: Security Information and Event Management solutions act as centralized collectors of logs from multiple sources. Consider deploying a SIEM inside your organization and feeding it as many logs as are useful. In order to get the value out of a log collection/analysis solution it must be monitored 24/7/365 by qualified personnel.  Unless your organization is large enough to employ its own security team, consider a managed solution from a reputable service provider.
  • Endpoint Detection and Response (EDR) solutions: These solutions are designed to stop attackers in the first place, but they also alert on potentially malicious activity with continuous monitoring. For example, if your EDR solution lights up because it sees a number of nodes being hit with Emotet – a malware precursor to a ransomware attack that generally steals credentials, but can also steal email – you could be under attack, and should check all endpoints to confirm you don’t have one that might be leaking data (like the “road warrior” salesperson whose laptop is rarely on the network, and always seems to be behind a little on updates…)
  • Deep Packet Inspection (DPI) and Watermarking: For the more advanced organizations out there, you can embed a watermark or classification label in sensitive files that alerts a packet-inspection solution when those files are being sent out of the organization. For this to have value you’d want to be selective and/or use several distinct labels (for example “internal confidential”, “PII”, etc.), ensure the labels are “permanent” (they survive copying, re-saving and format conversion), and remember that DPI can only see a label in traffic it can decrypt, so encrypted channels need to be terminated at the gateway or handled by other controls.
  • Honeytokens: similar to the honeypot concept, a honeytoken is a piece of bait data – a URL, a fake credential, a database record – that has no legitimate use, so any access to it signals an intrusion. You can implement honeytokens for free; some cool tricks for using them in a honeyfile (a file that appears to be highly valuable, but is in fact deceptive bait), databases, links and other traps can be found here. While honeypots/files/tokens are primarily an intrusion detection tool, if the bait can be accessed then it – and anything else at that access level/in that container – can likely also be exfiltrated.
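To make the detection side of the content-filter, SIEM and honeytoken bullets concrete, here is an added example (not code from the original post or any vendor product) of the kind of rules a SIEM or gateway would run over outbound logs. The log formats, thresholds, hostnames, IP addresses and the canary path are all assumed and the log lines are constructed for illustration. It flags three things: a source host whose outbound byte count in the window exceeds a baseline, DNS queries shaped like tunnelling (long or high-entropy leftmost labels), and any request for a honeytoken URL that nothing legitimate ever links to.

```python
"""Detecting likely exfiltration in outbound logs: byte-volume outliers per
source host, DNS-tunnelling-shaped queries, and honeytoken URL hits.

Added example. Log formats, thresholds, hosts and the canary path are
assumed and the log lines are constructed, not taken from any real system.
"""
import math
import re
from collections import defaultdict

# Constructed outbound-proxy log. Assumed "<ts> key=value ..." format.
PROXY_LOG = """\
2024-05-01T02:13:05Z src=10.0.5.21 dst=www.example.com bytes_out=1200
2024-05-01T02:13:09Z src=10.0.5.21 dst=updates.example.net bytes_out=4800
2024-05-01T02:14:11Z src=10.0.5.44 dst=share.example-cloud.net bytes_out=734003200
2024-05-01T02:15:02Z src=10.0.5.44 dst=share.example-cloud.net bytes_out=812345678
2024-05-01T02:16:30Z src=10.0.5.77 dst=mail.example.com bytes_out=25600
"""

# Constructed DNS query log: "<ts> src=<ip> qname=<name>".
DNS_LOG = """\
2024-05-01T02:20:01Z src=10.0.5.21 qname=www.example.com
2024-05-01T02:20:02Z src=10.0.5.44 qname=mq7x2k9vz3p0c8w1lf5nrt6bhydgs4aeu2ioxzqjv.t.example-tunnel.net
2024-05-01T02:20:03Z src=10.0.5.44 qname=a9f3e1c7b24d6085f1c9e3a7b5d2c4e6.t.example-tunnel.net
2024-05-01T02:20:04Z src=10.0.5.77 qname=mail.example.com
"""

# Constructed web-server access log (common log format) for a site that
# hosts a honeytoken URL planted inside a honeyfile.
ACCESS_LOG = """\
198.51.100.7 - - [01/May/2024:02:25:10 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [01/May/2024:02:25:42 +0000] "GET /docs/q3-payroll-export.xlsx HTTP/1.1" 404 0
"""

HONEYTOKEN_PATHS = {"/docs/q3-payroll-export.xlsx"}  # assumed canary path

KV_RE = re.compile(r"(\w+)=(\S+)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_kv(line):
    """Turn '<ts> k=v k=v' into a dict; the leading token is the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def bytes_out_per_source(log):
    """Sum outbound bytes per source IP over the whole log window."""
    totals = defaultdict(int)
    for line in log.splitlines():
        f = parse_kv(line)
        totals[f["src"]] += int(f["bytes_out"])
    return dict(totals)


def flag_volume_outliers(totals, limit_bytes=100 * 1024 * 1024):
    """Sources whose outbound total exceeds the (assumed) 100 MB baseline."""
    return sorted(src for src, b in totals.items() if b > limit_bytes)


def shannon_entropy(s):
    """Bits per character; random-looking data scores high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_tunnel(qname, max_label_len=30, min_entropy=3.5):
    """DNS tunnelling stuffs data into the leftmost label, so it is long
    and/or high-entropy. The entropy test only applies to labels of 16+
    chars to avoid flagging short but varied hostnames."""
    first = qname.rstrip(".").split(".")[0]
    if len(first) > max_label_len:
        return True
    return len(first) >= 16 and shannon_entropy(first) > min_entropy


def flag_dns_tunneling(log):
    """(src, qname) pairs for queries that look like tunnelling."""
    return [(f["src"], f["qname"]) for f in map(parse_kv, log.splitlines())
            if looks_like_tunnel(f["qname"])]


def flag_honeytoken_hits(log, paths=HONEYTOKEN_PATHS):
    """Any request for a canary path is a hit regardless of status code:
    the path is never linked from anywhere legitimate, so a 404 still
    means someone opened the honeyfile."""
    hits = []
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(4) in paths:
            hits.append((m.group(1), m.group(2), m.group(4)))
    return hits


def triage(proxy_log=PROXY_LOG, dns_log=DNS_LOG, access_log=ACCESS_LOG):
    """Run all three detections and return their findings together."""
    return {
        "volume": flag_volume_outliers(bytes_out_per_source(proxy_log)),
        "dns": flag_dns_tunneling(dns_log),
        "honeytoken": flag_honeytoken_hits(access_log),
    }


if __name__ == "__main__":
    for kind, hits in triage().items():
        print(kind, hits)
```

On the constructed data the volume rule flags 10.0.5.44 (about 1.5 GB out to a file-sharing host), the DNS rule flags the same host's two tunnel-shaped queries, and the honeytoken rule reports the external IP that fetched the canary document. In practice the byte limit and entropy threshold have to be tuned against your own baseline (CDN hostnames and large backup jobs are the usual false positives), and the honeytoken hit is the highest-confidence signal of the three because it has no benign explanation.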

In addition to these controls, as noted in this blog post last month, organizations that fall victim to ransomware should engage experienced outside counsel to commence an internal investigation and to:

  • Retain technical consultants to engage with the threat actors as necessary, determine what data was exfiltrated, manage the decryption process, recover and remediate impacted systems, and eliminate the risk of reinfection.
  • Leverage relationships with law enforcement to cross-reference elements of the ransomware with databases and obtain helpful information.
  • Work with insurers to determine whether and how coverage applies (e.g., cyber risk, kidnap and ransom, cyber extortion, or various other cybercrime policies).
  • Establish separate lines of communication for key personnel in case normal lines of communication are compromised during negotiation, decryption and/or recovery phases.
  • Provide advice relating to what, if any, legal obligations have been triggered by the exfiltration of data and the deployment of ransomware.