Data Exfil: The New and Darker Version of Ransomware

Posted on September 21, 2022 by Joao Correia

Ransomware has become such a common threat over the last few years that companies anticipate coming face to face with an attack at some point. Nonetheless, victims’ lack of adequate preparedness still drives many of the attacks, while the high price of cryptocurrencies has added fuel to the fire. Many threat actors worldwide jumped in on the ransomware action, driving rapid growth as companies opened the door to extortion through poor security, lackluster patch management, and backups that just don’t work.

While ransomware isn’t going away anytime soon, it is somewhat losing its shine for criminals. This is partly because some organizations are getting better at defending their technology assets, and lower crypto valuations have reduced the gains. While looking for another opportunity, threat actors have focused on something more dangerous than ransomware: data exfiltration.

What could be a bigger threat than encrypting data?

Data exfiltration – or just exfil – is becoming a more common threat. We noticed its growing prevalence earlier this year as we saw attacks at Microsoft, Nvidia, and other large tech firms.

Take this year’s attack on Nvidia, for example. The threat group Lapsus$ entangled Nvidia in a complex exchange in which the chipmaker was threatened with the public exposure of the source code for its proprietary Deep Learning Super Sampling (DLSS) technology. If Nvidia’s code were made public, it would substantially undermine the company’s competitive position.

And that’s what exfil is all about. Instead of focusing on encrypting data and threatening data loss, exfil attacks are about exposing consequential, private data to the public. The next step is similar to ransomware: the attacker proceeds to extort the victim, threatening to release the data to the public or to sell it to a third party.
In fact, seventy percent of ransomware attacks now involve a threat to leak the data exfiltrated during the attack. This was up 43 percent from the previous quarter, confirming that the threat of data exfiltration has rapidly become part of the new ransomware normal.

In many cases, exfil is a much bigger threat

In the tech sector, proprietary technology is the core competitive advantage. How this technology works – or the source code for it – is incredibly valuable. Competitors who gain access to trade secrets can completely undermine the company that initially developed the technology. And it’s not even just the proprietary technology itself – it’s confidential business processes, algorithms, conference call recordings… and this is relevant across all industries.

It’s not difficult to see that malevolent actors who access this information pose a genuine, very worrying threat – the threat of taking away a company’s competitive advantage. It’s a much more significant danger than ransomware: lost data is lost data and no more. Often this data can be recovered to a degree, and practices are being put in place to reduce the impact of this type of attack. Leaked information, on the other hand, can cause much more damage.

There’s a cross-border complicating factor to exfil too. Information exfiltration is increasingly a result of the complex state of the world today. There is significant demand for the transfer of intellectual property from one country to the next – across competing geopolitical lines. Moreover, some countries might even be “lenient” toward local threat actors that focus their attacks on the other side of the geopolitical line.

Exfil has another interesting aspect

One of the themes driving the information exfiltration game is that malicious actors are increasingly choosing to stay undetected for as long as possible.
Cybersecurity teams have been noting this behavior for quite some time: threat actors linger much longer in a system before revealing their presence. It completely contrasts with past attacks that took the approach of a “you’ve been hacked” message flashing across the screen. By taking this approach, the attacker has more time to observe how information flows across a network and to do more intensive reconnaissance – with more opportunities to find the juicy stuff. Quietly lingering for longer allows for more opportunities for harm.

Just like ransomware, you can protect yourself against exfil

The cybersecurity strategies against ransomware will also guard against exfil extortion – it’s just that it is now even more critical for organizations to take these measures. Many companies have ransomware protection in place – backup strategies and more finely-grained access to systems and data, for example. These measures still work against ransomware and will be a strong deterrent against attacks driven by information exfiltration.

As we’ve suggested many times, that includes one of the most critical parts of cybersecurity risk management: keeping your systems patched consistently, because patching closes many easy paths to a successful cyberattack. However, traditional patching that relies on maintenance windows won’t cut it anymore. It’s simply not sufficiently responsive against fast-moving threats.

Instead, consider live patching from TuxCare. Our KernelCare Enterprise solution immediately protects your workloads against threats, eliminating the lag caused by maintenance windows – and reducing the opportunity for attackers to find a way in. Learn more about what KernelCare Enterprise can do here.