Recent Ransomware Attacks Raise the Stakes for Data Exfiltration

March 04, 2020

Richard Cassidy

Although 2020 is still young, we are already seeing high-profile ransomware attacks that use tactics introduced in late 2019, and those tactics have increased the collateral damage for victims.

Threat actors are no longer content with just encrypting data and demanding a ransom before they decrypt it. Instead, they exfiltrate the data during the attack and keep a copy on their own infrastructure, to be used later for extortion and smear campaigns.

Travelex, the world’s largest retail currency dealer, was the victim of this new tactic when it was attacked on New Year’s Eve by UNKN, a threat actor operating the Sodinokibi (REvil) ransomware. The attackers gained access through a Pulse Secure VPN server vulnerability that Travelex had not patched, deployed the ransomware, and were able to extract some data from Travelex’s systems. UNKN demanded $6 million in return for the data, which Travelex declined to pay. As a result, the adversary posted 5GB of Travelex data online, including both financial data and personally identifiable information (PII), increasing the risk of regulatory fines for privacy violations.

Travelex also had to take parts of its network offline for several weeks, forcing the company to deliver its currency exchange services to customers manually and increasing operating costs. In addition, shares of Travelex’s parent company, Finablr, dropped 12 percent after the attack, and Bloomberg has reported that Finablr investors sold off $75 million worth of stock.

From Mass Scale to Targeted Attacks

Targeted attacks such as the one on Travelex are becoming the preferred approach for sophisticated adversaries, who realize they can set higher ransom demands given the value of the data and the brand reputation of their victims.

Rather than relying on automation or social engineering alone, sophisticated criminals take their time to carry out reconnaissance and learn every aspect of an organization’s network and defenses. They break in by brute-forcing passwords, escalate to administrator privileges, and gain access to critical data as well as to the security tools that are supposed to protect it. From that position they can also delete local backups and block backups to the cloud, making recovery from a ransomware attack much more difficult.

Government agencies are often prime targets; according to Barracuda Networks, they account for two-thirds of all known ransomware attacks. Most recently, the City of Las Vegas was attacked in the early morning hours of January 7, 2020. The timing was particularly challenging, as the city was preparing for the start of CES, the Consumer Electronics Show, the largest technology show in the world.

Ransomware attacks on cities can be costly, and as a result some local governments have chosen to pay the criminals to regain access to their systems rather than spend the money to rebuild lost information. Fortunately, thanks to early detection by staff monitoring the City of Las Vegas’s systems, the network was taken offline and no data was lost.

Hospitals are also prime targets. Enloe Medical Center in Chico, California, fell victim to a targeted ransomware attack on January 14, 2020. Most of the phone system was affected, and the hospital was forced to reschedule elective procedures. As a precaution against further impact, systems were removed from the network and Enloe Medical Center ran on its back-up, offline procedures. Fortunately, Enloe Medical Center states that no patient data was leaked.

Defeating ransomware with threat intelligence

With the increasing sophistication of criminals and easy access to ransomware-as-a-service (RaaS) offerings such as Sodinokibi, we can expect to see more attacks in 2020.

The best defense against ransomware is a good offense: proactive prevention and mitigation. Behavioral modeling through user and entity behavior analytics (UEBA) is one of the most effective approaches. The goal is to monitor the relevant behaviors continuously in order to learn what is normal for the users and devices on the network, so that unusual behavior that could be the result of a ransomware attack stands out. A ransomware attack typically unfolds in several stages, which makes early detection possible with the right solution.

The six stages of the ransomware kill chain begin with the distribution campaign. Adversaries use techniques such as social engineering to trick users into downloading a dropper, which initiates the infection and the execution of malicious code. Next, during the staging phase, the ransomware embeds itself deep in the victim’s environment. It then has ample time to scan systems for files to encrypt. Having identified its target files, the ransomware begins the encryption process, which can take anywhere from seconds to hours. Once the files are encrypted, a message is delivered demanding payment of the ransom.
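As an added illustration of the behavioral approach (example code written for this page, not code from the original post or from Exabeam’s platform), the Python script below baselines each user’s per-minute file-write rate and the set of file extensions that user normally writes, then flags a minute in which the rate is far above the user’s own baseline and most of the writes go to an extension the user has never used. That combination is how the scanning-and-encryption stages look in file-activity logs: many files rewritten or renamed in a short time to a new extension. The log format, the user names, the thresholds (MIN_EVENTS, SIGMA, NEW_EXT_SHARE) and every sample line are constructed assumptions for this example; a real deployment would feed Windows file-audit or EDR events and tune the thresholds per environment.

```python
"""Behavioral detection of the ransomware encryption stage from file-activity logs.

Baseline, per user: write events per minute and the set of file extensions the
user has written before. Alert when a minute is both a burst (rate far above the
user's baseline) and dominated by extensions the user has never touched, which is
the signature of files being rewritten or renamed as they are encrypted.
Thresholds and the log format are illustrative assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime
import statistics

WRITE_ACTIONS = {"create", "modify", "rename"}
MIN_EVENTS = 10      # never alert on fewer writes per minute than this (assumed)
SIGMA = 3.0          # standard deviations above the user's mean that count as a burst
NEW_EXT_SHARE = 0.5  # share of writes to extensions the user has never used before

# Constructed sample log (not from any real system). One event per line:
# "<ISO timestamp> <user> <action> <path>". alice and bob have a quiet morning;
# carol does a legitimate bulk export of CSV files; then at 08:12 bob's account
# starts renaming files on the finance share to a never-seen ".locked" extension.
SAMPLE_LOG = """\
2020-01-14T08:00:05 alice modify C:\\Users\\alice\\Documents\\q4-budget.xlsx
2020-01-14T08:01:12 alice modify C:\\Users\\alice\\Documents\\notes.docx
2020-01-14T08:02:10 carol modify \\\\fs01\\sales\\report.csv
2020-01-14T08:02:40 alice create C:\\Users\\alice\\Documents\\report.docx
2020-01-14T08:03:09 bob modify \\\\fs01\\finance\\ledger.xlsx
2020-01-14T08:04:51 alice modify C:\\Users\\alice\\Documents\\q4-budget.xlsx
2020-01-14T08:05:30 bob modify \\\\fs01\\finance\\payroll.csv
2020-01-14T08:06:02 alice read C:\\Users\\alice\\Documents\\notes.docx
2020-01-14T08:07:44 alice create C:\\Users\\alice\\Desktop\\todo.txt
2020-01-14T08:08:15 bob create \\\\fs01\\finance\\invoices.pdf
2020-01-14T08:10:21 bob modify \\\\fs01\\finance\\ledger.xlsx
2020-01-14T08:11:05 alice modify C:\\Users\\alice\\Documents\\notes.docx
""" + "".join(  # carol's 30-file export in one minute, generated to keep the sample short
    f"2020-01-14T08:09:{i:02d} carol create \\\\fs01\\sales\\export{i:02d}.csv\n"
    for i in range(30)
) + "".join(    # 40 renames to a new extension in one minute: the encryption stage
    f"2020-01-14T08:12:{i:02d} bob rename \\\\fs01\\finance\\doc{i:03d}.xlsx.locked\n"
    for i in range(40)
)


def extension(path):
    """Lower-cased final extension of a Windows or UNC path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse(log_text):
    """Parse log lines into (timestamp, user, action, path) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return events


def detect(events):
    """Return alerts as (user, minute, write_count, new_extension_share).

    Each minute is scored against the user's earlier minutes only, so the
    baseline is learned from the log itself. An alerting minute is not folded
    back into the baseline, so a long encryption run cannot teach the model
    that 40 renames a minute is normal for this user.
    """
    writes = defaultdict(lambda: defaultdict(list))  # user -> minute -> [paths]
    for ts, user, action, path in events:
        if action in WRITE_ACTIONS:
            writes[user][ts.replace(second=0, microsecond=0)].append(path)

    alerts = []
    for user, minutes in writes.items():
        rates = []        # write counts of this user's earlier minutes
        seen_ext = set()  # extensions this user has written before
        for minute in sorted(minutes):
            paths = minutes[minute]
            count = len(paths)
            exts = [extension(p) for p in paths]
            new_share = sum(e not in seen_ext for e in exts) / count
            mean = statistics.mean(rates) if rates else 0.0
            sd = statistics.pstdev(rates) if rates else 0.0
            threshold = max(MIN_EVENTS, mean + SIGMA * sd)
            if count >= threshold and new_share >= NEW_EXT_SHARE:
                alerts.append((user, minute, count, new_share))
                continue
            rates.append(count)
            seen_ext.update(exts)
    return alerts


if __name__ == "__main__":
    for user, minute, count, share in detect(parse(SAMPLE_LOG)):
        print(f"ALERT {minute:%H:%M} {user}: {count} writes, "
              f"{share:.0%} to extensions this user has never used")
```

Run against the sample, only bob’s 08:12 minute is flagged. carol’s 30 CSV creates in a single minute are a bigger rate burst than anything in her baseline, but every file uses an extension she already writes, so a detector that only counted events would have raised a false positive where this one stays quiet. The same two-signal idea carries over to the other stages the post describes: the staging phase shows up as registry and persistence writes a host has never made before, and the scan phase as a process reading far more directories than that user’s baseline.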

The Exabeam Security Management Platform lets you monitor the entire ransomware kill chain across all six stages. Using your own file activity logs, registry tracking logs and security alerts, the platform gives you a detailed analysis of the attack, allowing you to detect it quickly and prevent the ransomware from doing harm.

To be better prepared against ransomware in 2020, I encourage you to read a recent blog post from our technical marketing team.
