Which stolen data are ransomware gangs most likely to disclose?

If your organization gets hit by a ransomware gang that has also managed to steal company data before hitting the “encrypt” button, which types of data are more likely to end up being disclosed as you debate internally on whether you should pay the ransomware gang off?

Rapid7 analysts analyzed 161 data disclosures performed by ransomware gangs using the double extortion approach between April 2020 and February 2022, and found that:

• The most commonly leaked data is financial (63%), followed by customer/patient data (48%)
• Files containing intellectual property (e.g., trade secrets, research data, etc.) are rarely disclosed (12%) by ransomware gangs, but if the organization is part of the pharmaceutical industry, the risk of IP data being disclosed is considerably higher (43%), “likely due to the high value placed on research and development within this industry.”

The double extortion tactic

Ransomware data disclosures usually happen when the victim organization refuses to pay the ransom. First, the gangs disclose a sample of compromised data and, if the victim is still not convinced of the damages a full leak would bring, they disclose the rest and/or sell it.

Ransomware groups’ leak sites are usually set up on the dark web, but one group has recently published stolen victim data on the public Internet.

Data disclosure was pioneered by the now-defunct Maze ransomware group, but the approach has been adopted by other players in the ransomware market (REvil, Conti, Cl0p, etc.) because potential victims started investing more effort in making good backups.

Data disclosures depending on victim organization’s vertical

Victims in the financial services sector should mainly worry about customer data being released. It happened in 82% of the analyzed cases, while the average percentage for all disclosures across all sectors is 41%. Stolen employee PII and HR data, as well as finance and accounting data are also leaked often (59% and 50%, respectively).

Victims in the healthcare vertical have their finance and accounting data leaked in 71% of cases, and their customer and patient data leaked in 66% of cases. The analysts posit that the latter percentage is high because attackers are counting on the targets being concerned about the legal and regulatory consequences of patient data breaches. Also, detailed patient data is often misused by criminals for identity theft and other forms of fraud.

As noted before, organizations in the pharma vertical should worry especially about their IP being released, as well as their finance and accounting data (71%).

The analysts advise companies to make backups and make sure the data in them can be quickly restored, but to counter the data disclosure threat by using file encryption, rendering any files unreadable to unauthorized eyes, and to minimize attackers’ movements via network segmentation.

“Organizations can use these findings to assess which specific data assets should receive additional protection,” they added, and to prepare for the event of a ransomware data disclosure (e.g., preparing customer/patient notifications).