Sunday, 03 July 2022 14:14

New Report Shows What Data Is Most at Risk to and Prized by Ransomware Attackers

By Rapid7

A new report reveals how attackers think, what they value, and how they apply the most pressure on victims. The report released today by Rapid7 investigates the trend, pioneered by the Maze ransomware group, of double extortion, examining the contents of initial data disclosures intended to coerce victims to pay ransoms.

Titled “Ransomware Data Disclosure Trends”, the report tells the story of how ransomware attackers think, what they value, and how they apply the most pressure on victims to get them to pay, providing insights into the data threat actors prefer to collect and release.

By gaining access to a network and holding its data for ransom, ransomware attackers have become one of the most pressing and diabolical threats faced by cybersecurity teams. Ransomware has caused billions in losses across nearly every industry around the world and has stopped critical infrastructure like healthcare services in its tracks, putting the lives and livelihoods of many at risk.

In recent years, threat actors have upped the ante by using “double extortion” as a way to inflict maximum pain on an organisation. Through this method, not only are threat actors holding data hostage for money, but they also threaten to release that data (either publicly or for sale on dark web outlets) to extract even more money from companies.

In a first-of-its-kind analysis using proprietary data collection tools to analyse the disclosure layer of double-extortion ransomware attacks, Rapid7 has identified the types of data attackers initially disclose to coerce victims into paying ransoms, determining trends across industry. Australia was positioned eighth in the rankings for distribution of ransomware incidents in the top 12 countries.

The report examined all ransomware data disclosure incidents reported to customers through the company’s threat intelligence platform between April 2020 and February 2022, and also incorporates threat intelligence coverage and institutional knowledge of ransomware threat actors. This analysis determined the following:

  • The most common types of data attackers disclosed in some of the most highly affected industries and how they differ

  • How leaked data differs by threat actor group and target industry

  • The current state of the ransomware market share among threat actors and how that has changed over time

Finance, pharma, and healthcare

Overall, trends in ransomware data disclosures pertaining to double extortion varied only slightly, except in a few key verticals: pharmaceuticals, financial services, and healthcare. In general, financial data was leaked most often (63%), followed by customer/patient data (48%).

In the financial services sector, customer data was leaked most of all, rather than financial data from the firms themselves. Some 82% of disclosures linked to the financial services sector were of customer data. Internal company financial data, which was the most exposed data in the overall sample, made up 50% of data disclosures. Employees' personally identifiable information (PII) and HR data were more prevalent, at 59%.

In the healthcare and pharmaceutical sectors, internal financial data was leaked some 71% of the time, more than any other industry. Customer/patient data also appeared with high frequency, having been released in 58% of disclosures from the combined sectors.

In the pharmaceutical industry, the tendency of threat actors to release intellectual property (IP) files stood out. In the overall sample, just 12% of disclosures included IP files, but in the pharma industry, 43% of all disclosures included IP, which is likely due to the high value placed on research and development within this industry.

The state of ransomware actors

One of the more interesting results of the analysis was a clearer understanding of the state of ransomware threat actors. It's always critical to know your enemy, and with this analysis, we can pinpoint the evolution of ransomware groups, what data the individual groups value for initial disclosures, and their prevalence in the market.

For instance, between April and December 2020, the now-defunct Maze Ransomware group was responsible for 30%. This “market share” was only slightly lower than that of the next two most prevalent groups combined (REvil/Sodinokibi at 19% and Conti at 14%). However, the demise of Maze in November of 2020 saw many smaller actors stepping in to take its place. Conti and REvil/Sodinokibi swapped places respectively (19% and 15%), barely making up for the shortfall left by Maze. The top five groups in 2021 made up just 56% of all attacks with a variety of smaller, lesser-known groups being responsible for the rest.

Recommendations for security operations

While there is no silver bullet to the ransomware problem, there are silver linings in the form of best practices that can help to protect against ransomware threat actors and minimise the damage, should they strike. This report offers several that are aimed at double extortion, including:

  • Going beyond backing up data and including strong encryption and network segmentation

  • Prioritising certain types of data for extra protection, particularly in fields where threat actors seek out that data specifically to put the most pressure on those organisations

  • Understanding that certain industries are going to be targets of certain types of leaks, and ensuring that customers, partners, and employees understand the heightened risk of disclosures of those types of data and are prepared for them

To get more insights and view some (well redacted) real-world examples of data breaches, the full paper is available here.
