What Happens When Hackers Exfiltrate Data From Your Business?
Data breaches are among the most harmful cybersecurity issues any business faces, with the potential for long-term financial and reputational damage. But while there can be many causes of such incidents, from careless employees to an insider threat, the deliberate targeting of firms in order to exfiltrate data as part of ransomware attacks can be the most costly, as well as the hardest to stop.
Attempts to exfiltrate data have become a major part of ransomware threats, as they can enable criminals to repeatedly extort businesses with the threat of exposure of their data. And with ransomware on the rise, it will likely only be a matter of time before they come for your company – assuming you haven’t already been breached.
The Role of Data Exfiltration in Ransomware
The rise of data exfiltration tactics has driven much of the growth in ransomware over the past few years. Threat actors have increasingly recognized that this gives them more leverage when extorting businesses and puts extra pressure on organizations to pay. As such, traditional approaches to fighting ransomware may need a rethink.
How are Ransomware Attacks Evolving?
In the past, a key aim of ransomware was to disrupt businesses by encrypting files or shutting down systems, with the aim of payments being made to get operations up and running again, as was seen in high-profile attacks like the 2017 WannaCry incident. But as firms have become more alert to this threat with defenses such as better backups, these attacks are now less effective.
Therefore, cybercriminals have increasingly turned to data exfiltration as a way of forcing their victims to pay up. In these cases, known as double extortion ransomware attacks, the consequences for not paying can be high, especially in an area where there are tough regulatory penalties for failing to protect personal data in addition to any direct business harm.
In many cases, hackers are counting on firms making risk assessments and determining the cost of paying will be less damaging than ignoring a demand.
How Common is Data Exfiltration?
Data exfiltration is an increasingly common aspect of ransomware attacks. In 2020, for example, research by Emsisoft estimated around one in ten such incidents included a data exfiltration element. However, double extortion ransomware using exfiltrated data climbed by more than 900 percent the following year, while BlackFog’s 2021 Ransomware Attack Report found that 80 percent of attacks exfiltrated data by the end of the year. As such, it has quickly moved from being a relatively limited form of attack to a primary way in which hackers can make money.
What are the Motivations for Data Exfiltration?
The main motivation for ransomware attacks is financial. According to Verizon, 96 percent of attacks are for financial or personal gain. In the vast majority of cases, hackers demand a payment and use the threat of releasing exfiltrated data as an incentive to get firms to give in to demands. The prospect of additional harm from the exposure of the information can convince firms to pay up where they otherwise wouldn’t, mindful of the potential extra costs that data exposure can bring.
Data exfiltration can therefore be a highly lucrative avenue for attackers. According to figures from Palo Alto Networks, the average ransomware payment increased by 71 percent in the first half of 2022, reaching $925,162. However, some high-profile cases and those that involve especially sensitive data or systems can cost much more. For example, energy provider Colonial Pipeline paid around $5 million to halt an attack on its network in 2021.
Not every occurrence of data exfiltration is solely financially motivated, however. Providing classified data to hostile nation states may be another reason to target businesses in critical sectors, while some hackers simply want to cause disruption or publicly embarrass companies, especially ones they have a political dispute with – known as ‘hacktivism’. Verizon suggests, for example, that one in four cyberattacks on large organizations are a form of protest.
What Happens When Criminals Exfiltrate Data?
Falling victim to a data exfiltration attack is something no business wants to think about, but it’s an occurrence that must be prepared for in advance. While strong data loss prevention technologies are essential in minimizing the risk, traditional tools may find it difficult to spot the advanced techniques used by today’s ransomware attackers.
How do Criminals Exfiltrate Data?
The methods criminals use to conduct a data exfiltration attack vary, but they often take advantage of phishing attacks to infiltrate businesses. Once in, a third of attacks use botnets to exfiltrate data and send it back to control servers.
With many networks having greatly increased their number of endpoints in recent years, thanks to developments such as mobile devices, the Internet of Things and remote working, cybercriminals may find it easier than ever to locate a weak point they can use to exfiltrate data.
Another aspect of any data protection strategy that should not be overlooked is the threat of a malicious insider. These individuals often have different motivations than ransomware attackers – they are more likely to look to sell data directly or take it with them to a new company than try to extort their current or former employer – but they still pose a major threat.
People with knowledge of your systems and what sensitive data you possess can be particularly dangerous, and have more options for committing a data breach, such as the use of portable devices like USB sticks.
How Should Firms Respond to Data Exfiltration?
The big question for any firm that suffers a data exfiltration attack is whether or not to pay. In the short term, giving in to demands can be an attractive option, as it can put a swift end to the situation. It may also be the case that any payments made could be claimed back on ransomware insurance policies – though it will inevitably make it harder to get affordable cover in the future.
However, there are several issues with this. Number one is that, as soon as you pay up, you’re painting a target on your own back. Once hackers see that you’re willing to part with money, there’s very little to stop them coming back time and again. Indeed, it’s estimated that as many as 80 percent of firms that have fallen victim to an extortion data breach will be targeted again.
Other problems include that you’re trusting that criminals will keep their word not to release data – which they may have little reason to do. Finally, on a wider scale, the more companies that give in to extortion demands, the more cybercriminals will continue to use these tactics, which harms every business, as cybersecurity insurance costs go up and threat actors develop new ways of bypassing defenses.
Do Backups Protect Against Ransomware Data Exfiltration?
Traditionally, an effective, frequently-updated backup strategy has been an important line of defense against ransomware attacks. Having this in place ensures that any encrypted data can be recovered and downtime kept to a minimum. But if an attacker has also stolen data, there’s little that can be done about this.
Figures from Venafi show just 17 percent of ransomware attacks now ask for money in exchange for a decryption key, with data extortion the main goal of these attacks. As such, firms must ensure they have a data exfiltration prevention strategy to guard against ransomware instead of relying on outdated techniques like backups.
How Can Exfiltrated Data Hurt You?
Exfiltrated data can do a huge amount of damage to any business. Personally identifiable information of customers, for example, can be hugely damaging if released publicly. This could lead to financial penalties from privacy regulators, compensation and reputational damage. Meanwhile, trade secrets or proprietary information can give competitors crucial insight into what you’re doing and erode any advantage you have.
What are the Direct Costs of Ransomware Data Exfiltration?
The initial costs of a successful data exfiltration attempt will mainly include any ransomware payment itself, but this is just one aspect of financial losses. Data exfiltration can lead directly to lost business if customers feel they can no longer trust a company, while the cost of investigating incidents and strengthening systems to prevent future attacks can all quickly add up.
Overall, while costs vary widely depending on the business and the amount of data lost, it’s estimated by the Ponemon Institute that the typical company may face average costs of around $4.35 million per data breach as of 2022.
In the longer term, compensation, fines and legal issues can be a major factor, even if information obtained isn’t published. For example, back in 2016, ride-hailing app Uber paid a ransom of $100,000 to hackers who extorted its bug bounty program to prevent the release of the details of up to 57 million users. However, it was later fined $148 million for failing to disclose the data breach – while its former security chief was criminally charged for the cover-up and found guilty in October 2022.
How Can Exfiltrated Data Harm Your Brand’s Reputation?
In some cases, limited releases of less valuable exfiltrated data can be used to spur businesses to act. For example, in 2022, a hacker exfiltrated confidential material from game developer Rockstar, releasing multiple videos from its in-development flagship title Grand Theft Auto 6 as proof the hack was genuine.
This was followed by a threat to release the much more valuable source code unless a ransom was paid. In this case, no money changed hands and law enforcement moved quickly to make an arrest, but much damage had already been done to the brand’s reputation.
Many consumers and partners may be wary of doing business with a company that has publicly fallen victim to extortion, regardless of whether or not they pay up. But as the Uber case also proves, paying to keep breaches quiet is unlikely to be an effective long-term strategy.
What Can Organizations do to Guard Against Extortion?
The best way to fight extortion threats is to make it as difficult as possible for a cybercriminal to get their hands on valuable data. This means having a comprehensive data exfiltration prevention strategy that can cover every endpoint on a network and take action automatically when it detects suspicious outbound traffic.
Preventing ransomware from entering your business in the first place should remain a key part of any data security strategy, through tools such as firewalls and email security solutions, but these can’t be relied on, as perimeter defense tools are proving ineffective at preventing the types of attacks we see today.
Therefore, behavioral monitoring and automation tools that can stop any data exfiltration attempts before traffic has a chance to leave the network are vital. This should, however, only be one part of a holistic approach to security operations that includes using principles of zero trust to reduce insider threat risk, comprehensive user training to spot phishing attacks and the latest threat intelligence tools. It is only through a combination of these solutions that firms can prevent data theft and avoid associated extortion risks.
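To make the idea of behavioral monitoring of outbound traffic concrete, the following is an added example (not part of the original article and not any vendor's product logic) showing only the detection half: it profiles each host's normal egress and flags departures from it. The flow records, host names, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records: (day, internal host, external destination, bytes out).
BASELINE = [
    (1, "ws-014", "203.0.113.10", 40_000_000),
    (2, "ws-014", "203.0.113.10", 55_000_000),
    (3, "ws-014", "203.0.113.10", 45_000_000),
    (1, "db-002", "198.51.100.7", 5_000_000),
    (2, "db-002", "198.51.100.7", 6_000_000),
    (3, "db-002", "198.51.100.7", 4_000_000),
]
TODAY = [
    (4, "ws-014", "203.0.113.10", 60_000_000),  # usual destination, usual volume
    (4, "db-002", "198.51.100.7", 5_000_000),   # usual destination, usual volume
    (4, "db-002", "192.0.2.99", 900_000_000),   # large upload to a never-seen destination
]

def build_profile(flows):
    """Per host: (median daily outbound bytes, set of destinations seen)."""
    daily = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for day, host, dest, sent in flows:
        daily[host][day] += sent
        dests[host].add(dest)
    return {h: (median(d.values()), dests[h]) for h, d in daily.items()}

def flag_hosts(profile, flows, ratio=5, new_dest_bytes=100_000_000):
    """Return {host: [reasons]} for hosts whose egress departs from their profile.

    ratio and new_dest_bytes are illustrative thresholds, not recommended values.
    """
    total = defaultdict(int)
    to_new = defaultdict(int)
    for _day, host, dest, sent in flows:
        known = profile.get(host, (0, set()))[1]
        total[host] += sent
        if dest not in known:  # a host with no profile has no known destinations
            to_new[host] += sent
    alerts = defaultdict(list)
    for host, sent in total.items():
        typical = profile.get(host, (0, set()))[0]
        if typical and sent > ratio * typical:
            alerts[host].append(f"volume {sent / typical:.0f}x median")
        if to_new[host] > new_dest_bytes:
            alerts[host].append(f"{to_new[host]} bytes to new destinations")
    return dict(alerts)

if __name__ == "__main__":
    print(flag_hosts(build_profile(BASELINE), TODAY))
```

In practice the two signals are tuned per host role, since a backup server and a workstation have very different normal egress.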