data exfiltration need to know
By |Published On: December 6th, 2019|14 min read|Categories: Data Exfiltration|

Data exfiltration, also known as data loss, data exfil and data leakage, refers to the theft or removal of information or data from an electronic device, typically a computer, mobile phone or other internet-connected device. This often includes valuable personal or corporate information that can be sold or used to extort individuals and companies for monetary gain. Such actions are big business for cybercriminals and a nightmare for the organizations that find themselves targeted.

In this blog, we’ll answer some of the most common questions around understanding data exfiltration and explain how BlackFog can prevent your organization from becoming the next victim.

data exfiltration theft information

What is Data Exfiltration?

Data exfiltration is the unauthorized copying, transfer or retrieval of valuable data from a computer, server or other device. It occurs when malware and/or a malicious actor carries out an unauthorized data transfer from a computer. Data exfiltration is considered to be a form of data theft.

Exfiltration is a growing problem for businesses, and is now a common factor of many ransomware attacks. According to BlackFog’s State of Ransomware report for 2022, almost nine out of ten reported ransomware incidents (89 percent) use data exfiltration, up from around 80 percent the previous year.

With the average ransomware payment reaching $258,143 towards the end of the year – a 13.2 percent increase from Q2 of 2022 – this is a serious threat to any firm’s future.

No business is immune to data exfiltration, with some of the world’s largest corporations experiencing these attacks. In the last couple of years, for instance, Samsung, Apple and more have all fallen victim to this type of attack. However, the majority of cases target less high-profile firms who are more likely to give in to any ransomware attack demands.

ransomware attacks exfiltrate

How Does Data Exfiltration Occur?

Data exfiltration can be divided into two categories: outsiders trying to gain unauthorized access to the network to steal valuable corporate data, and people on the inside willing to share it. Whilst often malicious in nature, data exfiltration can also be the result of carelessness.

In an outsider threat scenario, a cybercriminal will insert malware onto a network-based device, such as a computer or mobile phone. The malware will crawl other network devices in search of valuable information and attempt to exfiltrate it. Once compromised, the malware orchestrating the attack may lay dormant until the point of data exfiltration, or, to avoid detection, subversively collect information over time and gradually exfiltrate the data.

An insider threat, meanwhile, can be either malicious, such as a disgruntled employee looking to damage the company or steal data to take to a new employer, or accidental. This case involves malicious intent and may include sending confidential documents to personal email accounts or cloud servers and is one of the most common causes of a data leak. This highlights the need for strong cloud security protocols, as insider threats are not always easy to predict.

Data exfiltration malware often remains latent to avoid detection and only activates when the machine has been idle for a certain period of time. People are often surprised how much data their mobile phone consumes overnight when they haven’t even been using it. This is usually because data is being exfiltrated from the device.

Is Data Exfiltration Easy to Detect?

Data exfiltration can be very difficult to detect. As data routinely moves in and out of an organization, these activities can closely resemble normal network traffic, making it hard for traditional solutions to identify it.

This can cause major problems, as the longer an intrusion remains undetected, the more information it can steal. According to IBM, the average data breach takes 277 days – around nine months – to be spotted. This can mean huge amounts of information can be exfiltrated.

For example, some of the biggest data exfiltration attacks of 2022, according to our State of Ransomware report, included attacks on auto part manufacturer Denso that compromised 1.1 terabytes (TB) of data, insurer Kingfisher Insurance (1.4 TB), the local government of Suffolk County, NY (4TB) and Canadian College Montmorency, which was alleged to have lost 8TB.

Because it happens silently in the background, with the victim not even realizing it has occurred, organizations and individuals can be left highly vulnerable. With cyberattacks growing in both volume and sophistication, it is inevitable that malware will find its way onto a device, so the ability to spot and prevent information from leaving the network is an essential part of any data security strategy.

ransomware payments exceed 250k

How Do Cybercriminals Exfiltrate Data From Businesses?

Data exfiltration can be achieved using various techniques, but it’s most commonly performed by cybercriminals over the internet or a network. These attacks are typically targeted, with the primary intent being to gain access to a network or machine to locate and copy specific data.

Common techniques involve anonymizing connections to third party servers to protect the identity of the attacker. This can include a phishing attack, using the Dark Web, uploading to an external device, direct IP addresses, tunneling over HTTP or HTTPS and Fileless attacks, where perpetrators can use remote code execution.

Where is the Majority of Exfiltrated Data Going?

According to BlackFog’s internal research (September 2023), around 9 percent of all traffic is being exfiltrated to Russia and 32 percent is going to China. Data exfiltration to the Dark Web represented 1 percent of all traffic and 98% to illegal networks.

Who is Being Targeted by Data Exfiltration?

Businesses, public bodies and other non-profit organizations are all common targets of data exfiltration attacks, but hackers are especially interested in companies that hold highly confidential or sensitive information. This may include intellectual property or personal details that would be especially damaging if it were to enter the public domain.

The majority of exfiltrated data is used by criminal groups as part of extortion schemes. This often works by holding the data to ransom with threats to sell or publicly release it unless a payment is made – and this can be highly lucrative.

For example, in November 2022, the FBI noted that Hive, one of the world’s most prolific data exfiltration gangs, had extorted around $100 million since June 2021, victimizing over 1,300 companies around the world. Among its targets were banks, public services, educational institutes and healthcare providers, with patient data among the highly sensitive files stolen.

According to BlackFog’s State of Ransomware 2022 report, the most-commonly targeted industries for ransomware are education, government and healthcare, with all of these seeing major rises in attacks in the last year.

Is There an Increased Risk of Data Exfiltration from a Smartphone?

Yes, a malware attack is particularly common on smartphones, especially with Android devices, where software can often be inadvertently downloaded directly from the Google Play Store, or even come preinstalled on devices. In 2022, research by Malwarebytes, for example, suggested more than a million Android users had downloaded malware from just four fake apps. Earlier in the year, security researchers at Microsoft highlighted several high-severity vulnerabilitieswithin Android that could be used to create backdoors into devices, which may then be used for data theft.

Elsewhere, research by mobile security firm Kryptowire warned that dozens of smartphones – mainly budget models – using a certain chipset could be at risk due to a vulnerability in a preinstalled app that requires system-wide privileges. This followed an earlier study from Google that suggested around 7.4 million handsets contained preinstalled malware with the ability to take over the device and download apps in the background.

However, iPhone users aren’t immune either. While the Apple app store is generally regarded as less vulnerable to malware than its Android counterpart, there have been several reports of malware infecting iOS devices that could lead to data exfiltration. In August 2022, for instance, the firm patched a newly-discovered vulnerability that could allow attackers to take complete control of a device.

Can Traditional Antimalware Solutions Prevent Data Exfiltration?

Companies rely on a combination of technology, training, policies and trust to cope with data breaches. However, intrusion detection systems such as firewalls and antivirus solutions that remove known infections are not enough to prevent attackers from infiltrating the company network.

It is inevitable that attackers will find a way in. Therefore, the key to data exfiltration prevention is to stop the activation and removal of information using modern cybersecurity techniques. Organizations need to deploy a solution that prevents the exfiltration of data from every device on the network.

This usually comes in the form of data loss prevention (DLP) tools. However, these can struggle to keep up with the techniques used by today’s ransomware attackers and very difficult to maintain and configure.

Traditional DLP approaches use a variety of security measures, with a typical solution leveraging tools such as signature matching, structured data fingerprinting and file tagging to monitor traffic along with tools like intrusion detection and firewalls.

However, this is a highly data-centric approach to exfiltration prevention, which does not distinguish between users or intent. This means they cannot separate legitimate traffic from unintentional mistakes or malicious behavior.

These tools are very expensive to operate, since they require significant computing resources and personnel and need constant maintenance by the security team to keep them up to date. In addition, since they decrypt every data packet, they essentially behave like a “man-in-the-middle” attack, breaking current security protocols such as SSL.

How can Data Exfiltration be Prevented?

The inherent mobility of today’s workforce makes it difficult for companies to keep track of what’s happening on every device in the network, especially as companies grow and the number of endpoints multiply – including PCs, smartphones, tablets and even the Internet of Things.

With a significant proportion of network transactions taking place in the background, without consent, it is important that organizations and individuals are closely monitoring this activity.

Preventing the transmission of sensitive data to unidentified servers in regions where high levels of cyberattacks originate is paramount to protecting all network infrastructure. Modern attacks are predicated on the ability to communicate with third party servers to steal data. It is crucial that any cybersecurity solution is able to monitor, detect and prevent the unauthorized transmission of such data in real time.

To achieve this, firms must focus on protecting every endpoint from which traffic may leave the network. Anti data exfiltration (ADX) tools achieve this by working at the endpoint itself.

24x7 protection

How Does BlackFog Prevent Data Exfiltration?

Lots of cybersecurity firms can tell you when a breach or attack has taken place. BlackFog stops it from happening in the first place by focusing on preventing data loss, data profiling, and data collection at the point at which traffic attempts to leave the network.

BlackFog protects devices from today’s polymorphic attacks by focusing on prevention rather than the defensive based approaches of firewalls or antimalware solutions that remove the problem after the infection has already taken place.

Using a layered approach, BlackFog spots, in real-time, when an attacker is trying to remove unauthorized data from a device or network and shuts them down before they get the chance to.

Unlike traditional data-focused solutions, which rely on file signatures, BlackFog uses AI based machine learning and behavioral analysis. This means it is much better at being able to spot  unusual and suspicious activity and data exfiltration before it occurs.

Why is BlackFog Different?

BlackFog provides on-device safeguards against data exfiltration, with no data ever sent to the cloud. It is specifically focused on being able to block outbound data flow, ensuring what is on your device stays on your device.

It is one of the few solutions that operate on layer 3 of the OSI stack. Whereas most traditional antivirus tools operate at the application or session layers, BlackFog sits at the network layer, ensuring every packet of traffic is monitored, with a focus on the data itself.

Because it is designed to run on every endpoint – including mobile devices – our technology also has a much smaller footprint and overhead than traditional DLP tools. It’s lightweight enough to be deployed on every smartphone, which means you’re protected from any exfiltration attempt that takes place outside the corporate network.

BlackFog also detects and blocks the transfer of data to the Dark Web in real-time. This ensures that any ransomware threat actor will be unable to secure the stolen data that is required for any extortion attempt.

However, it offers far more than just endpoint security. As well as ransomware, BlackFog’s multiple layers of defense also protect you from spyware, malware, phishing attacks, unauthorized data collection and profiling.

To stay ahead of cybercriminals and protect your organization from threats, a multi-layered defense system preventing data exfiltration, unauthorized data profiling and data collection is crucial. Only by monitoring the flow of outbound traffic and stopping attacks in real time can you ensure no unauthorized data will fall into the wrong hands.

Learn more about how BlackFog protects enterprises from the threats posed by data exfiltration.

Share This Story, Choose Your Platform!

Related Posts