Why Exfiltration of Data is Your Biggest Threat
Published On: June 18th, 2023 | 12 min read | Categories: Data Exfiltration

Why Exfiltration of Data is the Biggest Cyberthreat Facing Your Business

A data breach is one of the most costly issues facing any business today. A typical incident can quickly run into millions of dollars' worth of costs to rectify and recover from, so it's no wonder that cyberthreats are named as the number one business risk for 2023, ahead of issues such as rising energy costs and macroeconomic uncertainty.

One particular danger is the exfiltration of data. This is often a key goal of ransomware attacks, because once cybercriminals hold a copy of the data, they have many options. Often, this involves extorting money from the business or selling valuable personal and financial data on the dark web.

The Danger of Data Exfiltration

As well as direct costs in the form of ransom payments, exfiltration of data can lead to many other issues. It can cause a major loss of trust among consumers, damaging a firm’s reputation for years to come. In turn, this means lost business and lower growth, and could even threaten the future viability of the company.

What are the Implications of Data Exfiltration?

The consequences of data exfiltration can be severe and wide-ranging. For starters, it can do huge damage to any business’ reputation. Customers will take note that their data is not safe with the business and be very wary of handing over personal and financial information in the future.

On top of this, there is the increased risk of regulatory and legal action. Under GDPR, for example, fines for mishandling or losing data can reach either €20 million or four percent of a firm’s global turnover – whichever is higher. The recent €1.2 billion fine handed out to Meta by Ireland’s data protection regulator illustrates just how seriously authorities take data privacy at all levels. 

Firms also run the risk of giving away trade secrets or other proprietary information to competitors, which could set back future plans and lead to the loss of any competitive edge.

How do Threat Actors Steal Your Data?

There is a wide range of methods ransomware groups can use to attack businesses and exfiltrate data, but the simplest often prove most effective. Many breaches are the result of techniques such as phishing, which rely on errors by employees to give hackers access: inadvertently sharing passwords, downloading malware, or even sending data directly to cybercriminals after being tricked by email impersonation.

Despite this wide potential for disruption, however, many users remain unaware of key security concepts. According to Proofpoint, for example, more than one in three users are unable to even define key terms such as 'malware', 'phishing' or 'ransomware'. This indicates that even though security professionals are well aware of the dangers cybercriminals pose, there's a lot of work to be done to improve the most vulnerable part of any business: its people.

Traditionally, companies have sought to tackle these issues with anti-phishing and anti-malware data security tools. However, ransomware groups are increasingly looking to bypass these defenses with techniques such as fileless malware, taking advantage of legitimate tools such as PowerShell. Because no malicious file is written to disk, there is no file signature for legacy protections to match on, making it easier for the exfiltration of data to go undetected.

What Will Hackers Do With The Data They Steal?

Once cybercriminals have a firm’s data, the most common next step is to extort enterprises into making a payment. In a traditional ransomware attack, where data is simply encrypted or corrupted, prepared companies would be able to ignore any demands for money by turning to their backups, with the biggest loss being the time it takes to restore such data.

If data has also been exfiltrated, this puts greater pressure on businesses to pay up. If they don’t, they run the risk of having highly sensitive information publicly released, as well as the associated negative publicity this brings. Therefore, many firms feel it will be cheaper in the long run to simply pay up. 

However, this is likely to cause more problems than it solves. The majority of firms that do pay up to end a ransomware attack will be targeted again, as they are signaling to cybercriminals that they are a worthwhile target.

Where is the Majority of Exfiltrated Data Going?

BlackFog’s 2022 Ransomware Attack Report examined the global data exfiltration market and found that nearly half of attacks that exfiltrate data originate from Russia or China. Last year, 27 percent of attacks sent stolen information to China – an 11 percent increase on the previous year. Meanwhile, 17 percent of exfiltrated data went to Russia, which marked a five percent rise on 2021.

Almost half of attacks (46 percent) are aimed at organizations in the United States, followed by the UK (seven percent) and Canada (six percent), illustrating the geopolitical issues related to ransomware and data exfiltration that firms will need to be aware of, especially if they hold highly sensitive information.

What are the Key Trends for Data Exfiltration?

Recent trends have made it clear that data exfiltration has become the primary goal of many ransomware attacks, as opposed to activities such as encrypting data. Indeed, last year, data exfiltration was a factor in almost nine out of ten incidents. Therefore, it's vital that firms are up to speed on what this means for their cybersecurity strategy.

What Types of Data Exfiltration Organizations Currently Experience?

There are several types of data exfiltration that businesses need to be aware of. Perhaps the most dangerous is deliberate, malicious data theft conducted via malware, which infects a target system, accesses sensitive information within a network, and sends it back to a command and control center.

However, this is not the only threat firms must bear in mind if they are to prevent data exfiltration. Many data breaches are the result of an insider threat, which could be either accidental or deliberate. For example, this could involve sending outbound emails to untrusted recipients, copying sensitive data onto external devices such as USB sticks to be physically removed from an office, or the use of unsecured and unauthorized tools like consumer cloud services to store data.

Lessons From Recent Data Exfiltration Attacks

A key theme of many large-scale ransomware and data exfiltration attacks of recent months is that, once a threat actor has removed data from the organization, it is far too late to mitigate the damage. 

For example, the ransomware attack that affected Royal Mail in January saw operations disrupted for over a month, costing the firm huge amounts of money and reputational damage. Importantly, however, the company refused to give in to the ransom demand, even after the group behind the attack started publishing stolen data.

While the organization followed best practice by not paying, this and other attacks emphasize the point that once data is stolen, there is little firms can do, so preventing a data exfiltration attack is much better than attempting to remedy one after the fact.

Once a firm has a reputation for poor security, this also encourages attackers to return time and again. For instance, T-Mobile recently reported its second data loss incident this year – to go along with three breaches in 2021.

Other lessons firms need to take from recent attacks include being aware that, while every business is a potential target, under-resourced sectors such as government, healthcare and education are particularly vulnerable.

What Tools Are Used for Data Exfiltration?

When it comes to ransomware and data exfiltration, toolkits such as LockBit remain highly popular with ransomware groups. In 2022, our research found this accounted for 16 percent of attacks – a 600 percent rise from the previous year. One reason for this is that it is relatively simple to use, as it functions as a ‘ransomware-as-a-service’ tool that its authors sell to other criminals in exchange for a cut of any proceeds.

LockBit is often delivered into a target organization via a phishing attack and is used to both encrypt and exfiltrate data. It is able to spread laterally within a network without operator direction, using legitimate tools like PowerShell and Server Message Block to evade detection. Other common ransomware tools that can be used to exfiltrate data include BlackCat, Hive and Conti, with half of attacks last year using one of these four variants.

How to Detect and Prevent Data Exfiltration

Given these threats, it’s clear that tools to prevent the exfiltration of data should be the highest priority for any business. However, many firms may not realize that the solutions they have relied on for many years to keep their operations safe from hackers are not well-equipped to deal with these fast-evolving threats.

Can a Firewall Protect Your Data From Exfiltration?

One of the major issues many companies may have is that their defenses are often outward looking, with a focus on stopping malicious software from entering a network, rather than looking at the data leaving it. 

Tools such as firewalls and anti-malware, for example, are not equipped to prevent data exfiltration. Hackers are always finding new ways of evading detection when infiltrating networks, and once they have bypassed perimeter defenses, they could well be free to spend weeks or even months looking for the most valuable business or personal data to exfiltrate undetected.

What Controls Help Defend Against Exfiltration of Data?

There are dedicated solutions firms can turn to in order to protect against data loss, although again, businesses need to be certain they have the latest and most advanced defenses in order to block data theft without disrupting normal business operations.

Data loss prevention tools, for example, sound good, but they can come with their own problems. Legacy tools often take a data-centric approach, looking for key fingerprints that can suggest malicious activity. However, these solutions often find it hard to understand context or user intent, which can make them prone to disruptive false positives, while letting actual data theft through.

They are also centralized, resource-intensive solutions that are expensive to implement and manage, with few guarantees they will provide the level of data protection they claim.

How Does BlackFog Prevent Data Exfiltration?

Dedicated anti-data-exfiltration (ADX) tools work differently. BlackFog's data exfiltration solution takes a behavior-focused approach to data traffic, using machine learning to build a profile of what normal activity looks like for the company. This allows it to step in automatically to block any data theft attempt without the need for human intervention, and without getting in the way of legitimate traffic.

As an endpoint solution, this also ensures all activities are carried out on the device level, meaning there is no break in the security chain as data does not need to be routed via a centralized solution for analysis. This gives the software a much smaller footprint than other data exfiltration prevention solutions, making it lightweight enough to be deployed on mobile devices outside the main network.
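The two sections above make the same point from different sides: perimeter tools watch what comes in, while an ADX approach baselines what normally leaves each device and acts on deviations. The script below is an added illustration of that idea and is not BlackFog's code or a description of its internals; it stands in for the machine-learning profile with a simple robust statistic (median plus median absolute deviation of daily outbound bytes per host) and a per-host set of known destinations. All hostnames, destinations and flow records are constructed sample data, and `203.0.113.45` is a reserved documentation address used here as the never-before-seen destination.

```python
"""Per-host outbound-volume baseline and anomaly check over constructed flow records.

Added example, not BlackFog's code. It models the behavioral idea from the text:
learn what "normal" egress looks like per host, then flag a day that deviates,
either by volume or by contacting a destination the host has never used.
"""
from collections import defaultdict
from statistics import median

# Constructed flow summaries: (day, host, destination, bytes_out).
# Days 1-7 form the learning window; day 8 is the day under review.
BASELINE_FLOWS = [
    (day, host, dest, size)
    for day in range(1, 8)
    for host, dest, size in (
        ("ws-finance-01", "crm.example.internal", 40_000),
        ("ws-finance-01", "mail.example.com", 15_000),
        ("ws-eng-07", "git.example.internal", 120_000),
        ("ws-eng-07", "pkg.example.com", 60_000),
    )
]

REVIEW_FLOWS = [
    (8, "ws-finance-01", "crm.example.internal", 42_000),
    (8, "ws-finance-01", "mail.example.com", 14_000),
    # Constructed anomaly: a large transfer to an address this host has never contacted.
    (8, "ws-finance-01", "203.0.113.45", 2_500_000),
    (8, "ws-eng-07", "git.example.internal", 130_000),
    (8, "ws-eng-07", "pkg.example.com", 55_000),
]


def build_baseline(flows):
    """Per host: median daily outbound bytes, the MAD of those totals, and known destinations."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes_out
    known = defaultdict(set)                        # host -> destinations seen
    for day, host, dest, size in flows:
        daily[host][day] += size
        known[host].add(dest)
    baseline = {}
    for host, per_day in daily.items():
        totals = list(per_day.values())
        med = median(totals)
        mad = median(abs(t - med) for t in totals)
        baseline[host] = {"median": med, "mad": mad, "destinations": known[host]}
    return baseline


def check_day(flows, baseline, k=3.0, floor_ratio=0.25):
    """Return (host, reason) alerts for a day's flows compared against the baseline.

    A host alerts when its daily total exceeds median + max(k * 1.4826 * MAD, floor_ratio * median).
    The floor keeps a perfectly flat learning window (MAD == 0) from alerting on trivial drift.
    A host also alerts once per destination that never appeared in its learning window.
    """
    totals = defaultdict(int)
    new_dests = defaultdict(set)
    for _day, host, dest, size in flows:
        totals[host] += size
        if host in baseline and dest not in baseline[host]["destinations"]:
            new_dests[host].add(dest)

    alerts = []
    for host, total in totals.items():
        if host not in baseline:
            alerts.append((host, "no baseline for host"))
            continue
        b = baseline[host]
        limit = b["median"] + max(k * 1.4826 * b["mad"], floor_ratio * b["median"])
        if total > limit:
            alerts.append((host, f"volume {total} exceeds limit {limit:.0f}"))
        for dest in sorted(new_dests[host]):
            alerts.append((host, f"new destination {dest}"))
    return alerts


def run():
    """Build the baseline from the learning window and review day 8."""
    return check_day(REVIEW_FLOWS, build_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for host, reason in run():
        print(f"ALERT {host}: {reason}")
```

Run as-is it flags only `ws-finance-01`, once for volume and once for the unknown destination, while `ws-eng-07`'s slightly higher day passes. In a real deployment the interesting design questions are the ones this toy skips: how long a learning window is trustworthy, how to avoid baselining on a period that was already compromised, and what the automated response is when a host trips both rules at once.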

Learn more about how BlackFog protects enterprises from the threats posed by data exfiltration.
