Data exfiltration used to 'encourage' ransom payment

News by Davey Winder

BitPyLock threat actors are now exfiltrating data before the ransomware encryption begins

The BitPyLock ransomware threat is a pretty new one, with the first attacks spotted in December, yet it's already pivoted in terms of target and attack methodology. Individual computers have been kicked to the virtual kerb, with networks replacing them in the attack crosshairs. But that's not all: BitPyLock threat actors are now exfiltrating data before the ransomware encryption begins. So what's driven these changes and should enterprises be concerned?

The MalwareHunterTeam that uncovered the ID Ransomware service first warned users about the BitPyLock ransomware family on Twitter at the start of January.

At that time they warned that BitPyLock victims, all businesses, had been identified from the end of December. Now, within a matter of a few weeks, an attack pivot has been reported.

The MalwareHunterTeam has seen recent versions of the threat adopting a network compromise focus rather than targeting individual workstations as before. The attack methodology, or rather the ransom-extraction method, has also changed: data exfiltration with the threat to sell or publish is now being used as leverage. The latter is, of course, a familiar tactic to anyone who has been following the news regarding Sodinokibi attacks such as the one against Travelex.

SC Media UK has been investigating what is behind the tactical changes and how it impacts enterprise ransomware mitigation best practice.

"This BitPyLock ransomware till now follows the recent trend of criminal groups such as Snatch, REvil and Maze ransomware collectives, leaking the victim data to amplify ransomware threats," says Vitali Kremez, head of SentinelLabs at SentinelOne. These 'leak threats' are being fueled by the increased regulatory and reputational risks faced by organisations, according to Kremez. 

"We assess with high confidence that even more ransomware collectives will adopt the phrasing of "leaking data if not paid" in the future to amplify more pressure on the victim to comply with their extortion demands," he told SC Media UK.

Richard Cassidy, senior director of security strategy at Exabeam, said it is not surprising to see threat actors upping the ante in this way. "Historically, with a well-oiled backup (encrypted) and recovery plan, most organisations could weather a ransomware storm." Now things are different, and the model has changed as soon as the malware has got onto the network. "It's clear the best ROI model in the great cyber-criminal game is increased collateral damage potential," he adds. 

However, this definitely doesn't mean that paying the ransom is a good move. 

This simply "does not give any guarantees that the bad actors will go away," warns Pascal Geenens, a security evangelist at Radware. "They might come back to ask for more ransom at any time now that they have the data." 

Alex Guirakhoo, a strategic intelligence analyst at Digital Shadows, told SC Media UK that the data can generate income in ways other than as leverage for ransom payment. "Stolen data can also be sold on criminal marketplaces and forums, acting as a secondary source of income for ransomware operators should their initial attempt be unsuccessful."

Organisations are now faced with two threats to manage simultaneously. "Tackling this will more often than not require coordination between different internal teams (such as IT, security, and legal)," Guirakhoo says. "Rather than solely focusing on traditional mitigation practices like backups, organisations should also review their incident response plans to ensure they account for and prepare for these types of scenarios."

Jonathan Knudsen, senior security strategist at Synopsys, calls this a new wrinkle in an old story. The best and the only effective mitigation is prevention, he argues. 

"If attackers have successfully deployed ransomware throughout your organisation, then you should consider that your data is irrevocably lost and likely public," warned Knudsen. 

This makes fundamental security processes more important than backups. While companies should not ignore backups, lowering the risk of attack is key, and processes such as keeping systems patched, educating employees, and using strong authentication whenever possible will help, Knudsen explained.

"Discovering and identifying large transmissions of data, understanding the source and detecting it quickly is very important in such cases. The key is to block and eliminate the risk of risky exposure," said Yossi Naar, chief visionary officer and cofounder at Cybereason. 

Felix Rosbach, product manager at comforte AG, told SC Media UK that the adoption of a data centric security approach, combined with a zero-trust architecture that allows organisations to embrace modern technology like hybrid or multi-cloud computing to distribute infrastructure while still being compliant and secure, has to be on the mitigation table as it results in more options for fall back and less risk when it comes to ransomware attacks. 

"In addition, if data is protected at the earliest possible point and de-protected only when absolutely necessary, bad actors might only get hold of a worthless treasure, when stealing files or databases," Rosbach concludes.
