Report Reveals What Data Is Most Prized by Ransomware Attackers


A new report released today by Rapid7 investigates the trend, pioneered by the Maze ransomware group, of double extortion, examining the contents of initial data disclosures intended to coerce victims to pay ransoms.

The report Ransomware Data Disclosure Trends, reveals a story on how ransomware attackers think, what they value, and how they approach applying the most pressure on victims to get them to pay, providing insights on the data threat actors prefer to collect and release.

With access to a network and holding that data for ransom, ransomware is now one of the most pressing and diabolical threats faced by cybersecurity teams.  Causing billions in losses across nearly every industry around the world, it has stopped critical infrastructure like healthcare services in its tracks, putting the lives and livelihoods of many at risk.

In recent years, threat actors have upped the ante by using “double extortion” as a way to inflict maximum pain on an organisation. Through this method, not only are threat actors holding data hostage for money, but they also threaten to release that data (either publicly or for sale on dark web outlets) to extract even more money from companies.

In a first-of-its-kind analysis using proprietary data collection tools to analyse the disclosure layer of double-extortion ransomware attacks, Rapid7 has identified the types of data attackers initially disclose to coerce victims into paying ransoms, determining trends across industry. Australia was positioned eighth in the rankings for distribution of ransomware incidents in the top 12 countries.

The report examined all ransomware data disclosure incidents reported to customers through the company’s threat intelligence platform between April 2020 and February 2022, and also incorporates threat intelligence coverage and institutional knowledge of ransomware threat actors. This analysis determined the following:

  • The most common types of data attackers disclosed in some of the most highly affected industries and how they differ
  • How leaked data differs by threat actor group and target industry
  • The current state of the ransomware market share among threat actors and how that has changed over time

Finance, pharma, and healthcare

Overall, trends in ransomware data disclosures pertaining to double extortion varied lightly, except in a few key verticals: pharmaceuticals, financial services, and healthcare. In general, financial data was leaked most often (63%), followed by customer/patient data (48%).

In the financial services sector, customer data was leaked most of all, rather than financial data from the firms themselves. Some 82% of disclosures linked to the financial services sector were of customer data. Internal company financial data, which was the most exposed data in the overall sample, made up 50% of data disclosures. Employees’ personally identifiable information (PII) and HR data were more prevalent, at 59%.

In the healthcare and pharmaceutical sectors, internal financial data was leaked some 71% of the time, more than any other industry. Customer/patient data also appeared with high frequency, having been released in 58% of disclosures from the combined sectors.

In the pharmaceutical industry the prevalence of threat actors to release intellectual property (IP) files stood out. In the overall sample, just 12% of disclosures included IP files, but in the pharma industry, 43% of all disclosures included IP, which is likely due to the high value placed on research and development within this industry.

The state of ransomware actors

One of the more interesting results of the analysis was a clearer understanding of the state of ransomware threat actors. It’s always critical to know your enemy, and with this analysis, we can pinpoint the evolution of ransomware groups, what data the individual groups value for initial disclosures, and their prevalence in the market.

For instance, between April and December 2020, the now-defunct Maze Ransomware group was responsible for 30%. This “market share” was only slightly lower than that of the next two most prevalent groups combined (REvil/Sodinokibi at 19% and Conti at 14%). However, the demise of Maze in November of 2020 saw many smaller actors stepping in to take its place. Conti and REvil/Sodinokibi swapped places respectively (19% and 15%), barely making up for the shortfall left by Maze. The top five groups in 2021 made up just 56% of all attacks with a variety of smaller, lesser-known groups being responsible for the rest.

Recommendations for security operations

While there is no silver bullet to the ransomware problem, there are silver linings in the form of best practices that can help to protect against ransomware threat actors and minimise the damage, should they strike. This report offers several that are aimed around double extortion, including:

  • Going beyond backing up data and including strong encryption and network segmentation
  • Prioritising certain types of data for extra protection, particularly for those in fields where threat actors seek out that data in particular to put the hammer to those organisations the hardest
  • Understanding that certain industries are going to be targets of certain types of leaks and ensuring that customers, partners, and employees understand the heightened risk of disclosures of those types of data and to be prepared for them

You can read the full report here.