Rising Ransomware Data Breach Points to ‘Weaponization of Data’, Says CrowdStrike


Ransomware attacks last year included a significantly greater emphasis on leaking stolen data as a way to pressure victims into paying ransoms, CrowdStrike said in its 2022 Global Threat Report.

Data breaches related to ransomware increased by 82% in 2021 compared to the previous year, the cyber vendor said in the report, released today.

While other findings in the report also pointed to a worsening ransomware epidemic (the average ransom demand grew 36% to $6.1 million last year), the boom in ransomware-linked data breaches points to a shift in tactics by cybercriminals that businesses all over the world should pay attention to, said Adam Meyers, senior vice president of intelligence at CrowdStrike.

Ultimately, the proliferation of ransomware-related data breaches is an indicator that “weaponizing data” has become a key strategy for cybercriminals, Meyers said in an interview.

“The threat actors have identified that this is a way to increase the pain for the victim and make it a bigger problem for them – which will force them to pay more and faster,” he said.

Take control

Typically, the data breaches occur as part of the negotiation process: if the victim is unwilling to pay the ransom, or if they ask for more time, the attacker will post some of the stolen data on the Internet in order to exert more pressure, said Meyers.

Ultimately, such tactics are all about control, he said.

“You are depriving the victim of the story. You’re taking control away from the victim,” Meyers said. “And that’s very powerful for a threat actor. Because in recent years, it was usually up to them to decide when to notify their customers, their shareholders, and their employees if an organization was breached. And it’s up to them what they want to detail.”

This changes the calculus for a victim about whether or not to pay, he said. While many companies can now restore their data from backup, making them less likely to pay the ransom, the threat of data leakage could change their thinking, Meyers said.

Added complexity

For example, regulatory and compliance issues will often result when sensitive data is released, he said.

“It makes it more complex,” Meyers said. “The moment data leaves your control, things can now get really expensive for you beyond paying ransom.”

Ransomware incidents that led to data breaches last year included attacks on the National Rifle Association, Accenture, and Quanta (although in the latter case, the leaked data actually belonged to Apple, a Quanta partner).

CrowdStrike has also tracked other cyber activities that fall within the realm of “weaponization of data,” including Iranian groups using a ransomware tactic the company calls “lock-and-leak,” CrowdStrike said in its report.

“Lock-and-leak operations are characterized by criminal or hacktivist fronts that use ransomware to encrypt target networks and then leak victim information through actor-controlled personas or entities,” CrowdStrike said. “By using dedicated leak sites, social media and chat platforms, these actors are able to amplify data breaches and perform IO against target countries.”

Zero trust security

By all accounts, the global ransomware problem got much worse last year. For the first three quarters of 2021, for example, SonicWall reported a sharp increase in ransomware attack attempts, up 148% year over year.

But while companies are now well aware that they need to protect themselves against ransomware, the increasing threat of ransomware-related data breaches should change the way companies think about protecting themselves, Meyers said.

First and foremost, companies need to recognize that more is needed than just antivirus and antimalware protection, he said.

To truly prevent attackers from accessing sensitive data, a zero trust security architecture and strong identity verification are critical, Meyers said.

“If you have a human with keyboards who steals data and leaks it to the internet, anti-malware and antivirus won’t necessarily be able to identify and stop that. Zero trust and strong identity management — it will,” he said. “Zero trust and identity are the new things that organizations really need to think about in terms of how they defend their data and defend their business.”

‘Antivirus is dead’

Detection and response technologies that leverage machine learning are another important area for companies to consider in defending against this threat, Meyers said.

“Antivirus is dead. The legacy antivirus products out there – the signature-based antivirus programs – are no longer effective,” he said. “What is needed is [tools] that use machine learning in addition to signatures to identify malicious activity.”

This could be machine learning (ML) for detecting anomalies, Meyers said, or it could be “file-based machine learning — where we look at features of a binary and determine whether it’s good or bad based on those features.”

Deploying ML-powered detection technology like this is “absolute table stakes right now to even think about defending a company,” he said.

Other key security investments companies can make to counter the threat of ransomware-related data breaches include threat detection; tabletop exercises to prepare for possible data leak scenarios; and threat intelligence, Meyers said.

However, if a company had to pick just one area to invest in to address this threat, “I think identity would probably be where I [would invest],” he said. “Because I’ve personally seen a huge difference in results there.”
