Attacks targeting data

07-03-2025

In this short blog post I will look at the two main attacks targeting data: ransomware and data exfiltration. They are closely linked in practice and call for related defensive measures.

Sophos report: "In 32% of incidents where data was encrypted, data was also stolen".

Ransomware and data exfiltration

Ransomware

Ransomware is malicious software that overwrites data with an encrypted version, making the data inaccessible to the organization. The operation is reversible, but only with the key the attacker promises to hand over once the ransom is paid.

The hacker's incentive is most of the time financial gain: money is extorted in exchange for unlocking the data again. Unleashing the malware on an organization's data may also be driven by vandalism, revenge, hacktivism, warfare etc., in which case no option to recover the data is offered at all.

One can never be sure that the data will be released after the ransom is paid, and a ransom demand does not mean the motivation is only money.

Ransomware must have read-write access to the data. Running code from untrusted sources is a common way for it to obtain that access.

Data exfiltration

For data exfiltration the objective is to copy data to a location under hacker control.

The main threat is publication of the data, but other abuse of the data is also a possibility.

The confidentiality of the data is breached, which may expose intellectual property, personally identifiable information (with high impact on the persons concerned), data of a secret or top-secret nature, etc. The parties interested in the data range from the general public to the authorities, including law enforcement, auditors, foreign nations, etc.

Abuse of the data may be a stealthy operation that leaves the organization unaware of the exposure.

The malware only needs read access to the data. A frequent vulnerability granting such access is SQL injection.
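As an added illustration (not code from the original post) of why read access alone is enough for exfiltration, the following Python script builds a constructed in-memory SQLite table, queries it once through a string-concatenated (injectable) query and once through a parameterised one, and then shows that the same connection cannot write. The table, rows, the `customers` name and the use of `PRAGMA query_only` to model a read-only database account are all assumptions made for the example.

```python
import sqlite3


def make_customer_db() -> sqlite3.Connection:
    """Constructed in-memory table with a few sample rows (not data from the post)."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit, no implicit BEGIN
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, ssn) VALUES (?, ?)",
        [("alice@example.com", "123-45-6789"),
         ("bob@example.com", "987-65-4321"),
         ("carol@example.com", "555-55-5555")],
    )
    # Model the application's read-only database account: from here on, writes are refused.
    conn.execute("PRAGMA query_only = ON")
    return conn


def lookup_vulnerable(conn, email):
    # VULNERABLE: the caller's string is pasted into the SQL text and parsed as SQL.
    sql = f"SELECT email, ssn FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    # Parameterised: the value is bound separately and can never change the query's structure.
    return conn.execute("SELECT email, ssn FROM customers WHERE email = ?", (email,)).fetchall()


def write_attempt(conn) -> bool:
    """Return True if a write went through; with the read-only account it must not."""
    try:
        conn.execute("UPDATE customers SET ssn = 'x'")
        return True
    except sqlite3.OperationalError:  # SQLITE_READONLY surfaces as OperationalError
        return False


def demo():
    conn = make_customer_db()
    payload = "nobody@example.com' OR '1'='1"  # classic tautology injection
    return {
        "normal": lookup_vulnerable(conn, "alice@example.com"),
        "injected_vulnerable": lookup_vulnerable(conn, payload),  # dumps every row
        "injected_safe": lookup_safe(conn, payload),              # matches nothing
        "write_succeeded": write_attempt(conn),                   # False: no write needed to steal
    }
```

Running `demo()` shows the point of the paragraph: the injected query returns all three rows even though the connection is read-only, so the attacker has everything needed for exfiltration without ever being able to modify or encrypt anything.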

Both are often money-making breaches

It turns out that, for the common case of monetary objectives, either scenario works for the attacker, and the combination works even better: the chances of getting paid increase. This link was observed in practice, as reported by Sophos in "The State of Ransomware 2024".

Attack phases

Sources of data attacks

The main sources of data attacks are phishing, weak passwords, infected devices, configuration mistakes, application security bugs and the installation of malicious software. These mechanisms allow the first step: a foot in the door.

See also: MITRE ATT&CK TA0001

Dig in, and expand

Once inside, the hacker will try to expand access to the systems, aiming at the data repositories. The steps may include lateral movement and privilege escalation.

See also: MITRE ATT&CK TA0004 and TA0008

Exfiltration or look for ransomware options?

If the access is limited to read-only (RO), only data exfiltration is an option. The hacker will try to find ways to siphon the data out without triggering alarms or leaving traces in logs. HTTP(S) requests and DNS queries provide readily available channels, since both are normally allowed out of the network.

If read-write (RW) access is attained, ransomware becomes an option. This is a more complex undertaking, as speed and scope matter. The hacker tries to overwrite as much data as possible, including backups and archives, both onsite and offsite (in the cloud). Detection of the encryption itself is certain once production data is hit, so starting with the backups and archives, where tampering is less likely to be noticed immediately, may delay detection and increase the effect.

See also: MITRE ATT&CK T1486 and TA0010
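The two preceding paragraphs describe the signals a defender can look for: data siphoned out over DNS, and a process overwriting many files (backups first) with ciphertext. As an added example, not code from the original post, the Python below implements both detections over constructed sample data. The resolver log format, the file-write event tuples, the thresholds, the `/backups/` prefix and the simplification that the registered domain is the last two labels are all assumptions made for the example.

```python
import math
from collections import defaultdict


def shannon_entropy(data) -> float:
    """Bits per symbol of a str or bytes value; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for sym in data:
        counts[sym] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# ---- 1. Exfiltration over DNS: many unique, random-looking labels under one domain ----

# Constructed resolver log ("<timestamp> <client> <queried name>"); sample data, not real traffic.
DNS_LOG = """\
2025-03-07T10:00:01 10.0.0.5 www.example.com
2025-03-07T10:00:02 10.0.0.5 mail.example.com
2025-03-07T10:00:03 10.0.0.5 cdn.example.com
2025-03-07T10:00:04 10.0.0.7 0123456789abcdeffedcba9876543210.files.example-tunnel.test
2025-03-07T10:00:05 10.0.0.7 fedcba98765432100123456789abcdef.files.example-tunnel.test
2025-03-07T10:00:06 10.0.0.7 02468ace13579bdf02468ace13579bdf.files.example-tunnel.test
2025-03-07T10:00:07 10.0.0.7 13579bdf02468ace13579bdf02468ace.files.example-tunnel.test
2025-03-07T10:00:08 10.0.0.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.files.example-tunnel.test
2025-03-07T10:00:09 10.0.0.9 www.example.com
"""


def dns_findings(log_text, min_unique=4, min_entropy=3.0, min_label_len=24):
    """Group queries by (client, registered domain) and flag groups whose leftmost
    labels look like encoded payload: many distinct labels that are long or high-entropy."""
    labels_seen = defaultdict(set)
    for line in log_text.strip().splitlines():
        _ts, client, qname = line.split()
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # bare domain: no subdomain in which to carry data
        # Assumption: the registered domain is the last two labels (no public-suffix list here).
        labels_seen[(client, ".".join(labels[-2:]))].add(labels[0])
    findings = []
    for (client, domain), labels in labels_seen.items():
        if len(labels) < min_unique:
            continue
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        mean_len = sum(len(l) for l in labels) / len(labels)
        if mean_entropy >= min_entropy or mean_len >= min_label_len:
            findings.append({
                "client": client, "domain": domain, "unique_labels": len(labels),
                "mean_entropy": round(mean_entropy, 2),
                "approx_bytes_carried": sum(len(l) for l in labels),
            })
    return findings


# ---- 2. Ransomware: one process rewriting many files with high-entropy content, backups first ----

def _permuted_bytes(step):
    # All 256 byte values in a scrambled order: 8 bits/byte of entropy, like ciphertext.
    return bytes((i * step) % 256 for i in range(256))


# Constructed file-write events (seconds, process, path, new contents); sample data.
WRITE_EVENTS = [
    (0, "backup-agent", "/backups/db-2025-03-06.tar", b"ustar" + b"\x00" * 60 + b"accounts.csv"),
    (1, "WINWORD.EXE", "/home/alice/report.docx", b"PK\x03\x04" + b"Quarterly report " * 4),
    (10, "update.exe", "/backups/db-2025-03-06.tar", _permuted_bytes(1)),
    (11, "update.exe", "/backups/db-2025-03-05.tar", _permuted_bytes(7)),
    (12, "update.exe", "/home/alice/report.docx", _permuted_bytes(13)),
    (13, "update.exe", "/home/alice/notes.txt", _permuted_bytes(11)),
]


def ransomware_findings(events, window_s=60, min_files=3, min_entropy=7.0,
                        backup_prefixes=("/backups/",)):
    """Flag a process that rewrites at least min_files files with near-random content
    within window_s seconds, and note whether it started on the backups."""
    high_entropy_writes = defaultdict(list)  # process -> [(ts, path)] in time order
    for ts, proc, path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) >= min_entropy:
            high_entropy_writes[proc].append((ts, path))
    findings = []
    for proc, hits in high_entropy_writes.items():
        best, start = 0, 0
        for end in range(len(hits)):  # sliding window over the sorted timestamps
            while hits[end][0] - hits[start][0] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_files:
            findings.append({
                "process": proc, "files_in_window": best, "first_path": hits[0][1],
                "backups_first": hits[0][1].startswith(backup_prefixes),
            })
    return findings
```

On the sample data `dns_findings(DNS_LOG)` reports the single client querying five 32-character hexadecimal labels under one domain (roughly 160 bytes carried out), while the ordinary `www`/`mail`/`cdn` lookups stay quiet; `ransomware_findings(WRITE_EVENTS)` reports `update.exe` rewriting four files with ciphertext-like content inside a minute, starting under `/backups/`. Real deployments would tune the thresholds and use a public-suffix list instead of the two-label shortcut.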

How to protect against data attacks

The hope is that the initial entry vectors can be prevented, or at least detected in time. In line with the motto "everything can and will fail eventually", it is wise to also consider how the infection spreads once a hacker is inside. As a last line of defence, controls should be in place to mitigate the risks of exfiltration and data encryption.