Ransomware gangs each have their favourite kind of targeted data, but financial, customer, and patient data are the most common types stolen, according to a new analysis of recent ransomware breaches that involved the theft of victims’ data.
Financial data was the most commonly leaked kind of information, Rapid7’s Ransomware Data Disclosure Trends analysis found, with finance and accounting documents compromised in 63 per cent of the 161 ransomware-related data disclosures analysed.
Customer and patient data was the next most-commonly targeted, with 48 per cent of incidents involving such information.
Significantly, cybercriminals targeting financial services firms were more likely to disclose customer data – which comprised 82 per cent of leaked financial-services data – than financial or other types of data.
Leaks of intellectual property (IP) were “rare in general”, the analysis noted, comprising just 12 per cent of incidents – although it was much more common after breaches of pharmaceutical companies, 43 per cent of which included IP disclosures.
Given that the attacks in the report took place between April 2020 and February 2022, the findings corroborate long-running reports that nation-state backed cybercriminal groups were targeting pharmaceutical companies researching COVID-19 vaccines and treatments.
“Data disclosure became more common during this period,” the analysis notes, “following the Maze ransomware group’s pioneering of the technique.”
The Maze ransomware gang shut down in late 2020, having risen to prominence a year earlier by being the first group to use the tactic of stealing unencrypted files and then publicly releasing them if victims did not pay.
Maze alone accounted for 30 per cent of the 94 incidents reported in the last three quarters of 2020, the analysis found, calling the group’s success “remarkable” and noting that its shutdown was correlated with an immediate decrease in reported incidents.
Maze’s demise “created a vacuum that many less prolific groups tried to fill,” Rapid7 notes, “resulting in more evenly distributed market share.”
Australia was the eighth most-targeted country over the past two years, with hundreds of gigabytes of sensitive data leaked from the likes of Transport for NSW, the South Australian Government, Queensland utility CS Energy, electronics firm Shriro Holdings, healthcare provider UnitingCare Queensland and many others.
Rapid7’s analysis also identified individual gangs’ predilections for particular types of data, with the Russia-linked Conti group leaking financial information in 81 per cent of cases.
By contrast, Cl0p only leaked financial data in 30 per cent of cases – preferring instead to leak employee information, as it did in 70 per cent of cases.
While financial data is readily saleable on dark web forums, employee data – which comprised 59 per cent of stolen data – can be leveraged for follow-on activities including fraud, business email compromise (BEC), and identity theft.
Refining their modus operandi
Data theft is now common as ‘double extortion’ ransomware attacks dominate a climate of increasingly expensive and malicious ransomware attacks in which masses of corporate data can be stolen in minutes.
That intensifying climate – which has become so challenging that it’s driving many security executives to leave the industry – has been driven in part by the fact that companies’ investment in anti-ransomware protections, such as purpose-built backup tools, seems to have worked a bit too well.
“Backups give victims the ability to restore their files without paying ransoms,” the report notes, “but they cannot shield victims from the coercive pressure of the data disclosure layer of double extortion.”
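The report's point is that backups restore files but do nothing about data that has already left, and the article notes that masses of data can be stolen in minutes. From a defender's side that shifts the question to spotting bulk egress while it is happening. As an added example, not from the article, Rapid7 or Tenable, the Python below runs a simple egress-volume spike check over constructed flow records: it buckets each host's outbound bytes into fixed windows, takes the host's own median window as a baseline, and flags windows that are both large in absolute terms and far above that baseline. The log format, host names, addresses and thresholds are all assumptions.

```python
"""Egress-volume spike check over constructed flow records.

Added illustration only (not the article's or any vendor's code).
Record format, hosts, destinations and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample records: "<ISO timestamp> <host> <destination> <bytes_out>"
# ws-fin-01 shows a sudden multi-gigabyte burst to a new destination;
# ws-hr-02 shows only its usual small volumes.
SAMPLE_FLOWS = """
2022-02-01T09:00:00 ws-fin-01 203.0.113.10 120000
2022-02-01T09:05:00 ws-fin-01 203.0.113.10 95000
2022-02-01T09:10:00 ws-fin-01 203.0.113.10 110000
2022-02-01T09:15:00 ws-fin-01 203.0.113.10 100000
2022-02-01T09:20:00 ws-fin-01 198.51.100.7 4800000000
2022-02-01T09:22:00 ws-fin-01 198.51.100.7 5100000000
2022-02-01T09:00:00 ws-hr-02 203.0.113.10 80000
2022-02-01T09:10:00 ws-hr-02 203.0.113.10 90000
2022-02-01T09:20:00 ws-hr-02 203.0.113.10 85000
""".strip()


def parse_flows(text):
    """Parse records into (timestamp, host, destination, bytes_out) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, dest, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), host, dest, int(nbytes)))
    return flows


def _bucket(ts, window):
    """Align a timestamp to the start of its fixed-size window."""
    epoch = datetime(1970, 1, 1)
    secs = int((ts - epoch).total_seconds())
    width = int(window.total_seconds())
    return epoch + timedelta(seconds=secs - secs % width)


def find_exfil_candidates(flows, window=timedelta(minutes=10),
                          ratio=20.0, floor_bytes=1_000_000_000):
    """Return windows where a host's outbound volume is anomalously large.

    A window is flagged when its total is at least `floor_bytes` (assumed
    absolute floor, so tiny baselines cannot trigger on noise) AND more than
    `ratio` times the host's median per-window total.
    """
    totals = defaultdict(int)          # (host, window_start) -> bytes
    dests = defaultdict(set)           # (host, window_start) -> destinations
    for ts, host, dest, nbytes in flows:
        key = (host, _bucket(ts, window))
        totals[key] += nbytes
        dests[key].add(dest)

    per_host = defaultdict(list)
    for (host, start), total in totals.items():
        per_host[host].append((start, total))

    findings = []
    for host, windows in per_host.items():
        baseline = median(total for _, total in windows)
        for start, total in sorted(windows):
            if total >= floor_bytes and total > ratio * baseline:
                findings.append({
                    "host": host,
                    "window_start": start,
                    "bytes": total,
                    "baseline": baseline,
                    "destinations": sorted(dests[(host, start)]),
                })
    return findings


if __name__ == "__main__":
    for f in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{f['host']} {f['window_start']:%H:%M}: {f['bytes']:,} bytes "
              f"(baseline {f['baseline']:,.0f}) -> {', '.join(f['destinations'])}")
```

The per-host median rather than a fleet-wide threshold is the design choice worth keeping: a file server legitimately moves far more than a finance workstation, so comparing each host to itself keeps the check from drowning in noise while still catching a workstation that suddenly pushes gigabytes to an address it has never spoken to.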
Yet stealing data is only one of the ways ransomware gangs are doubling down on a technique that is extracting billions from hapless victims who all too often pay exorbitant sums – frequently, more than once – to make the problem go away.
Many ransomware gangs also add third and fourth layers to their attacks, promising to bring down the business with distributed denial of service (DDoS) attacks and targeting executives with threats of public disclosure of their security vulnerabilities if they don’t pay the ransoms.
A new analysis from Tenable Research found that the ransomware ecosystem is actually striating into a more clearly defined network of Initial Access Brokers (IABs) – who figure out how to use new vulnerabilities to gain access to victims’ systems, then sell those tools to affiliates that run the actual compromises.
Affiliates typically keep more than 70 per cent of the ransom for their efforts, Tenable noted, with “very generous” IABs competing for “vital” affiliates with promises of higher commissions.
“Modern ransomware groups operate like traditional businesses,” the report notes. “Because they partner with others in the ransomware ecosystem, they also market themselves like businesses, vying for the attention of affiliates with bold claims like fastest encryption speeds and self-spreading functionality.”
“Ultimately, the groups themselves are ephemeral… [but] the one thing that’s not impermanent is the vital role IABs and affiliates play in ransomware attacks.”