Emsisoft Blog: Ransomware data exfiltration detection and mitigation strategies


Level 22
Thread author
Top poster
Sep 5, 2017
In November 2019, we reached a sad new milestone in the evolution of ransomware.

The cyber gang behind Maze – the same group responsible for the recent ransomware attack on Pensacola, Florida – followed through on its threats and published the data of its victim, Allied Universal, after the security staffing firm failed to meet the ransom payment deadline.

This is the first time that a ransomware group has stolen and published a significant quantity of its victims’ data. If the strategy proves to be more profitable than traditional encryption-only attacks, it is likely that exfiltration will become an increasingly common precursor to encryption.

In this article, we’ll discuss how data exfiltration works and what organizations can do to protect their data and their client’s sensitive information.

How does data exfiltration work?
Data exfiltration is the term used to describe the unauthorized transfer of data from a computer.

Gaining entry
To exfiltrate data, attackers first need to gain access to the target network. Some of the most common attack vectors include:

  • Phishing: Attackers send carefully crafted emails to a specific organization or person or people within an organization. The attackers may pretend to be someone who is considered “above suspicion” – say, the recipient’s boss, an important client or a highly regarded partner. Attackers use evocative wording to encourage the recipient to open a malicious email attachment or click on a link in the body of the email, which may encourage the user to install malicious software or direct the user to a compromised website that automatically downloads malicious software. The malware may install a backdoor, which allows attackers to steal data directly, or it may enable the installation of additional malware such as keyloggers or rootkits, which could assist with future exfiltration.
  • Hacked Remote Desktop Protocol (RDP): Developed by Microsoft, RDP is a communications protocol that allows users to remotely access and manage a computer over a network connection. Attackers use widely accessible scanning tools to scan the Internet for machines with IP and TCP port ranges that are used by RDP servers (typically port 3389). After identifying a suitable machine, attackers try to gain access to the machine using brute force tools, which attempt to login automatically over and over again using millions of character combinations to guess the machine’s login credentials. Once the tool cracks the login credentials, attackers can do anything within the hacked account’s privilege limits.
  • MSPs and RMMs: Attackers commonly target the remote monitoring and management software used by managed service providers. With a single successful attack on an MSP, attackers can potentially gain access to the MSP’s entire client base, which puts enormous pressure on the victim to pay the ransom.
Once an attacker has gained a foothold on a network, exfiltrating data is a relatively straightforward process.

Exfiltration strategies can vary significantly in terms of scope. Attackers may steal files indiscriminately and process the data later; alternatively, exfiltration may be a careful and selective process in which attackers extract only high-value files.

  • The subtle approach: Depending on the nature of the attack, threat actors may attempt to avoid detection of network monitoring systems by obfuscating the data they are stealing. Given that many data loss prevention systems rely on simple pattern-matching mechanisms to detect exfiltration, even simple encryption techniques can be enough to escape detection. Common covert exfiltration channels include SSL/TLS, as well as protocol tunneling and steganography.
  • The fast and furious approach: Alternatively, attackers may favor speed over subtlety and use high-bandwidth channels to steal files as quickly as possible. FTP, HTTP and HTTPS are the most commonly used exfiltration channels as traffic exfiltrated over these connections is often difficult to distinguish from legitimate traffic. Less commonly, email and instant messaging applications may be used. These channels are easily monitored but also tend to be less restricted than other connections because they are so frequently used for legitimate business activities.
Ransomware exfiltration
We expect exfiltration to become an increasingly common component in ransomware attacks. The exact method used by ransomware groups varies. For instance, the ransomware itself may not need to have exfiltration capabilities. Depending on the method used to gain network access, exfiltration can be as simple as attackers copying and pasting the files over RDP. Alternatively, attackers might run a script that uploads an entire drive to a remote location, or they may be more selective and write a simple application that looks for certain files in specific locations, and uploads them in a ZIP file to a remote server. In the case of the Maze attack, it’s believed that operators exfiltrated data using PowerShell to connect to a remote FTP server, with all affected files being automatically copied to the attackers’ server.

For ransomware groups, data exfiltration is a somewhat risky play. Stealing files takes time, bandwidth and server space. If the target notices something is amiss, they may be able to take steps to interrupt the attack before the threat actors can complete both the exfiltration and the encryption. This takes leverage away from the threat actors and could render the operation – which may have been weeks, months or even years in the making – a total failure.
Data exfiltration mitigation techniques
Preventing the initial point of compromise is favorable, of course, but organizations must operate under the assumption that their perimeter will be breached at some point and plan accordingly.

Given the extremely diverse needs of organizations and the wide range of technical methods used to exfiltrate data, it’s impossible to provide a definitive checklist for securing a company’s network.

  • Content filters: The faster an organization can detect potential exfiltration, the more chance it has of interrupting the attack. Organizations should deploy content filters for outgoing traffic on known exfiltration channels such as email, HTTP and FTP. Certain filters can be configured to control the transfer of sensitive data based on customizable data patterns. When data that fits the data pattern is transferred from the network, the filter flags the event and notifies an administrator. Some filters can be configured to automatically interrupt the transfer. Content filters can be circumvented by obfuscating the transferred data so it doesn’t match any known pattern.
  • Watermarking: Watermarking is an underutilized tool that can be useful for detecting exfiltration and identifying potential infrastructure weaknesses. A digital watermark is a marker that is covertly embedded into a file. The marker contains a signature that can notify a deep packet inspection product in real-time when the file is exfiltrated. Watermarks persist even if the file has been copied and pasted, and are particularly useful for identifying internal leaks in an organization’s data-handling chain.
  • Security Information and Event Management: Security Information and Event Management software can be very useful for collecting event data generated by an organization’s security infrastructure and collating it all into a centralized platform. It combines output from multiple sources and provides IT teams with a holistic view of the network.
Define responses: Many of the exfiltration detection systems mentioned in the previous section are capable of not only identifying suspicious activity but also responding to it. Depending on the situation, responses can be much more sophisticated than simply allowing or denying access. For example, a triggered intrusion detection system (IDS) could replace requested data transfer with decoy data, protecting the real files and giving administrators an opportunity to collect information about the threat.

  • Principle of least privilege: Every organization should enforce the principle of least privilege, which stipulates that every user and application should have only the minimum privileges required to perform its function. Minimizing privileges reduces the volume and value of data that can potentially be stolen if an endpoint is compromised. Forrester Research estimates that 80 percent of security breaches involve privileged credentials.
  • Egress filtering: While many organizations are concerned about external attacks on their network perimeter, relatively few focus on data leaving their network. Egress filtering can be an effective way to restrict outbound traffic. With egress filtering, an outbound connection must meet certain policies set by the administrator before it is allowed. Security-conscious organizations may want to implement a default-deny policy, which blocks all outbound traffic (including email, web browsers, IM and more) unless allowed by policy. Implementing a default-deny policy can be labor-intensive and time-consuming, as there are many types of outbound traffic that a business needs to function, each of which requires its own egress filter policy.
  • Security policy enforcement: Stringent security policies are pointless if they are not observed and enforced. Manual enforcement is not feasible or effective, so organizations should invest in policy enforcement software that ensures users are adhering to security policies. Many solutions enable organizations to define a security policy, verify adherence and, in some scenarios, automatically resolve issues.
As ransomware groups seek to obtain greater leverage over their victims, it’s likely that we’ll see more exfiltration events in the weeks and months ahead. Exfiltration strategies are varied and diverse; for organizations, this means there’s no one-size-fits-all solution to preventing data theft. Identifying suspicious activity on both overt and covert channels, defining and enforcing security policies and investing in systems that can respond intelligently to detected threats may be useful for reducing the risk of data exfiltration.