Ransomware Data Exfiltration

Ransomware: The Data Exfiltration and Double Extortion Trends


Multi-State Information Sharing and Analysis Center’s Cyber Threat Intelligence team (MS-ISAC), believes it is likely that ransomware groups will continue to steal and upload victim data through 2021 as an additional revenue generator and double extortion tactic. Ransomware groups threaten to publish confidential data and press victims to pay the ransom to secure the promise of deleting the data or keeping it confidential. Ransomware groups not only post stolen data publicly but also sell it in dark web marketplaces and cybercriminal forums for extra revenue. Chainalysis data shows that ransomware victims paid nearly $350 million in cryptocurrency to recover their files. One high-profile example is that a public university paid more than $1 million in Bitcoin to retrieve encrypted files and erase the stolen data. [2]

The MS-ISAC CTI Team observed that ransomware groups were increasingly turning to double extortion attempts using stolen data. While maintaining traditional network encryption and ransom, this trend continued into 2020. Ransomware groups continue to infiltrate data during intrusions. This mimics the Maze ransomware group’s tactic of publishing stolen victim information, which was featured in late 2019.

Threat to SLTTs

CTAs are using data exfiltration to leverage State, Local Tribal, Tribal, or Territorial (SLTT), victims. This trend is particularly impactful for organizations that house sensitive information such as K-12 school districts and public healthcare entities. Because of their vital services and concern for children and the sick, these public sector targets are still popular. These organizations feel an internal sense of urgency and public pressure to restart operations quickly. Cyber threat actors (CTAs), however, are taking advantage by paying higher ransom amounts.

  • Healthcare organizations are particularly vulnerable to data theft as they have limited resources for network security. Ransomware groups use phishing to gain access to victim’s networks. CTAs can maintain phishing operations, which are low-risk and high-reward attacks vectors, partly because of the critical work environment in healthcare. CTAs can also leverage vital information and critical care services to force healthcare providers to pay the ransom by ransoming the healthcare sector. CTAs exfiltrated and breached data from a university hospital in September 2020. The folders contained “appointments and archives, notices of claims, agreements and litigation files, employment, labor and credentialing and  physicians, among other things.” [4] Healthcare organizations may be subject to litigation if they fail to secure PHI data in compliance with HIPAA.
  • Ransomware groups are also targeting K-12 schools districts as a popular SLTT target. These institutions have limited IT and cybersecurity resources, and often a flat network structure. Many K-12 school districts were infected by ransomware in 2020. They often had a higher willingness to pay the ransom. Ransomware groups can move laterally through K-12 networks to quickly extract large amounts of data. This is done by a lack of network segmentation. These types of attacks were carried out on school districts of all sizes. Also, CTAs were seen posting data to the dark internet, which could have included financial and medical information as well as disciplinary information about students.

CTAs have the option of using data leak sites to upload portions of data to an organization that is unwilling to pay the ransom. This will increase their leverage and shame the victim. CTAs may also auction or sell data if the ransom is not paid. Ravil is a popular ransomware CTA that targets former ransomware victims who have paid the ransom. CTAs will request additional payments and threaten to post data that they claim was deleted in the initial attack after payment. Rarely, the CTAs may still post data even after the ransom has been paid twice.

Exfiltration Techniques

Ransomware infections are usually started with a simple attack vector such as phishing emails or exploiting the unsecured Remote Desktop Protocol. Cybercriminals then use malware, open-source penetration testing tools, and living-off-the-land techniques to increase privileges and move laterally through the victim’s network. CTAs have greater network access, which allows them to target sensitive data for encryption and exfiltration. Below is an illustration of the typical infection process.

The following methods can be used to exfiltrate data according to the MITRE ATT&CK Framework (please refer to the recommendations section to learn more about best practices resulting from these tactics).

  • Automated Exfiltration (T1020).Traffic duplication is an automated method to exfiltrate data. This is used to speed up the transfer of data from infected systems to servers.
  • Data Transfer Size Limits (T1030). This is used to exfiltrate data in smaller chunks than as a whole. This is commonly used to prevent alerts about network data transfer threshold alerts from being triggered.
  • Exfiltration over Alternative Protocol (T1048) Used as an alternative to exfiltrating data over typical command and control protocols, such as through symmetric, asymmetric, or unencrypted/obfuscated network protocols. CTAs may use this option to send data via an alternate route.
  • Exfiltration Over C2 Channel (T1041): Data exfiltration using an existing command-and-control channel. Most commonly used to encode data using normal communications to minimize outbound connections to avoid detection.
  • Exfiltration over Other Network Medium (T1011)Method used to steal data using network mediums such as Bluetooth or Cellular Data. If other network options are not available or not properly configured to exfiltrate data without fear of detection, this method is used.
  • Exfiltration over Physical Medium (T1052)Physical means for exfiltrating data such as USB. Most commonly used to access unconnected systems or as the final exfiltration point.
  • Exfiltration over Web Service (T1567)To exfiltrate data, use a legitimate website service. This reduces the chance of suspicious network detections.
  • Scheduled Transfer (T1029)This is used to exfiltrate data at certain times or intervals. Combining data transfer traffic with normal activity is the most common use to avoid detection.
  • Transfer Data to Cloud AccountExfiltrated data is moved from one cloud environment into another, often to avoid network-based exfiltration detections.

Ransomware variants using exfiltration

Posting data on leak sites: Abaddon, Ako, Clop, Conti, Darkside, DoppelPaymer, Egregor, Everest, Lock bit*, Light*, Maze, Mespinoza, MountLocker, Nefilim, Nemty*, Netwalker, Pay2Key, Ragnarok, RagnarLocker, RansomeEXX, Ravil, Sekhmet*, Snatch*, Suncrypt [5,6,7,8,9,10,11]

Posting/Publicizing Data Loss in Underground Forums Avaddon, Ako, Darkside, Egregor, Kupidon, Maze, Nemty, Ravil, Sekhmet, Suncrypt [5,6,9,10]

Twitter: Publicizing Data Leaks DoppelPaymer, Maze, RagnarLocker*, Snatch* [5,7,8]

Selling/Auctioning data: DoppelPaymer, Maze, Ravil [5,8]

* is a site that is currently inactive or Twitter Handle


MS-ISAC doesn’t encourage ransom payments by victims, even though it incentivizes criminal behavior. However, MS-ISAC recognizes that sometimes this is the only option. Ransomware attacks can cause data exfiltration to occur before the ransom note is sent. MS-ISAC recommends proper data management and behavioral analytics to track data access. Access controls should be implemented, with special attention to sensitive or critical data. The MS-ISAC recommends mapping and classifying the data, correctly classifying it, and encrypting sensitive data in transit and at rest.

The MS-ISAC encourages SLTTs, in general, to develop a defense-in-depth strategy that can combat all forms of malicious cyber activity. There is no one-size-fits-all solution. The CIS Controls should be followed by organizations. They should also review the MS-ISAC services and leverage the CIS Benchmarks. In addition, the MS-ISAC urges SLTTs to reference the dual seal CISA/MS-ISAC Ransomware Guide.


  • Regular testing of restoral procedures and maintaining offline encrypted backups.

Incident Response & Communications Plan

  • Maintain, update, and maintain a basic cyber-incident response plan, as well as a communications plan, which includes notification and response procedures.

Data Sprawl

  • Track and identify different types of data in systems. Identify all locations that contain sensitive data or other intellectual property and identify who has access to them. After completing the list, create strong access control policies.

Network Segmentation

  • You can use logical or physical network segments to separate different business units and departments.

Protect Yourself from Infection Vectors

  • Malicious emails
  • Implement email filtering.
  • Regular pieces of training for end-user awareness on how to respond to suspicious email messages should be conducted.
  • Domain-based Message Authentication, Reporting, and Conformance policy and verification. DMARC is a new reporting function that adds to the widely-used Sender Policy Framework, Domain Keys Identified Mail protocols.
  • Remote Access and Internet-Facing Vulnerabilities
  • Regular vulnerability scanning
  • Patch and update operating systems and software regularly.
  • Secure RDP and other remote desktop services.
  • Managed Service Providers, (MSPs),

Logging and Detection

  • Make sure antimalware software is up-to-date. Automated updates are enabled for these defenses.
  • You might consider installing an intrusion detection (IDS) system. To enhance defense-in-depth strategy, the MS-ISAC encourages SLTT organizations to consider purchasing and deploying an Albert IDS. Learn more about Albert.
  • You might also consider other detection defenses such as an intrusion prevention system (IPS), or an Endpoint Detection and Response solution (EDR).
  • MS-ISAC is currently conducting an EDR pilot to support SLTT organizations. For more information, please email info@msisac.org.CISA, and the Center for Internet Security, (CIS), has teamed up with Akamai to offer Malicious Domain Blocking and Reporting services (MDBR) at no cost to MS-ISAC and EI-ISAC members. To sign up for MDBR
  • To determine patterns in the network activity, analyze and baseline the network activity over several months. It is crucial to distinguish normal activity from abnormal network activity to detect malicious network activity.

MITRE Tactic-Specific Recommendations

Automated Exfiltration (T1020).

  • Kerberos is a good example of best practices in authentication protocols. Protect Countermeasure
  • SSL/TLS can be used to protect web traffic that may contain credentials. Protect Countermeasure
  • Verify that all wireless and wired traffic is properly encrypted. Protect Countermeasure

Limits on data transfer size (T1030).

  • To block malicious network traffic from reaching an organization’s network borders, deploy network-based Intrusion Prevention Systems. Protect Countermeasure

Exfiltration over Alternative Protocol (T1048)

  • Administrators should use a dedicated machine to perform administrative tasks and tasks that require administrative access. It should not be used to read e-mails, compose documents, or browse the internet. Protective Countermeasure
  • For personal and untrusted devices, create a separate wireless network. This network should be considered untrusted, and access by enterprise users should be filtered and audited accordingly. To block malicious network traffic from reaching an organization’s network borders, deploy network-based Intrusion Prevention Systems. Protect Countermeasure
  • Before you analyze the content, decrypt all encrypted traffic from the boundary proxy. The organization might use allow-lists to identify sites that can be accessed via the proxy without decrypting traffic. (Detect Countermeasure).
  • To ensure only authorized protocols can cross the network boundary at each organization’s network borders, deny communication to unauthorized TCP/UDP ports or application traffic.

Exfiltration Over C2 Channel (T1041)

  • To block malicious network traffic from reaching an organization’s network borders, deploy network-based Intrusion Prevention Systems. Protect Countermeasure