
The True Consequences of Ransomware Infection

July 21, 2023

Ransomware works by encrypting key files and databases, preventing organizations from accessing them — but lost data is not the only potential result of a ransomware infection.

Many ransomware groups are now selling stolen data online using the dark web and messaging groups composed of other bad actors. For enterprises, the impact of a data breach is potentially much more significant than simple data loss.

Losing personally identifiable information (PII) about customers and employees can create a public relations nightmare. Bad actors could also use stolen data to refine their techniques, heightening the potential impact of future attacks.

On July 21, 2023, the city of Dallas, Texas announced that a recent ransomware attack compromised information stored by the city’s human resources department. That data probably included sensitive info about employees. 

“Our investigation remains ongoing, but at this time we’ve learned that some information maintained by the city of Dallas, including some benefits-related information maintained by the city’s human resources department, was accessed by the unauthorized third party responsible for this ransomware incident,” said city manager T.C. Broadnax.

For bad actors, a quick payment isn’t enough.

Many ransomware victims refuse to pay ransoms, which is generally a good call. In many cases, paying a ransom may be illegal, and under typical circumstances, payments must be disclosed to authorities.

By collecting and selling stolen data, ransomware groups can profit from every infection, regardless of the outcome. In a high-profile attack, the stolen data may be worth much more than a paltry payment — and the data can be sold and resold to other groups for data harvesting.

It’s important to note that some ransomware variants have no mechanism for transferring stolen data outside of the victim’s systems. However, as ransomware continues to become more sophisticated, we anticipate that more groups will focus on harvesting, rather than on extortion.

Ransomware recovery strategies should include detailed assessments of lost data

Ransomware recovery is a delicate process, and it’s important to consult with experts as soon as an infection is identified. Some key tips to keep in mind:

  • The infected systems must be isolated as soon as possible. 
  • Some ransomware variants hibernate for days or weeks before activation in order to compromise backups and archives. Do not attempt to restore system operation unless your backups have been thoroughly evaluated. 
  • Some ransomware variants use outdated encryption, and data recovery may be possible. However, the decryption tools supplied by ransomware groups are often faulty, and paying a ransom does not guarantee data recovery.
  • Work with data security professionals to identify the vector of attack. If the attack vector isn’t resolved, future attacks are likely.
  • Datarecovery.com and other cybersecurity services can monitor the dark web for signs of stolen data, which can help enterprises mitigate the impact of an attack.

Our ransomware recovery services focus on treating all of the consequences of infection. By analyzing infected systems, security controls, and the unique features of each malware variant, we help our clients develop long-term, self-sustainable strategies for disaster recovery.

To learn more, call 1-800-237-4200 to speak with a ransomware expert or submit a case online.