- 30% of ransomware attacks in Q2 of this year included threats to release data.
- 22% of ransomware attacks in Q2 involved confirmed data exfiltration—up from 8.7% in Q1.
Before we go further, let’s define a few terms. You probably know what ransomware is. If not, check here and here. But what is “data exfiltration”? It’s a fancy way (think, “opposite of infiltration”) of saying that before the bad actors encrypted your data, they stole some (or all) of it. So, you have some shady character telling you that you must pay up, or they’ll release the stolen data. Depending on what they took, this could be embarrassing or even cause substantial harm to the business. This is why you have to act against ransomware, even more than before.
Why would ransomware gangs steal your data? Leverage. Don’t want to pay to get your data back? Imagine being told, “That’s some nice, sensitive information you got there. Would be a shame to see it released to the newspapers. Or your competitors.”
And we have a recent example of just this kind of attack: Blackbaud. The company in its blog post said that it had paid the ransom in exchange for the ransomware actor’s promise that they would delete the stolen information. Some were not entirely comforted.
Act on Ransomware to Avoid These Headaches
Finding out that all your files are encrypted is bad. Finding out that some or all of your data has been stolen is worse. Way worse. Here’s why.
- If you believe your data has been “exfiltrated” you are probably required to report this as a data breach to the authorities. The requirements will differ in different jurisdictions, but you likely will have to let someone know. For instance, in California you would have to notify the State Attorney General.
- If it’s possible that user information (name, email address, password, other personally identifiable information) has been breached, you may well have to notify every user. And you may well need to provide a year’s worth of identity protection service to each user. For free. Bye bye, budget!
- You may need to confront the fact that you don’t know what potentially damaging information the ransomware actor has. Maybe it’s no big deal. Maybe it’s a very big deal.
Here’s What You Can Do to Get Ahead of the Game
You want to have a plan to act on ransomware. You want to anticipate the potential problems and mitigate their impact. That’s a much better position to be in than having to react to a ransomware and data exfiltration event after the fact. Let’s look at the actions you want to take as you act against ransomware.
Get Thee a Backup and Restore Solution
First, and most obvious, you want to act against ransomware by putting a backup and restore solution in place. You want your backed-up data repository unreachable from your network; otherwise, your backup may get encrypted as well. You want to test the restoration process. Regularly.
There are lots of backup and restore programs and services out there. We can recommend one if you like. Or we can do that for you.
Conduct an Information Risk Assessment to Make Decisions About Moving Information
You’ve beaten back the ransomware gang with your backup and restore solution. Now you must deal with the “and data exfiltration” part as you act against ransomware.
You need to conduct an information risk assessment. Think of this activity as an audit of your organization’s information.
- What information do we have that could be considered damaging if released into the wild?
- Where is that information stored? (Often it will be stored in multiple places).
- How secure is the place/are the places where this information is stored?
I’ve written about risk assessment before.
The information risk assessment is going to help you decide what information you want to move to a safer repository, in what order. You act against ransomware by reducing the risk that damaging information can get exfiltrated.
Use Information Rights Management to Shield Potentially Damaging Information
Yes, you should remove potentially damaging information if you can. Ransomware people can’t steal damaging information that isn’t there. But, given that you can’t remove all the potentially damaging information, act against ransomware by controlling what can be done with that data.
Information Rights Management is a process where you assign a level of security to your files, then define policies that control what can be done with a class of files based on its security level. I’ve written about this before as well. Here’s how it works.
- You define some security levels. Let’s say you define “Confidential” for stuff that would harm or embarrass the organization if released. Some examples here include financial data or personnel records. You define the “Sensitive” security level for information that should stay within the organization but wouldn’t be that harmful if it were released. An example here could be a process document. You define the security level “Public” for everything else. This is stuff you intend to release to the public.
- Now, you define a security policy for each security level. Confidential files cannot be forwarded or printed. Sensitive files can be shared outside the company, but only with a password and a sharing expiration date. Pubic files have no restrictions.
When you act against ransomware by executing an Information Rights Management program, you provide an extra layer of security. Even if a Confidential file is stolen, it can’t be printed or sent to anyone.
Once You’ve Taken These Steps, You Can Call Ransomware’s Bluff
This might sound like a daunting list of actions. Really, it’s not as hard as it might seem. Finding out what’s stored where will take some time, but search tools will help with this. Labeling your documents (as I described here) can be sped up by labeling folders and using inheritance to label the files. Plus, this is all work you can outsource to your IT partner.
Take these steps to act against ransomware and data exfiltration. You’ll feel better afterwards. Now go. Do. Ask for help if it will simplify your life.