Skip to Content

Do Ransomware Attacks Steal Data?

When it comes to a ransomware attack, there are many different things organizations need to prepare for.  Unfortunately it is one of those things where we never quite know how an attack will unfold before it happens.

The best thing we can do is stay educated on the ransomware attacks out there, and use the lessons learned to better protect our environments.

Let’s take a closer look at some common aspects of a ransomware attack.

Do Ransomware Attacks Steal Data?

Ransomware attacks can steal data, this is called exfiltration.  What happens is the malicious actors in your environment target sensitive data to take before they encrypt your environment.

In some cases, they may simply take data without even bothering with encrypting things.

Remember, at the end of the day, ransomware is about getting you to pay.  When we talk about the threat of Ransomware as a Service (RaaS), the malicious actors are often given detailed playbooks by the ransomware groups.

These playbooks tell them exactly what to target and look for in the environment, so they can take the data you are most likely to pay for.

The next aspect of exfiltration is of course extortion.  This is when the malicious actors tell you they have your data, and demand a ransom payment so they do not leak it.

They may even show you samples of your data to prove they have the things you want to protect at all costs.

Another trend is for these malicious actors to target data about your customers and suppliers and those you do business with, and then attack them next.

Encryption, Exfiltration, and Extortion

There are lots of E words in play when we talk about ransomware, so let’s take a moment to break things down.

Encryption is one of the most common forms of a ransomware attack.  The malicious actors encrypt your data, and demand you pay a ransom for the decryption key.

This can easily be thwarted by simply recovering your environment from backups.  You may wonder why I call it simple, but the truth is recovery from encryption can be simple, as long as you put in the work up front to protect your assets.  Remember, ransomware is a disaster!

Next comes exfiltration.  This is when the bad actors find data in your environment and remove it.  In this case they aren’t going for cat pictures and MP3 files, they are looking for sensitive data so they can get you to pay the ransom.

To detect exfiltration, you must be monitoring many aspects of your environment. Additional protection should be put into place for your most sensitive data so it cannot be stolen.  

Finally comes extortion.  This is when they try to make you pay.  If you haven’t taken the time to protect your environment from both encryption and exfiltration, you are going to be in a tough spot.

Ransomware attacks can be based on encryption, exfiltration, or even both.  Extortion happens in every ransomware attack.

What’s the Difference Between Data Breaches and Ransomware Attacks?

The difference between data breeches and ransomware attacks comes down to what type of ransomware attack it is.  If a ransomware attack has an exfiltration component to it, then it is also classified as a data breech.

If the ransomware attack only encrypts your files, then it may not be classified as a data breech.  The trouble here is if you cannot tell what exactly the malicious actors did inside your environment.  They may have taken data, but are not advertising it.

In this case, you still may want to treat a ransomware attack as a data breech.

The truth is that yes, ransomware attacks can steal data, and they can also encrypt it.  In any case, the time is now to prepare your environment for attack.  It isn’t a matter of if someone gains entry to your network, it is when.

RaaS groups provide extensive training to their affiliates to show then exactly what they need to do in your environment to make you play.  Remember, this is the end game, you paying the ransom.

You may face encryption, exfiltration, or even both during an attack.  Unfortunately we don’t know how things will unfold until they happen, which is why it is so important now to start preparing.

Have you heard of multiplatform ransomware? Ransomware targeting Windows, Linux and ESXi?

Don’t miss my top 10 ransomware defense tips!