How Double-Extortion Attacks Vary By Victims' Sector
Researcher Erick Galinkin Discusses Latest Ransomware Data Theft Trends
Ransomware attackers executing double-extortion schemes very carefully choose which data to steal and leak based on victims' economic sector, says Erick Galinkin, artificial intelligence researcher at security firm Rapid7.
Extortionist gangs "are leaking data in a very targeted way that shows they are considering what they are choosing to release in the first [round] of disclosure," he says in an interview with Information Security Media Group discussing findings of a recent study examining ransomware double-extortion attacks.
Galinkin and his team inspected samples of about 160 initial leaks of data stolen between April 2020 and February 2022, including data from companies in the healthcare and pharmaceutical industries.
Those sample data disclosures were bait to prod victim organizations into paying a ransom to prevent the cybercriminals from releasing their full troves of stolen data.
Pharmaceutical companies had the highest proportion of intellectual property leaked. The healthcare sector had no intellectual property maliciously disclosed, but a great deal of financial data, such as insurance documents and patient information.
"Healthcare data is highly regulated. And leaking this data essentially forces the hand of that healthcare provider to follow HIPAA procedures and notify their customers - who are now also victims - that their data has been compromised," Galinkin says.
Data leaks involving pharmaceutical companies also contained a lot of financial information but were seasoned with proprietary records, such as patents and information about drugs in testing and development.
"These were core properties … and they were leaked more for pharmaceuticals than for any other industry."
In the interview, Galinkin also discusses:
- Other types of information that commonly show up on data leak sites;
- The most prolific ransomware groups;
- How ransomware trends are morphing.
Galinkin is a hacker and artificial intelligence researcher who focuses on applying AI to security and applying security to AI. His experience spans the spectrum of information security, including threat intelligence, vulnerability discovery, data science and malware analysis. As part of Rapid7's OCTO team, he conducts research and informs policy on the cybersecurity implications of artificial intelligence.