In 2019, a new type of ransomware attack began to appear called leakware. A leakware attack differs from a standard ransomware attack in that encrypting the victim’s data is almost a secondary concern. The primary lever of extortion in leakware is to threaten to release the target’s confidential data, or that of its clients and partners.
How does leakware work?
Leakware is a new twist on a form of ransomware called “doxware” that was briefly popular in 2016-17. Doxware was targeted at individual consumers. The operator of the program would threaten to release embarrassing information about the victim unless a ransom was paid. One reason doxware never took off is that it required the attackers to maintain storage repositories to keep copies of “embarrassing” data. Because attackers had difficulty distinguishing between photos a target would pay to suppress and photos the target didn’t care about, the strategy was high-cost and low-return.
However, from 2017-19 the landscape for ransomware changed significantly. Tools and expertise became available to the teams conducting attacks that allowed them to take control of compromised workstations within an organization and move “laterally,” exploiting the credentials and resources they discovered to gain access to cloud-based platforms, data centers, and other high-value information. Instead of looking for quick results as these groups had done in the past – launching attacks against whatever data was immediately accessible – they began to hold off announcing their presence until they had secured a trove of data the victim would be willing to bargain for.
Who is the target?
The need for high-value data to use as extortion leverage is why the most frequent targets of leakware are organizations known to keep confidential data on behalf of their customers: hospitals, financial services firms, and law firms. Once the data has been exfiltrated, the attackers contact the clients, patients, and vendors of the target to encourage them to pressure the target to pay. One group took out Facebook ads.
A ransomware team known as Cl0p has adopted the novel tactic of leaking the private communications of the executives and managers at their targets, reasoning that this personal approach is likely to sway the people responsible for approving payment of the ransom in a way that leaking customer data wouldn’t.
How can businesses prevent a leakware attack?
Functionally, leakware attacks are like other forms of industrial espionage. Because the extortion lever is disclosure rather than encryption, good backups do not neutralize the threat the way they do for classic ransomware; the data has to be kept from leaving in the first place. The most popular method of initial compromise is a phishing email. If the email succeeds in compromising a user account or workstation, the attacker will spend a significant amount of time probing the network and trying to compromise more resources before staging and exfiltrating data. This pattern is leakware’s weak spot:
- Strong email security can prevent the first infection. Businesses should deploy the most sophisticated email filtering and analysis platforms they can afford. Machine learning, and the ability to remove malware after it has passed through the gateway, are critical. A regular training program that primes employees to detect unusual email patterns is also important. Many small businesses lack the resources to deploy and configure these sophisticated platforms.
- Endpoint detection and response (EDR) can prevent the infection from spreading. Many leakware packages have only rudimentary countermeasures against anti-malware and EDR agents, and the activity pattern of a leakware attacker probing for valuable information (touching many shares and directories, building large archives, pushing large transfers to outside addresses) is recognizable to EDR software. But this requires a security team that actively tunes and maintains its EDR deployment. Security personnel also must either actively monitor EDR alerts or configure a SOAR platform to respond automatically.
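The staging pattern the list above relies on (discovery across many directories, then a large archive, then a large outbound transfer) can be expressed as a simple correlation rule. The following is an added example written for this page; it is not code from Net Friends, from any EDR product, or from any leakware toolkit. The event schema, the thresholds, and the sample telemetry are all assumptions constructed for the illustration and would need to be mapped onto real endpoint and network logs and tuned to an environment's baseline.

```python
"""
Toy correlation rule for the leakware staging pattern:
  discovery  - one account reads files in many distinct directories in a short window
  staging    - the same account writes a large archive
  exfil      - the same host sends a large transfer to an external address
Event schema and thresholds are assumptions for this example, not any product's format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str      # "file_read", "file_write" or "net_out"
    target: str    # file path (forward slashes) or remote address for net_out
    size: int = 0  # bytes written or sent


# Thresholds (assumed values; tune against the environment's normal behaviour).
WINDOW = timedelta(minutes=30)
DISCOVERY_MIN_DIRS = 25
ARCHIVE_EXTS = (".zip", ".7z", ".rar")
ARCHIVE_MIN_BYTES = 200 * 1024 * 1024
EXFIL_MIN_BYTES = 200 * 1024 * 1024
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")  # RFC 1918 ranges, simplified


def dir_of(path):
    return path.rsplit("/", 1)[0] if "/" in path else path


def is_external(addr):
    return not addr.startswith(INTERNAL_PREFIXES)


def stages_for(events):
    """Return {(host, user): [(stage_name, first_seen), ...]} for each account."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_key[(ev.host, ev.user)].append(ev)

    result = {}
    for key, evs in by_key.items():
        stages = []
        # Discovery: enough distinct directories read inside any WINDOW-long span.
        reads = [e for e in evs if e.kind == "file_read"]
        for i, first in enumerate(reads):
            dirs = {dir_of(e.target) for e in reads[i:] if e.ts - first.ts <= WINDOW}
            if len(dirs) >= DISCOVERY_MIN_DIRS:
                stages.append(("discovery", first.ts))
                break
        # Staging: a large archive written by the account.
        for e in evs:
            if (e.kind == "file_write" and e.target.lower().endswith(ARCHIVE_EXTS)
                    and e.size >= ARCHIVE_MIN_BYTES):
                stages.append(("staging", e.ts))
                break
        # Exfiltration: a large transfer to a non-internal address.
        for e in evs:
            if e.kind == "net_out" and is_external(e.target) and e.size >= EXFIL_MIN_BYTES:
                stages.append(("exfil", e.ts))
                break
        result[key] = stages
    return result


def alerts(events):
    """Accounts that show all three stages in chronological order."""
    hits = []
    for key, stages in stages_for(events).items():
        names = [s for s, _ in stages]
        times = [t for _, t in stages]
        if names == ["discovery", "staging", "exfil"] and times == sorted(times):
            hits.append(key)
    return hits


def sample_events():
    """Constructed telemetry for the example; not real logs."""
    t0 = datetime(2024, 1, 15, 9, 0)
    evs = []
    # Attacker: walks 30 departmental shares, builds an archive, pushes it out.
    for i in range(30):
        evs.append(Event(t0 + timedelta(seconds=20 * i), "WS-042", "jdoe", "file_read",
                         f"//fileserver/dept{i:02d}/contracts/client_list.xlsx", 4096))
    evs.append(Event(t0 + timedelta(minutes=25), "WS-042", "jdoe", "file_write",
                     "C:/Users/jdoe/AppData/Local/Temp/export.7z", 500 * 1024 * 1024))
    evs.append(Event(t0 + timedelta(minutes=40), "WS-042", "jdoe", "net_out",
                     "203.0.113.10", 480 * 1024 * 1024))
    # Nightly backup: big archive and big transfer, but internal destination, no discovery.
    evs.append(Event(t0 + timedelta(hours=14), "WS-007", "svc_backup", "file_write",
                     "D:/backup/ws007-2024-01-15.zip", 900 * 1024 * 1024))
    evs.append(Event(t0 + timedelta(hours=14, minutes=5), "WS-007", "svc_backup", "net_out",
                     "10.0.5.20", 900 * 1024 * 1024))
    # Developer grepping a large tree: looks like discovery, nothing follows it.
    for i in range(40):
        evs.append(Event(t0 + timedelta(seconds=5 * i), "WS-011", "bjones", "file_read",
                         f"C:/src/repo/module{i:02d}/main.c", 2048))
    return evs


if __name__ == "__main__":
    for host, user in alerts(sample_events()):
        print(f"ALERT: leakware staging pattern on {host} by {user}")
```

Requiring the three stages in order is what keeps the backup job and the developer from firing: each trips one stage on its own, and a per-stage alert would drown an analyst in exactly the noise that leads to EDR consoles being ignored. In a real deployment the stage boundaries are the useful response points; isolating the host at the staging stage is what prevents the extortion lever from ever existing.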
What’s the next step?
If you suspect your business may be targeted by leakware attackers, Net Friends can help you put the necessary systems in place to prevent a successful attack. We have extensive experience deploying email security tools like Avanan Complete and EDR tools like Cortex XDR. Our Security Operations Center is ready to respond to patterns of suspicious activity by rapidly isolating the source of any infection and tracing it to reveal which assets may have been compromised.
Contact us today to ask about our Managed Detection & Response services. We’re happy to show how we can augment your IT security posture.