Search This Blog

Showing posts with label Data Exfiltration. Show all posts

Data Theft: Employees Steal Company Data After Getting Fired

Employees taking personal data with them

Around 47 Million Americans left their jobs in 2021, and some took away personal information with them.

The conclusion comes from the latest report by Cyberhaven Inc, a data detection and response firm. It studied 3,72,000 cases of data extraction, and unauthorized transferring of critical info among systems- it involves 1.4 over a six-month period. Cyberhaven Inc found that 9.% of employees took data during that time frame. 

Over 40% of the compromised data was customer or client details, 13.8% related to source code, and 8% was regulated by personally identifiable information. The top 1% of guilty actors are accountable for around 8% of cases and the top 10% of guilty parties are responsible for 35% of cases. 

Reason for data extraction

As expected, the prime time for data extraction was between notice submissions by employees and their last day at work. Cyberhaven calculated around a 38% rise in cases during the post-notice period and an 83% rise in two weeks prior to an employee's resignation. The Cases bounced to 109% on the day the employees were fired from the company. 

Cyberhaven Inc blog says:

"While external threats capture headlines, our report proves that internal leaks are rampant – costing millions (sometimes billions) in IP loss and reputational damage. High-profile recent examples include Twitter, TikTok, and Facebook, but for the most part, this trend has flown under the radar."

The scale of the incident

If you look at the threat on a per-person basis, the risk is not significant, however, it intensifies with scale. Companies experience a mere average of 0.045% data extraction cases/per employee every month, however, it piles up to 45 monthly events at 1,000-employee organizations. 

A general way an employee usually takes out information is through cloud storage accounts, these were used in 27.5% of cases, then 19% belonging to personal webmail, with 14.4% incidents having corporate email messages sent to personal accounts. Removable storage drives amount to one in seven cases. 

Most incidents caused due to accident

Howard Ting (Chief Executive) warned not to jump to any conclusions, thinking many employees are criminals. He believes that the first and foremost cause of data exfiltration is an accident, one shouldn't assume every user is guilty. He said that users are generally unaware they aren't able to upload critical info on drives. 

Most organizations fail to clearly mention policies regarding data ownership. People in sales may believe they can keep account details they have, and developers may keep their code as a personal achievement. Organization mails having internal contact details are casually forwarded to personal accounts without ill intent and critical information can be stored in local hard drives, just a few clicks away. Cyberhaven inc comments:

"Our data suggests employees often sense their impending dismissal and decide to collect sensitive company data for themselves, while others quickly siphon away data before their access is turned off."

Newly Discovered Royal Ransomware is Targeting Organizations with Multi-Million Dollar Assaults


A new ransomware operation dubbed “Royal” is targeting organizations with ransom demands ranging from $250.000 to over $2 million. 

A new report from BleepingComputer in collaboration AdvIntel researchers has investigated the group’s encryptor and its methodology. The ransomware group was first identified in January 2022 and includes vetted and experienced hackers from past operations. 

Interestingly, it does not operate as a Ransomware-as-a-Service (RaaS), but instead as a private group without partners or affiliates. At first, the group employed the encryptors of other ransomware operations, such as the BlackCat example, before utilizing its own encryptors, the first being Zeon, an encryptor that designs ransom notes identical to Conti’s. 

Royal modus operandi 

Based on the observations gathered by threat analysts, this month, the Royal ransomware used a new encryptor and its name in ransom notes to represent itself accurately. The security experts have also identified that the hacking group is working underground and has not employed a data leak site to disclose their activities. 

The malicious campaign is employing a technique called “callback phishing,” wherein the Royal hackers mimic software vendors and food delivery platforms in emails, pretending to be an offer to renew a subscription. 

When victims call the number, the ransomware operators employ social engineering to lure them into installing remote access software, thus acquiring access to the corporate network. Subsequently, the hackers execute multiple attack procedures, eventually leading to the encryption of the exploited devices. They employ Cobalt Strike to spread out across the network, collect credentials, steal data, and finally encrypt machines. 

The targeted individuals would then discover a ransom note, named README.TXT, containing a Tor link to engage in negotiations with malicious hackers. The ransomware operators will offer their demand, with ransom amounts ranging from $250.000 to over $2 million. To prove that they have the firm’s data, Royal will decrypt a few files and share lists of the siphoned data. 

It remains unclear how successful the operation is because at the time of writing there are no reports of any victims actually paying for the decryption key. The researchers have strongly recommended network, windows, and security admins to keep an eye on the activities of this group, as they are ramping up their operations and will likely surge to become a significant business-targeting ransomware operation.

Night Sky: New Ransomware Targeting Corporate Networks


The new year has brought with it new ransomware named 'Night Sky,' which targets corporate networks and steals data in double-extortion attacks. 

The Night Sky operation began on December 27th, according to MalwareHunterTeam, which was the first to identify the new ransomware. The ransomware has since published the data of two victims. 

One of the victims got an initial ransom demand of $800,000 in exchange for a decryptor and the promise that the stolen material would not be made public. 

How Night Sky encrypts devices

A sample of the Night Sky ransomware seen by BleepingComputer has a personalised ransom note and hardcoded login credentials to access the victim's negotiation page. 

When the ransomware is activated, it encrypts all files except those with the.dll or.exe file extensions. The ransomware will not encrypt the following files or folders: 
Tor Browser
Internet Explorer
Opera Software
Mozilla Firefox
All Users
Program Files
Program Files (x86)

Night Sky appends the.nightsky extension to encrypted file names while encrypting them. A ransom letter named NightSkyReadMe.hta is included in each folder, and it provides details about what was stolen, contact emails, and hardcoded passwords to the victim's negotiation page. 

Instead of communicating with victims through a Tor site, Night Sky employs email addresses and a transparent website that runs Rocket.Chat. The credentials are used to access the Rocket.Chat URL specified in the ransom note. 

Double extortion tactic: 

Before encrypting devices on the network, ransomware operations frequently grab unencrypted data from victims. Threat actors then utilize the stolen data in a "double-extortion" scheme, threatening to leak the information unless a ransom is paid. 

Night Sky built a Tor data leak site to leak the data of victims, which now contains two victims, one from Bangladesh and the other from Japan. While there hasn't been much activity with the new Night Sky ransomware operation, one should keep a watch on it as we enter the new year.