Extortionware is the New Ransomware

You'll hear the term ransomware thrown around probably until the heat death of the universe. However, attackers aren't so much ransoming victims as they are extorting them these days.

Ransomware was successful because organizations didn't put much stock in data backup. Most small businesses and many medium businesses just YOLOed their tech setups for so long. When an attacker could get in, they just had to encrypt everything to hold that business hostage. Even larger businesses didn't put much effort into their data backup programs and missed key parts of their operations.

Since then, though, many small and medium businesses have implemented reasonable backup programs with varying qualities of disaster recovery plans. Just a little work on their part has reduced the effectiveness of the original ransomware tactics.

Attackers aren't dumb, though. They adapt. They began by exfiltrating and then encrypting your data. We called this a "double extortion" attack. They soon realized they were getting more response from leaking sensitive information than from encrypting data, though. So they stopped encrypting and continued stealing.

So for all of you who think that you can laugh in the face of the ransomware attackers while holding your backups in their face, step back and rethink your strategy. They have your sensitive data and will use it against you... painfully. It's still about protecting that sensitive data, just like it always was.

The attackers can flaunt that stolen data to cause you pain from reputation loss, client loss, regulatory fines, and non-renewed insurance coverage.

What can you do to better manage that risk? I'm glad you asked!

  • Know what you are collecting and storing. You can't protect what you don't know.
  • Limit the sensitive data you store. Do you need SSNs, phone numbers, addresses, etc., to carry out your business with that client? No? Then don't store it.
  • Set expiration dates on what you do need to store. Why keep sensitive data from clients that left long ago?
  • Limit access to that stored sensitive data. If you can segment your network physically or logically to keep the sensitive data away from other, less sensitive systems, do so. Only grant access to sensitive data on a need-to-know basis. Don't just blanket grant everyone access because they work there.
  • Ensure you are prioritizing general cyber hygiene measures on those segmented, sensitive systems. It's more important to patch and encrypt your critical database full of sensitive information than it is that conference room computer. Just don't forget about that conference room computer further down the list.
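One way to put the first three bullets into practice, as an added example that is not from the original post: a small Python sweep that inventories which sensitive fields are actually stored and blanks them for clients past a retention window. The record layout, the field patterns, and the two-year window are assumptions.

```python
import re
from datetime import date, timedelta

# Constructed sample export: a small client table mixing sensitive and
# non-sensitive fields, plus the date of each client's last engagement.
CLIENTS = [
    {"id": 1, "name": "Acme LLC", "ssn": "123-45-6789",
     "phone": "555-010-2000", "last_active": "2021-03-01"},
    {"id": 2, "name": "Beta Co", "ssn": None,
     "phone": "555-010-3000", "last_active": "2025-09-15"},
    {"id": 3, "name": "Gamma Inc", "ssn": "987-65-4321",
     "phone": None, "last_active": "2019-06-30"},
]

# Value shapes that mark a stored field as sensitive (US formats, as an
# assumed illustration; extend for the data your business actually holds).
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "phone": re.compile(r"^\d{3}-\d{3}-\d{4}$"),
}

def inventory(records):
    """Count the sensitive values actually stored, per field: the
    'know what you are collecting' step."""
    counts = {}
    for rec in records:
        for field, pattern in SENSITIVE_PATTERNS.items():
            value = rec.get(field)
            if isinstance(value, str) and pattern.match(value):
                counts[field] = counts.get(field, 0) + 1
    return counts

def expired(records, retention_days, today_iso):
    """IDs of clients whose last activity is older than the retention window."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=retention_days)
    return sorted(r["id"] for r in records
                  if date.fromisoformat(r["last_active"]) < cutoff)

def purge_sensitive(records, retention_days, today_iso):
    """Blank the sensitive fields of expired clients; return a scrubbed copy
    so the result can be reviewed before it is written back."""
    stale = set(expired(records, retention_days, today_iso))
    scrubbed = []
    for rec in records:
        rec = dict(rec)
        if rec["id"] in stale:
            for field in SENSITIVE_PATTERNS:
                rec[field] = None
        scrubbed.append(rec)
    return scrubbed
```

Run `inventory(CLIENTS)` before and after `purge_sensitive(CLIENTS, 730, "2026-01-01")` to see how much sensitive data a two-year retention rule removes from the store.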

Need help designing your architecture and security controls to better protect your sensitive information? We can help. We'll work through design, process, operational needs, and technical implementations with you to ensure risk is managed without detriment to operations.
