Ransomware data exfiltration detection and mitigation strategies


In November 2019, we reached a sad new milestone in the evolution of ransomware.

The cyber gang behind Maze – the same group responsible for the recent ransomware attack on Pensacola, Florida – followed through on its threats and published the data of its victim, Allied Universal, after the security staffing firm failed to meet the ransom payment deadline.

This is the first time that a ransomware group has stolen and published a significant quantity of its victims’ data. If the strategy proves to be more profitable than traditional encryption-only attacks, it is likely that exfiltration will become an increasingly common precursor to encryption.

In this article, we’ll discuss how data exfiltration works and what organizations can do to protect their data and their clients’ sensitive information.

How does data exfiltration work?

Data exfiltration is the term used to describe the unauthorized transfer of data from a computer.

Gaining entry

To exfiltrate data, attackers first need to gain access to the target network. Some of the most common attack vectors include:


Once an attacker has gained a foothold on a network, exfiltrating data is a relatively straightforward process.

Exfiltration strategies can vary significantly in terms of scope. Attackers may steal files indiscriminately and process the data later; alternatively, exfiltration may be a careful and selective process in which attackers extract only high-value files.

Ransomware exfiltration

We expect exfiltration to become an increasingly common component in ransomware attacks. The exact method used by ransomware groups varies. For instance, the ransomware itself may not need to have exfiltration capabilities. Depending on the method used to gain network access, exfiltration can be as simple as attackers copying and pasting the files over RDP. Alternatively, attackers might run a script that uploads an entire drive to a remote location, or they may be more selective and write a simple application that looks for certain files in specific locations, and uploads them in a ZIP file to a remote server. In the case of the Maze attack, it’s believed that operators exfiltrated data using PowerShell to connect to a remote FTP server, with all affected files being automatically copied to the attackers’ server.

For ransomware groups, data exfiltration is a somewhat risky play. Stealing files takes time, bandwidth and server space. If the target notices something is amiss, they may be able to take steps to interrupt the attack before the threat actors can complete both the exfiltration and the encryption. This takes leverage away from the threat actors and could render the operation – which may have been weeks, months or even years in the making – a total failure.


Data exfiltration mitigation techniques

Preventing the initial point of compromise is favorable, of course, but organizations must operate under the assumption that their perimeter will be breached at some point and plan accordingly.

Given the extremely diverse needs of organizations and the wide range of technical methods used to exfiltrate data, it’s impossible to provide a definitive checklist for securing a company’s network.



Define responses: Many of the exfiltration detection systems mentioned in the previous section are capable of not only identifying suspicious activity but also responding to it. Depending on the situation, responses can be much more sophisticated than simply allowing or denying access. For example, a triggered intrusion detection system (IDS) could replace a requested data transfer with decoy data, protecting the real files and giving administrators an opportunity to collect information about the threat.
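The exfiltration patterns described earlier (bulk uploads over FTP, whole-drive copies to a remote host) and the graded responses described in this item can be illustrated with a small detector. The following is an added example written for this article, not code from Emsisoft or from any product it mentions. It runs over constructed outbound-connection log lines (the format, the 10.0.0.0/8 internal range, the 200 MiB volume threshold, the off-hours window and the response tiers are all assumptions chosen for illustration) and aggregates bytes sent per internal host to external destinations, flagging bulk transfers over FTP, large off-hours uploads and sources whose total outbound volume exceeds the threshold. A separate policy function then maps each alert to a response tier, showing how "define responses" can be more than allow or deny.

```python
"""Detect bulk outbound transfers in constructed connection logs and pick a response.

Added example for this article; not Emsisoft's code. Log format, networks,
thresholds and response tiers are assumptions made for illustration.
"""
from collections import defaultdict
import ipaddress

# Constructed sample log: timestamp, internal source, destination IP,
# destination port, application, bytes sent. Every line here is invented.
SAMPLE_LOG = """\
2019-11-20T02:11:05 10.0.5.23 203.0.113.10 21 ftp 52428800
2019-11-20T02:11:09 10.0.5.23 203.0.113.10 21 ftp 73400320
2019-11-20T02:12:44 10.0.5.23 203.0.113.10 21 ftp 94371840
2019-11-20T09:15:01 10.0.7.8 198.51.100.4 443 https 4096
2019-11-20T09:15:30 10.0.7.8 198.51.100.4 443 https 12288
2019-11-20T11:02:17 10.0.9.41 10.0.1.5 445 smb 209715200
2019-11-20T13:40:00 10.0.2.14 192.0.2.77 443 https 314572800
"""

# Assumed internal address space; traffic staying inside it is ignored here.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed per-source outbound byte threshold over the log window (200 MiB).
VOLUME_THRESHOLD = 200 * 1024 * 1024
# Clear-text bulk-transfer protocols that rarely carry legitimate outbound data.
SUSPICIOUS_APPS = {"ftp", "tftp"}
# Assumed hours (UTC) outside normal business operations.
OFF_HOURS = range(0, 6)


def parse_line(line):
    """Split one whitespace-separated log line into a record."""
    ts, src, dst, port, app, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": ipaddress.ip_address(dst),
            "port": int(port), "app": app, "bytes": int(nbytes)}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def detect(log_text):
    """Return alerts keyed by internal source host.

    Each alert carries the total bytes sent to external hosts and the sorted
    list of reasons that fired (protocol, off-hours upload, volume threshold).
    """
    totals = defaultdict(int)
    reasons = defaultdict(set)
    for raw in log_text.strip().splitlines():
        rec = parse_line(raw)
        if is_internal(rec["dst"]):
            continue  # lateral traffic is out of scope for this detector
        totals[rec["src"]] += rec["bytes"]
        hour = int(rec["ts"][11:13])  # "YYYY-MM-DDTHH:MM:SS" -> HH
        if rec["app"] in SUSPICIOUS_APPS:
            reasons[rec["src"]].add("bulk transfer over %s" % rec["app"])
        if hour in OFF_HOURS and rec["bytes"] > 1024 * 1024:
            reasons[rec["src"]].add("off-hours upload")
    alerts = {}
    for src, total in totals.items():
        if total > VOLUME_THRESHOLD:
            reasons[src].add("outbound volume %d MiB exceeds threshold"
                             % (total // (1024 * 1024)))
        if reasons[src]:
            alerts[src] = {"bytes": total, "reasons": sorted(reasons[src])}
    return alerts


def choose_response(alert):
    """Map an alert to a response tier (tiers are assumed for illustration).

    Several independent indicators on one host justify isolation; a single
    volume breach is throttled and escalated to an analyst; anything weaker
    is merely recorded for review.
    """
    if len(alert["reasons"]) >= 2:
        return "block-and-isolate"
    if alert["bytes"] > VOLUME_THRESHOLD:
        return "throttle-and-page-analyst"
    return "log-for-review"


if __name__ == "__main__":
    for host, alert in detect(SAMPLE_LOG).items():
        print(host, alert["bytes"], "bytes ->", choose_response(alert))
        for reason in alert["reasons"]:
            print("   ", reason)
```

On the sample data, the host uploading over FTP at 02:00 trips three indicators at once and is isolated, the daytime HTTPS host trips only the volume threshold and is throttled pending review, and the large SMB copy is ignored because its destination is internal. In a real deployment the thresholds would be tuned per host role, and the volume check would be computed over a sliding window rather than the whole log.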


As ransomware groups seek to obtain greater leverage over their victims, it’s likely that we’ll see more exfiltration events in the weeks and months ahead. Exfiltration strategies are varied and diverse; for organizations, this means there’s no one-size-fits-all solution to preventing data theft. Identifying suspicious activity on both overt and covert channels, defining and enforcing security policies and investing in systems that can respond intelligently to detected threats may be useful for reducing the risk of data exfiltration.


