Data Exfiltration in Ransomware Attacks: Digital Forensics Primer for Lawyers

Nearly 80 percent of all ransomware attacks in the first half of 2021 involved the threat of leaking exfiltrated data. Exfiltration is a popular pressure tactic as it introduces the threat to publish stolen sensitive data to a threat actor extortion website if a ransom payment is not received. Our team currently tracks over 40 threat actor extortion websites, with new sites belonging to new ransomware groups emerging each week.

With exfiltration tactics growing in popularity and sophistication, and with its consequences potentially leading to costly regulatory and reputational damage, it’s imperative that lawyers are abreast of how such attacks are investigated and how to efficiently partner with digital forensics professionals to fully understand the real scope of incident.

Exfiltration is not always a “smoking gun” in an environment and often relies on what can be called circumstantial evidence. The best evidence to “see” the data leave the environment would be from the network layer, typically from firewall logs. Firewall logs allow forensic examiners to determine where the data was flowing to (egress IP), and size or number of bytes that were being transferred in or out of the network. There are a few issues, however, to be aware of with these logs:

• Limited visibility into what left the system. (That is, sometimes it’s not possible to tell if it is a vacation photo from 2019 or a very sensitive secret file.)
• Logs typically roll over every few days or weeks so often forensic examiners may not have as much history or enough visibility to examine the incident, depending on the attack timeframe. (This also reinforces the need to engage an incident response team as fast as possible.)
• In an encryption event, which typically follows exfiltration in most ransomware attacks, often firewall log data is encrypted if it is being saved/stored in the network. Forensic investigators must then rely on other artifacts to piece together the story of exfiltration in a client network.

Laptops, workstations and other user-controlled devices can also provide a potential source to investigate exfiltration attacks. Forensic investigators can create a baseline of the environment to understand what can be considered normal vs. abnormal given standard or consistent work patterns. Patterns such as a user logging into the system from a different country, at an unusual time of day, can then point to other red flags. Below are some of the fact patterns examiners review to determine if a host may be at risk of exfiltration:

• File access indicative of an interest in data.
  • This usually can be determined based on time stamps and how long it’s taken between file traversal activities.
  • It is important to know if this is occurring before or after encryption, although it is not abnormal to see after encryption to ensure the malware worked to lock the files.
• Broad searches on the host for files with keywords like “sensitive,” “confidential,” “financial,” “accounting” or “HR".
  • Attackers come into environments and specifically look for information of perceived value. Whether it be financial statements that help justify the ransom amount, or sensitive data to threaten an organization of the reputational damage they will endure if published on their threat actor extortion website.
• File and folder staging by the threat actor (especially in a central location).
  • Staging is when a threat actor groups files and folders before compressing them. Compression makes them much smaller in size, expediting exfiltration.
• Access by the threat actor to file sync tools such rClone, MEGAsync, Total Commander, etc. These are tools for copying data from an environment into external cloud storage.
• Access by the threat actor to file sync sites such as Dropbox, Sendspace, Google Drive, etc.

Cloud storage websites where data can be uploaded and synced to for access anywhere (including the attacker’s computer).

When deciding whether a host is at risk or not, we typically need to see a combination of the above fact patterns to give a degree of confidence on whether exfiltration occurred or not. The more hits on the fact patterns, the higher the degree of confidence.

Unfortunately, there is a caveat because some groups are sophisticated enough to use advanced threat frameworks, such as Metasploit, Cobalt Strike or Empire in their attack. These frameworks run on memory and write very little to disk, minimizing the footprint of the attack and creating additional obstacles for forensic investigators. However, such tools do not have user-friendly interfaces to allow attackers to easily view files and folders prior to exfiltration, which usually gives examiners enough clues.

If your client is involved in an incident where exfiltration seems to have occurred, consider the following tips to protect the integrity of your investigation and maximize the impact of your digital forensics team:

• Prioritize Data Preservation
  Firewall logs are often one of the first things requested by examiners due to their short retention length and how important they can be in confirming exfiltration in a network. Additional logs of importance are VPN, IDS/IPS, antivirus, endpoint detection agents and more.
• Preserve your Endpoints
  Do not roll back or restore endpoints until a forensic examiner is consulted.
• Share the Data Map
  Provide the incident response team with information, ideally in a data map, on where your sensitive data is stored in the network. If the threat actors have provided any indication of what data they exfiltrated, consider where in the network that information resides and inform the forensic investigators.

If you are dealing with an exfiltration incident, consider the following questions for your forensic examiner:

In your experience with the threat actor group do they exfiltrate data or is there language alluding that they exfiltrated data from the environment.

• Are you seeing an interest in the data from the threat actor?
  • Any searches for particular key words?
  • What type of files are they accessing if any?
• Is there evidence of file and folder staging in the network?
• Have any cloud repositories or file transfer tools been discovered throughout the environment? a. Legitimate tools should also be clarified with the IT team to prevent false positives.
• Were there any gaps in visibility due to log retention or remediation efforts?
  • If missing specific hosts, confirm that there was no manual access or evidence of manual access to suggest they might be at risk.
• Are there any tools the attacker is using that could impact forensic visibility?

Exfiltration attacks can lead to complex investigations, reinforcing the need for tighter collaboration between corporate and external counsel with in-house and outside incident response investigators.

The outline provided here should help counsel better understand the key steps in the investigation, but it’s highly recommended to review log coverage, retention policies and rehearse exfiltration incidents in specific tabletop exercises to build the right behaviors in the event of a real attack.

This article was originally published by The Lawyer's Daily, (www.thelawyersdaily.ca) a division of LexisNexis Canada.