
The data security risks that Rubrik solves

Today’s biggest threats to data security include ransomware 2.0, data exfiltration, and credential leaks. Ransomware 2.0 adds a dangerous layer: attackers both encrypt and exfiltrate data, which gives them leverage to demand a ransom for decryption and for not leaking the stolen data. Data exfiltration has become a primary goal, with cybercriminals targeting sensitive information and selling it on the dark web. The most common entry point for these attacks is compromised credentials, including weak, leaked, or stolen passwords, which allow attackers to easily access and exploit cloud environments, leading to significant data breaches.

This blog post focuses on understanding these threats and on how Rubrik is developing tools to help overcome them.

Z Labs reports on IT and security risks

Rubrik Zero Labs focuses on providing actionable insights to reduce data risks. It achieves this through its Z Labs reports, which analyze telemetry data and combine it with data from partners.

The fourth Z Labs report highlights critical data risk trends, particularly in the cloud and healthcare sectors, and the ongoing ransomware threat. Findings reveal that cloud environments are targeted more frequently and successfully than on-premises environments, primarily due to blind spots in existing security tools not optimized for cloud-based object storage. Additionally, due to their handling of highly sensitive data, healthcare organizations are at a heightened risk of data exfiltration attacks. Notably, despite earlier expectations that ransomware attacks would decline, the report found a 70% increase in these incidents year-over-year.

One significant statistic from the survey is that 94% of organizations experienced a major cyberattack in the past year, with an average of 30 significant malicious events reported to senior leadership, and 93% of those organizations had to file formal data loss notifications due to regulatory or sensitive data exposure.

The report underscores the urgent need for organizations to enhance their data protection strategies, particularly as cyber threats continue to evolve. This is not a future concern but a present necessity.

Understanding ransomware 2.0

Ransomware primarily involves data encryption, where attackers encrypt an organization’s data and demand a ransom for the decryption key. Now, with Ransomware 2.0, there’s an added layer of data exfiltration. Attackers encrypt and steal data, threatening to leak sensitive information on the dark web if the ransom isn’t paid.

This shift has made ransomware attacks more harmful and more likely to succeed. Even if an organization has backup and recovery capabilities to restore its data after encryption, the threat of sensitive data being exposed compels many to pay the ransom. Studies show that the likelihood of paying the ransom doubles when data exfiltration is involved, and the ransom amounts are often five times higher.

Ransomware attack trends

Path of least resistance

One concerning trend is that even when organizations pay the ransom, some attackers still leak the stolen data, creating a situation where companies must trust criminals to uphold their word—a risky and unreliable scenario.

Attackers typically use the path of least resistance, focusing on acquiring access credentials rather than exploiting complex vulnerabilities. Today, the most common attack vector is compromised credentials—weak, leaked, or stolen passwords. This is especially prevalent in cloud environments, often accessible via the Internet. Attackers can easily gain access when credentials are exposed in places like Pastebin or GitHub.

Once attackers have credentials, they can log into an environment, bypass security measures like firewalls, and move laterally within the system, exfiltrating or encrypting valuable business data. One recent example of this was a wave of Snowflake data exfiltration incidents caused by a lack of basic security hygiene, such as failing to enable multi-factor authentication (MFA) on accounts with access to sensitive data.
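The paragraph above names credentials exposed in places like GitHub or Pastebin as the easiest entry point. The defender-side check for that is secret scanning of source and configuration before it leaves the organisation. The following is an added example (not code from the post, the webinar, or Rubrik) of a minimal scanner: it combines a documented public key format (the AWS access key ID shape, `AKIA` plus 16 uppercase alphanumerics), a heuristic for `password=`/`token=` style assignments, and a Shannon-entropy check for random-looking tokens. The sample file is constructed and contains no real secrets; `AKIAIOSFODNN7EXAMPLE` is the example value from AWS documentation.

```python
import math
import re
from collections import Counter

# Credential shapes to look for. The AWS access-key-id regex follows the documented
# public format; the assignment pattern is a heuristic, not tied to any vendor.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}

# Long runs of token-like characters; checked with an entropy threshold so that
# ordinary words and identifiers are not reported.
TOKEN_RUN = re.compile(r"[A-Za-z0-9+_\-]{20,}")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, prose scores low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 3.5):
    """Return (line_no, kind, value) findings for credential-like material."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                # For the assignment pattern report the value (group 2), else the whole match
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append((line_no, kind, value))
        # Generic high-entropy check for anything the explicit patterns missed
        for tok in TOKEN_RUN.findall(line):
            already = any(tok == f[2] for f in findings)
            if not already and shannon_entropy(tok) >= entropy_threshold:
                findings.append((line_no, "high_entropy_token", tok))
    return findings


# Constructed sample config (no real secrets); the AKIA value is the AWS docs example.
SAMPLE_FILE = """\
# constructed sample config (not real secrets)
db_host = db.internal.example
db_password = "Summer2024!Summer2024!"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
webhook_path = /services/T0AB1CD2E/B9ZY8XW7V/q1W2e3R4t5Y6u7I8o9P0aSdFgH
notes = this line is ordinary prose and should not match
"""

if __name__ == "__main__":
    for line_no, kind, value in scan_text(SAMPLE_FILE):
        # Print only a prefix of the value so the scanner's own output is not a leak
        print(f"line {line_no}: {kind} -> {value[:6]}...")
```

Run against the constructed sample this reports three findings: the quoted password on line 3, the AWS-format key ID on line 4, and the random-looking path segment on line 5, while the prose and hostname lines are left alone. In practice this kind of check runs as a pre-commit hook or CI step so that a credential is caught before it reaches a public repository.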

Low cost of acquiring data on the dark web

Another worrying trend is the low cost and ease of acquiring enterprise credentials on the dark web. Attackers use info-stealing campaigns to obtain browser-stored credentials and authentication cookies, allowing them to bypass MFA altogether. These credentials are sold for as little as $1 to $40, giving attackers easy access to environments where they can exfiltrate or encrypt data for ransom or other malicious purposes.

This includes both traditional login credentials (username and password) and non-human credentials, such as API keys, access tokens, and security certificates used for machine-to-machine communication. While it’s challenging to provide an exact split, there has been a notable shift in the architecture of systems. In the past, authentication was simpler, typically following a client-server model where users would authenticate into a centralized system. However, today’s distributed environments involve more machine identities and non-human credentials, which can be more challenging for IT and security teams to monitor.

Human identities tend to be more noticeable in logs and system activity when breached. Non-human identities, such as service accounts or API keys, are more opaque, which makes it harder to understand their access and exposure. Attackers can exploit these identities to gain deeper access to an environment.

Software to steal

An example of such a campaign would be one using the Redline Info Stealer, a tool readily available for purchase at around USD 50. It is user-friendly software that even comes with customer support for those needing help. Attackers can deploy it to steal sensitive information from victims’ browsers, such as login credentials. This type of software is part of a broader trend of ransomware-as-a-service (RaaS), where cybercriminals outsource ransomware attacks to specialized providers.

Prominent groups offering these services include LockBit, Black Basta, and BlackCat (ALPHV). These groups target high-profile enterprises and often post stolen data on leak sites to gain notoriety, which increases demand for their services.

A bold example involved BlackCat, which, after exfiltrating data from a major U.S. organization, waited for the company to report the breach to the SEC, as required by new regulations. When the company failed to report, BlackCat contacted the SEC, disclosing the breach. This tactic shows how ransomware groups use regulatory threats to pressure organizations into compliance or payment.

Rubrik’s DSPM

Rubrik’s DSPM (Data Security Posture Management) links human and non-human identities to sensitive data to identify potential risk exposure. This helps identify a compromised credential’s “blast radius” and allows for implementing least-privilege access, ensuring that only necessary identities can access sensitive data. For instance, developers can be limited to only what they need, rather than being allowed to access an entire production database.

The DSPM tool handles identity management, mapping users, group access, and cloud roles to assigned permissions. This visibility allows organizations to implement least-privilege access, minimizing potential damage if an account is compromised by showing the “blast radius” of each user’s permissions across environments.
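The two paragraphs above describe the idea behind a DSPM “blast radius”: map each identity (human or non-human, as discussed in the section on dark-web credentials) through its roles to the sensitive datasets it can reach, then compare what is granted with what is actually used to find least-privilege trims. The following is an added illustration of that computation, not Rubrik’s code or a description of how its product works. The identity inventory, role grants, dataset sensitivity labels, and the 30-day usage set derived from access logs are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Dataset:
    name: str
    sensitivity: str  # e.g. "PII", "PHI", "public"


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str          # "human" or "non-human" (service account, API key, CI runner)
    roles: frozenset   # role names bound to this identity


# Constructed inventory: role -> set of (dataset, action) grants.
ROLE_GRANTS = {
    "app-reader": {("orders_db", "read")},
    "app-writer": {("orders_db", "read"), ("orders_db", "write")},
    "analytics": {("patients_bucket", "read"), ("orders_db", "read")},
    "admin": {("patients_bucket", "read"), ("patients_bucket", "write"),
              ("orders_db", "read"), ("orders_db", "write"), ("build_logs", "read")},
}

# Constructed classification results: which datasets hold sensitive data.
DATASETS = {
    "orders_db": Dataset("orders_db", "PII"),
    "patients_bucket": Dataset("patients_bucket", "PHI"),
    "build_logs": Dataset("build_logs", "public"),
}

IDENTITIES = [
    Identity("alice", "human", frozenset({"app-writer"})),
    Identity("etl-service-key", "non-human", frozenset({"analytics", "admin"})),
    Identity("ci-runner", "non-human", frozenset({"app-reader"})),
]

# Constructed 30-day usage, as it would be derived from access logs.
OBSERVED_USE = {
    "alice": {("orders_db", "read"), ("orders_db", "write")},
    "etl-service-key": {("orders_db", "read"), ("patients_bucket", "read")},
    "ci-runner": set(),
}

# Weight used to rank identities; PHI counts double in this example.
SENSITIVITY_WEIGHT = {"PHI": 2, "PII": 1, "public": 0}


def effective_grants(identity: Identity) -> set:
    """Union of every (dataset, action) reachable through the identity's roles."""
    grants = set()
    for role in identity.roles:
        grants |= ROLE_GRANTS.get(role, set())
    return grants


def blast_radius(identity: Identity) -> set:
    """Sensitive (dataset, action) pairs exposed if this credential is compromised."""
    return {(ds, act) for ds, act in effective_grants(identity)
            if DATASETS[ds].sensitivity != "public"}


def excess_privileges(identity: Identity) -> set:
    """Granted but unused permissions: the candidates for least-privilege trimming."""
    return effective_grants(identity) - OBSERVED_USE.get(identity.name, set())


def risk_report(identities=IDENTITIES) -> list:
    """One row per identity, highest blast score first."""
    rows = []
    for ident in identities:
        radius = blast_radius(ident)
        rows.append({
            "identity": ident.name,
            "kind": ident.kind,
            "sensitive_reach": sorted(radius),
            "unused_grants": sorted(excess_privileges(ident)),
            "blast_score": sum(SENSITIVITY_WEIGHT[DATASETS[d].sensitivity] for d, _ in radius),
        })
    return sorted(rows, key=lambda r: r["blast_score"], reverse=True)


if __name__ == "__main__":
    for row in risk_report():
        print(f"{row['identity']} ({row['kind']}): score={row['blast_score']}, "
              f"reach={row['sensitive_reach']}, unused={row['unused_grants']}")
```

On the constructed inventory the non-human `etl-service-key` ranks first: its `admin` binding gives it write access to PHI that it never uses, which is exactly the kind of opaque, over-privileged machine identity the post warns about. The human developer `alice` uses everything she is granted, and `ci-runner` holds a PII read grant it has not exercised at all.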

Additionally, Rubrik employs a generative AI tool called Ruby, designed to assist during data recovery processes in the event of an attack, such as ransomware. Ruby, a chatbot assistant, helps guide users through recovery steps, identifying safe data versions to restore and minimizing the time to return to normal operations without requiring expert knowledge of Rubrik’s systems.

This blog is based on the webinar with Filip Verloy, Field CTO EMEA & APJ, Rubrik. You can watch the full video here.
