Before 2020, data exfiltration (MITRE: TA0010) [3] was more commonly associated with nation-state attacks and banking Trojans. A study published in December 2019 analyzed 80 ransomware families to identify the MITRE ATT&CK tactics they use most often, and also showed which tactics were uncommon among ransomware gangs [4]. One of the tactics that stood out by its absence was Exfiltration (TA0010). The research suggested that this was probably because the ultimate goal of ransomware groups was to encrypt the victim's files and use that as leverage to convince the victim to pay. The research also speculated that exfiltration is more common among other types of malware and threat actors, such as banking Trojans, whose operators exfiltrate credit card data, personally identifiable information (PII) and other financial information they can later use for their own profit, or nation-state actors who exfiltrate sensitive data as part of cyber-espionage campaigns.

And yet, this changed in November 2019, when the notorious Maze ransomware gang, which started its operations in May 2019 (and has since shut down), threatened to publicly release unencrypted data it had exfiltrated from one of its victims, Allied Universal, before encrypting the victim's files, if the victim failed to pay the ransom demand [5]. Eventually, Allied Universal did not pay the ransom and Maze released their data. The gang then set up its "Maze News" website to publish the data of victims that did not pay the ransom. Soon after that, other ransomware gangs adopted this tactic and launched their own data leak sites for "embarrassing" their non-paying victims and releasing their data.

3. https://attack.mitre.org/tactics/TA0010/
4. https://www.carbonblack.com/blog/vmware-carbon-black-tau-threat-research-visualizing-ransomware-with-mitre/
5. https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/

8 | The Ransomware Landscape