Before 2020, data e åfltration (MITRE:TA0010 3 ) was more commonly associated with nation-state attacks and banking Trojans. A stud published in December 2019 anal ed 80 ransom are families to identif the most common MITRE ATT&CK tactics the use, but also presented what tactics were uncommon among ransomware gangs 4 . One of the tactics that stood out in its absence as E åfltration (TA0010). The research mentioned that this was probably since the ultimate goal of ransomware groups was to encr pt the ictim’s åfles and use it as le erage to con ince the ictim to pa . The research also speculated that e åfltration is more common among other t pes of mal are and threat actors, such as banking Trojans, hose operators e åfltrate credit card data, personall identiåfable information (PII) and other åfnancial information the could later le erage for their o n proåft, or nation-state actors ho e åfltrate sensitive data as part of cyber-espionage campaigns. And et, this changed in No ember 2019, hen the notorious Ma e ransom are gang, ho started its operations in Ma 2019 (and had since alread shut do n), threatened to publicl release unencr pted data the e åfltrated from one of their ictims, Allied Uni ersal, before encr pting their åfles, if the ictim ould fail to pa the ransom demand 5 . E entuall , Allied Uni ersal did not pa the ransom and Ma e released their data. The gang then set up their “Ma e Ne s” ebsite, for publishing data of their victims that did not pay the ransom. Soon after that, other ransomware gangs adopted this tactic and launched their own data leaks sites for “embarrassing” and releasing the data of their non-paying victims https:// .carbonblack.com/blog/ m are-carbon-black-tau-threat-research- isuali ing-ransom are- ith-mitre/ 4. https:// .bleepingcomputer.com/ne s/securit /ma e-ransom are-is-shutting-do n-its-c bercrime-operation/ 5. https://attack.mitre.org/tactics/TA0010/ 3. 8 | The Ransomware Landscape