The unauthorized transfer of data from an organization to external attacker-controlled infrastructure — a critical step in double extortion ransomware attacks where stolen data is leveraged for additional payment pressure.
Data exfiltration is the unauthorized copying and transfer of data from a victim organization to infrastructure controlled by the attacker. In the ransomware context, exfiltration typically occurs in the days or hours before encryption deployment. Attackers identify and collect sensitive data — customer records, financial information, intellectual property, employee data, legal documents — and transfer it to their servers. This stolen data becomes leverage for double extortion: even if the victim can restore from backups, the attacker threatens to publish or sell the stolen data.
Exfiltration techniques vary in sophistication. Common methods include direct transfer to cloud storage (Mega, file sharing services), use of legitimate cloud sync tools (rclone is a ransomware operator favorite), transfer through established C2 channels, and staging data in compressed archives before transfer. Sophisticated attackers may exfiltrate data slowly over days to avoid triggering volume-based alerts, or they may use encryption and steganography to hide exfiltrated data within normal-looking traffic.
Preventing data exfiltration requires layered controls: Data Loss Prevention (DLP) tools that monitor and control data movement based on content classification, network monitoring for unusual outbound data transfers (large volumes, transfers to new destinations, transfers outside business hours), endpoint controls that restrict the use of cloud storage tools and USB devices, and network segmentation that limits which systems can communicate with the internet directly. Detection during the pre-encryption phase is a critical opportunity — if exfiltration is detected, the organization can contain the incident before encryption occurs.
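As an added illustration of the network-monitoring controls described above (this is example code written for this entry, not tooling from any vendor or project), the Python below runs a handful of detection rules over constructed outbound flow records: a per-host daily volume rule, a never-seen-destination rule, an outside-business-hours rule, and a multi-day cumulative rule aimed at the slow, low-volume exfiltration mentioned in the previous paragraph that a single daily threshold would miss. The flow-log format, hostnames, addresses, baseline and thresholds are all assumptions made up for the example.

```python
"""Outbound-transfer detection rules over constructed flow records.

Each record is a constructed, simplified flow-log line (assumed format):
    <ISO timestamp> <src_host> <dst_host_or_ip> <bytes_out>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real telemetry). 2024-05-06 is a Monday.
SAMPLE_FLOWS = """\
2024-05-06T10:15:00 fileserver01 crm.example-saas.com 52000000
2024-05-06T11:02:00 fileserver01 crm.example-saas.com 48000000
2024-05-07T02:40:00 fileserver01 203.0.113.45 900000000
2024-05-07T03:10:00 fileserver01 203.0.113.45 1500000000
2024-05-06T14:00:00 hr-laptop07 198.51.100.20 180000000
2024-05-07T14:05:00 hr-laptop07 198.51.100.20 190000000
2024-05-08T14:10:00 hr-laptop07 198.51.100.20 170000000
2024-05-09T13:55:00 hr-laptop07 198.51.100.20 160000000
"""

# Constructed baseline: destinations each host is already known to talk to.
BASELINE = {
    "fileserver01": {"crm.example-saas.com"},
    "hr-laptop07": {"198.51.100.20"},   # a previously seen sync destination
}

# Assumed thresholds; these must be tuned to the environment's normal traffic.
DAILY_HOST_THRESHOLD = 1_000_000_000   # 1 GB outbound per host per day
NEW_DEST_THRESHOLD = 100_000_000       # 100 MB in one flow to an unbaselined destination
OFF_HOURS_THRESHOLD = 50_000_000       # 50 MB outbound per host per day outside business hours
SLOW_WINDOW_DAYS = 7                   # sliding window for the low-and-slow rule
SLOW_DEST_THRESHOLD = 500_000_000      # 500 MB cumulative to one destination within the window
BUSINESS_HOURS = (7, 19)               # 07:00-19:00, Monday to Friday


def parse_flows(text):
    """Parse the constructed flow-log format into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, dest, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "host": host,
                      "dest": dest, "bytes": int(nbytes)})
    return flows


def is_off_hours(ts):
    """True on weekends or outside the configured business hours."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def detect_exfiltration(flows, baseline):
    """Return a list of alert dicts produced by the four rules."""
    alerts = []
    daily = defaultdict(int)        # (host, date) -> bytes out
    off_hours = defaultdict(int)    # (host, date) -> bytes out during off hours
    by_pair = defaultdict(list)     # (host, dest) -> flows in time order

    for f in sorted(flows, key=lambda f: f["ts"]):
        day = f["ts"].date()
        daily[(f["host"], day)] += f["bytes"]
        if is_off_hours(f["ts"]):
            off_hours[(f["host"], day)] += f["bytes"]
        by_pair[(f["host"], f["dest"])].append(f)

    # Rule 1: large total outbound volume from one host in one day.
    for (host, day), total in daily.items():
        if total > DAILY_HOST_THRESHOLD:
            alerts.append({"rule": "daily_volume", "host": host,
                           "detail": str(day), "bytes": total})

    # Rule 2: significant outbound volume outside business hours.
    for (host, day), total in off_hours.items():
        if total > OFF_HOURS_THRESHOLD:
            alerts.append({"rule": "off_hours", "host": host,
                           "detail": str(day), "bytes": total})

    window = timedelta(days=SLOW_WINDOW_DAYS)
    for (host, dest), pair_flows in by_pair.items():
        # Rule 3: a sizeable single flow to a destination not in the host's baseline.
        if dest not in baseline.get(host, set()):
            for f in pair_flows:
                if f["bytes"] > NEW_DEST_THRESHOLD:
                    alerts.append({"rule": "new_destination", "host": host,
                                   "detail": dest, "bytes": f["bytes"]})
                    break
        # Rule 4: cumulative bytes to one destination inside a sliding window,
        # which catches transfers spread over days to stay under the daily rule.
        for i, f in enumerate(pair_flows):
            cum = sum(g["bytes"] for g in pair_flows[:i + 1]
                      if g["ts"] >= f["ts"] - window)
            if cum > SLOW_DEST_THRESHOLD:
                alerts.append({"rule": "slow_cumulative", "host": host,
                               "detail": dest, "bytes": cum})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(parse_flows(SAMPLE_FLOWS), BASELINE):
        print(alert)
```

In the sample data the file server trips the daily-volume, off-hours and new-destination rules in one night, while the laptop's four mid-sized business-hours transfers to an already-known destination are caught only by the cumulative rule; in practice the baseline would come from historical flow data and the thresholds from observed per-host norms rather than fixed constants.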