Talion is a finalist for Best SIEM Solution for the 4th year in a row


Stop! Which Data Is Most At Risk From Ransomware?

Have you ever stopped to think about which areas of your business are most vulnerable: customer data, emails, operational documents?

No organisation wants to fall victim to ransomware or a data breach.

However, like the Crown Jewels at the Tower of London, some prized possessions are just worth more.

We’ve taken a look at what data cyber attackers prioritise, and therefore what areas require extra protection.


Data Breaches – How Do They Work?

A data breach is an incident where data is stolen, usually by cyber attackers, from a system or device without authorised consent. It is one of the biggest security violations for modern-day businesses and can arise from the simplest of mistakes, such as clicking a malicious link in an email.

Data breaches often occur due to vulnerabilities in technology or simple human error – either the systems aren’t up to speed, or employees aren’t receiving enough security training. If businesses don’t evaluate both of these areas on a regular basis, then they are at risk of falling short of security regulations, becoming exposed, and therefore placing an unintentional target on their back.

There have been data breaches targeting many well-known businesses over the years – the worst of which is said to be Yahoo, where 500 million user accounts were breached in a 2014 cyberattack that was only made public in 2016. Three months later, Yahoo came forward once again to disclose another breach dating back to August 2013. Overall, it was estimated that 1 billion user accounts had been affected, which rose to 3 billion compromised accounts once the FBI became involved.

Sometimes, even ransomware groups themselves fall victim to data breaches, such as when Conti’s chat logs and ransomware source code were leaked to the public in February and March 2022. Many spoke of the group’s potential shutdown after this data scare, ironically mirroring the companies they victimised – a taste of their own medicine, many would say.




Ransomware Attack Vs Data Breach – What’s The Difference?

With the myriad of different cybercriminal techniques across the technology space, it can be difficult to distinguish what’s what. If ransomware attacks also involve stealing data, then how do they differ from a data breach?

Typically speaking, the primary objective of a data breach is data theft – sensitive data is stolen with the intention of releasing it to the public and ruining the reputation of the company. With ransomware, by contrast, data is stolen and encrypted as leverage to extract payment from the victim – it is kept on internal servers and not necessarily leaked or sold to the public. The primary objective of ransomware attacks is therefore monetary gain, regardless of whether or not it involves actual data theft.

However, more recently, the line between data breaches and ransomware is thinning.

A ransomware attack may lean into the territory of a data breach when sensitive data is exfiltrated before it’s encrypted with ransomware – in this case, the data is removed from the corresponding device and is completely in the hands of the cybercriminal. Not only does this give them greater control and more leverage, but by leaking the data, they are making a name for themselves and claiming their spotlight amongst other ransomware gangs.

LockBit, for example, targeted the Canadian company Top Aces earlier this year and, following the ransomware attack, gave the company a deadline to pay the ransom before they would leak all 44GB of data they allegedly stole. There is often no way of knowing where the data will end up, and for this very reason, ransomware attacks often filter into data breaches when ransoms aren’t paid.

As a result, a lot of modern-day ransomware attacks are simultaneously data breaches – an even bigger threat to organisations, as they are expected to source a ransom fee whilst also claiming their data back and managing the damage to their reputation.


What Data Do Cyber Attackers Prioritise?

When it comes to running a business, there’s lots of data involved, from operational documents to customer data, to email correspondence. Data is everything. Where would a cyber attacker begin?

We’ve taken a look at Rapid7’s Ransomware Data Disclosure Trends Report to discover what data categories are targeted most frequently by cyber attackers in specific industries and, therefore, what data needs extra protection.


Graph of Percentage Data Disclosure Per Category Per Industry


The graph shows that Finance & Accounting is the most sought-after data in the Healthcare and Pharmaceutical industries. Cybercriminals, therefore, seem to want to monitor business transactions, perhaps to evaluate the success of the business in order to demand a ransom payment that is a “reasonable ask”.

It is no surprise that Customer & Patient data follows closely behind, what with sensitive health records being key documents for places like hospitals to run effectively and meet privacy requirements. A single healthcare record can also sell for $250 on the black market – a value that’s considerably higher than if a cyber attacker were trying to sell operational documents instead, for example.

The reason Customer & Patient Data hits the top spot for Financial Services is likely because private sector organisations depend heavily on the perceived trustworthiness of financial institutions; if cyber attackers release customer data, consumer trust would inevitably fall.

Whilst disclosure rates for data categories such as Insurance and Operational Documents are significantly low, it’s interesting that they still remain an active target. Are some threat groups perhaps targeting all of a company’s data, rather than focusing on specific categories?



To protect your business at maximum capacity, it all starts with identifying your weaknesses.

Put yourself in the shoes of the cyber attacker – what data in your business would be most valuable to them?

Only then can you evaluate how best to protect your prized assets.

Get in touch with us to discuss your security challenges, or download our company brochure to find out more about how we can help you.

In the meantime, we’ll be over on LinkedIn as part of our #RansomAware campaign – come join us!

