
Security Guide · Updated 2026-05-24

Data-Stealing Malware and Modern Ransomware Extortion

Modern malware is not only about deleting files or slowing down a PC. Many incidents now involve stolen credentials, unauthorized access, data theft, encryption, and pressure to pay a ransom. This guide explains the risk in simple English.

The threat is bigger than encryption

Many people think ransomware only encrypts files. That description no longer fits many modern incidents. Attackers may steal sensitive data before encryption. They may threaten to publish files, contact customers, or expose business records. This is why good backups are important but not the only control.

Common entry points

Attackers can enter through several paths. The most common paths are not always sophisticated.

Credential theft comes first in many cases

Before encrypting files, attackers often try to steal credentials. They may collect browser passwords, cookies, access tokens, VPN credentials, email passwords, or remote access logins. With valid credentials, an attacker can look like a normal user.

This is why password managers, multi-factor authentication, account review, and session revocation are important. If an info stealer is suspected, changing only the Windows password may not be enough.

Weak RDP and exposed remote access

RDP is useful for remote administration, but exposed RDP with weak passwords is a serious risk. Attackers can try leaked passwords, password spraying, brute force, or stolen credentials. Once inside, they may disable security tools, copy data, and move to other systems.

RDP should not be exposed directly to the internet when avoidable. Use VPN, IP restrictions, MFA, strong passwords, account lockout, and monitoring.
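The monitoring point above can be made concrete. The following is an added example, not code from the original guide: it reads a constructed set of failed RDP logon records (the shape of Windows Event ID 4625 with Logon Type 10) and separates brute force (one source hammering one account) from password spraying (one source trying many accounts), while ignoring ordinary typo-level failures. The timestamps, account names, addresses and thresholds are all assumed sample values.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed RDP logons, one per line: timestamp, account,
# source IP. These are made-up values chosen to show the two patterns.
SAMPLE_EVENTS = """\
2026-05-20T02:10:01 administrator 203.0.113.7
2026-05-20T02:10:03 administrator 203.0.113.7
2026-05-20T02:10:05 administrator 203.0.113.7
2026-05-20T02:10:08 administrator 203.0.113.7
2026-05-20T02:10:12 administrator 203.0.113.7
2026-05-20T03:00:00 alice 198.51.100.22
2026-05-20T03:00:30 bob 198.51.100.22
2026-05-20T03:01:00 carol 198.51.100.22
2026-05-20T03:01:30 dave 198.51.100.22
2026-05-20T03:02:00 erin 198.51.100.22
2026-05-20T09:15:00 alice 192.0.2.5
2026-05-20T10:40:00 alice 192.0.2.5
"""

def parse_events(text):
    """Parse 'timestamp account ip' lines into (datetime, account, ip) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), account.lower(), ip))
    return events

def detect_rdp_attacks(events, window=timedelta(minutes=10),
                       brute_threshold=5, spray_threshold=5):
    """Label each source IP from its failures inside a sliding time window:
    brute_force = many failures on one account, password_spray = many distinct
    accounts. Returns {ip: set(labels)}; quiet sources are absent."""
    by_ip = defaultdict(list)
    for ts, account, ip in events:
        by_ip[ip].append((ts, account))
    findings = {}
    for ip, items in by_ip.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Advance the window start until every item fits within `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            per_account = Counter(acct for _, acct in items[start:end + 1])
            if max(per_account.values()) >= brute_threshold:
                findings.setdefault(ip, set()).add("brute_force")
            if len(per_account) >= spray_threshold:
                findings.setdefault(ip, set()).add("password_spray")
    return findings
```

Running `detect_rdp_attacks(parse_events(SAMPLE_EVENTS))` flags 203.0.113.7 as brute force and 198.51.100.22 as spraying, while the two spaced-out failures from 192.0.2.5 produce no finding.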

Exploit-based access

Some incidents start with vulnerabilities in public-facing systems such as websites, VPN appliances, remote management panels, or file transfer systems. If the system is not patched, attackers may gain access without needing a user to click anything.

This is why patch management and website security scanning matter. A small business website can become an entry point if it uses outdated plugins, weak admin credentials, or unsafe components.

Data theft and pressure tactics

After gaining access, attackers may search for documents, customer records, financial files, identity documents, source code, contracts, or backups. They may compress and upload data before encryption. Later, they can use the stolen data as pressure.

The victim may receive threats such as “pay or we publish your data.” In some cases, attackers may contact customers, suppliers, or employees to increase pressure. This creates business, legal, and reputation risk.

Encryption is only one stage

Encryption may happen after reconnaissance, credential theft, data collection, privilege escalation, and backup deletion attempts. If responders only restore files without understanding the entry point, attackers may return.

A proper response should check accounts, remote access, backups, endpoint behavior, server logs, website risk, and security hardening.

Risk reduction checklist

These steps reduce the chance and impact of data-stealing malware and ransomware:

If your business is affected

Do not rush to wipe everything immediately. Preserve useful evidence such as ransom notes, suspicious emails, timestamps, file names, login records, and screenshots. Isolate affected systems when safe. Reset passwords from a clean device. Review cloud sessions and remote access.

For business incidents, incident response helps identify what happened, what data may be affected, how to recover, and how to reduce repeat attacks.
