Everyday tools, extraordinary crimes: the ransomware exfiltration playbook
ID: b2f9b7ca-0be0-5df8-8f5e-4aeb44b5e982
STIX ID: report--b2f9b7ca-0be0-5df8-8f5e-4aeb44b5e982
Feed Name: Cisco Talos
This report presents the Exfiltration Framework, a cross-platform, behavior-focused model that normalizes how legitimate OS, endpoint, and cloud-native tools are abused for data exfiltration. It emphasizes that attackers increasingly use trusted utilities (e.g., rclone, PowerShell, cloud CLIs) and cloud storage to evade IOC-based detections, highlights recurring patterns such as masquerading and low-and-slow transfers, and recommends correlating endpoint, network, and cloud telemetry and behavioral baselining for reliable detection.
