Ransomware gangs are planning on trying out a new tactic, and it involves the destruction of the victims’ data.
Targeting the data
Researchers from Symantec, Cyderes and Stairwell have recently analyzed a new version of the Exmatter data exfiltration tool and have spotted a new capability: data corruption.
Used in conjunction with multi-platform ALPHV (aka BlackCat, aka Noberus) ransomware, this Exmatter sample takes specific file types from selected directories and uploads them to attacker-controlled servers. Then, before the ransomware is executed, it corrupts them.
“The files that have been successfully copied to the remote server are queued to be processed by a class named Eraser. A randomly sized segment starting at the beginning of the second file is read into a buffer and then written into the beginning of the first file, overwriting it and corrupting the file,” Cyderes researchers explained.
But, according to Daniel Mayer, a threat researcher at Stairwell, the capability is still being developed and might not function as intended.
“There is no mechanism for removing files from the corruption queue, meaning that some files may be overwritten numerous times before the program terminates, while others may never have been selected,” he explained.
Also, “The function that instantiates the Eraser class, named Erase, does not appear to be fully implemented and does not decompile correctly.”
Why are ransomware gangs thinking about destroying victims’ data?
We may be witnessing the beginning of a new shift in how ransomware gangs aim to force victims to pay up.
First there was the so-called police ransomware (or lockers), which often did not encrypt files on the infected device but just blocked its screen and asked for money to be paid to the “police.”
Ransomware with encryption capabilities followed, and then came:
- Double extortion (encryption + data exfiltration and the threat of data leaking, either on the dark web or the public internet)
- Triple extortion (encryption + data exfiltration and the threat of data leaking + DDoS attack aimed at disrupting targets’ services)
- The no-encryption approach + offer to share information on how the target was breached
This latest approach of corrupting data and asking for money to return it to the victim might work in some cases, especially if the victim organization does not have a good plan to recover from data loss or does not follow data backup best practices.
But, according to Mayer, this approach has other advantages.
“Creating stable, robust ransomware is a far more development-intensive process than creating malware designed to corrupt the files instead, renting a large server to receive exfiltrated files and returning them upon payment,” he noted.
Also, if the data is destroyed on victims’ systems, the attackers have the only copy of the victim’s files. The files can’t be restored or decrypted due to exploitable flaws in the ransomware.
Finally, “for each extorted payment received, the operator would retain 100% of the ransom payment, as opposed to paying a percentage to the RaaS developers.”
It remains to be seen if these advantages will tip the scales from ransomware to data theft and destruction – for some attackers, at least.