Ransomware began many years ago as scams in which users were tricked into paying fictitious fines for allegedly engaging in illegal online behavior or, in more serious cases, were blackmailed by malware with compromising videos taken via their webcams. The threat has since come a long way, moving from consumers to businesses and adding data leak extortion and sometimes distributed denial of service (DDoS) blackmail on the side.
The attacks have become so widespread that they now affect all types of organizations and even entire national governments. The cyber criminal groups behind them are well organized, sophisticated and even innovative, always coming up with new extortion techniques that could earn them more money. But sometimes the best way to get something is not complexity but simplification, and that seems to be the case in new attacks observed by researchers from security firms Stairwell and Cyderes, where known ransomware actors have chosen to destroy files instead of encrypting them.
Exmatter data exfiltration tool gets a makeover
Cyderes investigated a recent attack that involved a threat actor suspected of being affiliated with BlackCat/ALPHV ransomware as a service (RaaS) operation. Researchers found a data exfiltration tool called Exmatter which is known to be used by BlackCat and BlackMatter affiliates.
RaaS affiliates are individuals or groups of hackers who break into organizations and then deploy a ransomware program for a large portion of the profit from any ransom paid. Ransomware operators take over and handle the ransomware negotiation with the victim, payment instructions and data decryption. Affiliates are essentially external contractors for RaaS operators.
In recent years, it has become common for ransomware affiliates to also steal and exfiltrate data from compromised companies in addition to encrypting it, and then threaten to publish or sell it. This started out as another method of forcing ransom payments, but data leak extortion can also happen on its own, without the ransomware component.
Exmatter is a tool written in .NET that allows attackers to scan the victim computer’s drives for files with certain extensions, then upload them to a server controlled by the attacker, in a unique directory created for each victim. The tool supports multiple exfiltration methods, including FTP, SFTP, and WebDAV.
Cyderes sent the Exmatter sample they found during their investigation to Stairwell for further analysis, which determined it had new features compared to the other versions.
“There is a class defined in the sample named Eraser that is designed to run concurrently with the Sync routine,” the Stairwell researchers said in a report. “As Sync uploads files to the actor-controlled server, it adds the files that were successfully copied to the remote server to a queue of files for Eraser to process.”
The way the Eraser function works is that it loads two random files from the list into memory, then copies a random chunk from the second file to the beginning of the first file overwriting its original contents. This does not technically erase the file but rather corrupts it.
The researchers believe that this feature is still under development because the command that calls the Eraser function is not yet fully implemented and the function code still has some inefficiencies. Since the selected block of data is random, it can sometimes be very small, which makes some files more recoverable than others. Also, files are not removed from the queue after being overwritten, meaning this process can be repeated multiple times on the same file.
Data Corruption vs Encryption
Why destroy files by overwriting them with random data instead of deploying ransomware to encrypt them? At first glance, the two look like similar file manipulation operations. Encrypting a file involves overwriting it, one block at a time, with seemingly random data – the ciphertext. However, there are ways to detect these cryptographic operations when they are performed in large succession, and many endpoint security programs can now detect when a process is exhibiting this behavior and stop it. Meanwhile, the type of file overwriting performed by Exmatter is much more subtle.
“Using legitimate file data from the victim machine to corrupt other files can be a technique to avoid heuristic ransomware and wiper detection, because copying file data from one file to another is a much more benign feature than sequentially overwriting files with random data or encrypting them,” the Stairwell researchers explained.
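The Eraser behavior described above (a chunk of one legitimate file written over the beginning of another) and the detection gap the Stairwell researchers point to can be made concrete from the defender's side. The following Python is an added example written for this page; it is not code from Stairwell, Cyderes or the Exmatter sample. It compares the classic entropy heuristic, which fires on ciphertext, with a magic-number check that fires on any overwrite of the file head regardless of what the new bytes look like. The three 4 KiB "file heads" and the filename report.pdf are constructed for the demo; the magic-number table is a small subset of well-known signatures.

```python
import hashlib
import math
from collections import Counter
from typing import Optional

HEADER_LEN = 4096  # bytes examined at the start of each file

# Well-known magic numbers for a few common document types (small subset for the demo).
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",   # OOXML documents are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
}

ENTROPY_THRESHOLD = 7.0  # bits per byte; ciphertext and compressed data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (plug-in estimate over byte values)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(header: bytes) -> bool:
    """The classic ransomware heuristic: is the file head high-entropy?"""
    return shannon_entropy(header) >= ENTROPY_THRESHOLD


def header_matches_extension(filename: str, header: bytes) -> Optional[bool]:
    """True/False if the extension has a known magic number, None if unknown."""
    dot = filename.rfind(".")
    magic = MAGIC.get(filename[dot:].lower()) if dot != -1 else None
    if magic is None:
        return None
    return header.startswith(magic)


def classify(filename: str, header: bytes) -> str:
    """Combine both signals so an Exmatter-style overwrite is not missed."""
    match = header_matches_extension(filename, header)
    if match is None:
        return "unknown-type"
    if match:
        return "ok"
    # The head no longer matches the extension: the file has been tampered with.
    if looks_encrypted(header):
        return "mismatch-high-entropy"   # consistent with encryption
    return "mismatch-low-entropy"        # consistent with data copied from another file


# --- Constructed samples (not real victim data) ---------------------------------
def _pad(prefix: bytes, filler: bytes) -> bytes:
    out = prefix
    while len(out) < HEADER_LEN:
        out += filler
    return out[:HEADER_LEN]


# 1. An intact PDF head: valid magic followed by ordinary PDF syntax.
INTACT_PDF = _pad(b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
                  b"2 0 obj\n<< /Type /Pages /Count 1 >>\nendobj\n")

# 2. The same file after encryption: deterministic pseudo-random bytes standing in
#    for ciphertext (a SHA-256 chain, so the example is reproducible offline).
ENCRYPTED_PDF = b"".join(
    hashlib.sha256(b"demo-ciphertext" + i.to_bytes(2, "big")).digest()
    for i in range(HEADER_LEN // 32)
)

# 3. The same file after an Exmatter-style overwrite: its head now holds plain text
#    lifted from another document on the same machine.
CORRUPTED_PDF = _pad(b"", b"Minutes of the quarterly board meeting. Attendees: "
                          b"finance, legal and operations leads. Agenda item 1: "
                          b"review of supplier contracts and renewal terms.\n")


def demo() -> dict:
    """Run both heuristics over the three constructed heads and return the verdicts."""
    samples = {"intact": INTACT_PDF, "encrypted": ENCRYPTED_PDF, "corrupted": CORRUPTED_PDF}
    return {
        name: {
            "entropy": round(shannon_entropy(head), 2),
            "entropy_only_flags_it": looks_encrypted(head),
            "combined_verdict": classify("report.pdf", head),
        }
        for name, head in samples.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result}")
```

The entropy-only heuristic flags the encrypted head but passes the corrupted one, because a chunk of board minutes has the byte distribution of ordinary text. Because the overwrite starts at offset zero, even a very small copied chunk clobbers the signature, so the magic-number check catches both cases; it does not help for extension-less files or for formats without a fixed signature, so in practice it belongs alongside process-level telemetry (one process reading and writing large numbers of unrelated user files) rather than on its own.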
Another reason is that file encryption is a more intensive task that takes longer. It’s also much more difficult and expensive to implement file-encrypting programs — which ransomware essentially is — without bugs or flaws that researchers could exploit to reverse the encryption. There have been many cases over the years where researchers have found weaknesses in ransomware encryption implementations and were able to release decryptors. This is what happened to BlackMatter, the RaaS operation that the Exmatter tool was originally associated with.
“With data exfiltration now the norm among threat actors, developing stable, secure, and fast ransomware to encrypt files is a redundant and costly undertaking compared to file corruption and the use of exfiltrated copies as a means of data recovery,” Cyderes researchers said in an opinion.
It remains to be seen whether this is the start of a trend in which ransomware affiliates move to data destruction instead of encryption, ensuring that the only copy is in their possession, or whether it is just an isolated incident in which BlackMatter/BlackCat affiliates want to avoid the mistakes of the past. However, data theft and extortion attacks involving destruction are not new and have become widespread in the cloud database space. Attackers have been hitting unprotected S3 buckets, MongoDB databases, Redis instances and ElasticSearch indexes for years, deleting their contents and leaving ransom notes behind, so it wouldn’t be surprising to see this approach carry over to on-premises systems as well.
Copyright © 2022 IDG Communications, Inc.