
Ransomware operators might be dropping file encryption in favor of corrupting files


Ransomware started out many years ago as scams in which users were tricked into paying fictitious fines for allegedly engaging in illegal online behavior or, in more serious cases, were blackmailed with compromising videos that malware had captured through their webcams. The threat has since come a long way, moving from consumers to enterprises, adding data leak threats on the side and sometimes distributed denial-of-service (DDoS) blackmail.

The attacks have become so widespread that they now impact all types of organizations and even entire national governments. The cybercriminal groups behind them are well organized, sophisticated, and even innovative, always coming up with new extortion techniques that could earn them more money. But sometimes the best way to achieve something is not to add complexity but to simplify, and this seems to be the case in new attacks seen by researchers from security firms Stairwell and Cyderes, where known ransomware actors opted to destroy files instead of encrypting them.

Exmatter data exfiltration tool gets an upgrade

Cyderes investigated a recent attack that involved a threat actor believed to be an affiliate of the BlackCat/ALPHV ransomware-as-a-service (RaaS) operation. The researchers found a data exfiltration tool dubbed Exmatter that’s been known to be used by BlackCat and BlackMatter affiliates.

RaaS affiliates are individuals or groups of hackers who break into organizations and then deploy a ransomware program for a large share of the profits from any ransom paid. The ransomware operators take over from there and handle the ransomware negotiation with the victim, payment instructions and data decryption. Affiliates are essentially external contractors for RaaS operators.

In recent years it has become common for ransomware affiliates to double down and steal data from compromised companies in addition to encrypting it. They then threaten to release it publicly or sell it. This started as another method to force ransom payments, but data leak extortion can also happen on its own without the ransomware component.

Exmatter is a tool written in .NET that allows attackers to scan the victim computer's drives for files with certain extensions and then upload them to an attacker-controlled server, in a unique directory created for every victim. The tool supports several exfiltration methods, including FTP, SFTP, and WebDAV.
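As an added defender-side example (not code from the article, Cyderes or Stairwell), the following Python correlates constructed endpoint telemetry to flag the behaviour just described: a single process reading many document files and then connecting out on an FTP, SFTP or WebDAV port. The extension set, port mapping, event format and threshold are all assumptions, since the article does not list the extensions Exmatter targets.

```python
"""Hunt for an Exmatter-style exfiltration pattern: one process enumerating
many document files, then talking to a remote host over FTP, SFTP or WebDAV."""
import os
from collections import defaultdict

# Assumed set of document extensions worth watching; the article only says
# the tool looks for "certain extensions", so this list is illustrative.
TARGET_EXTS = {".docx", ".xlsx", ".pdf", ".pptx", ".txt", ".sql"}
# Ports associated with the exfiltration channels the article names.
EXFIL_PORTS = {21: "ftp", 22: "sftp", 80: "webdav", 443: "webdav"}
FILE_THRESHOLD = 3  # minimum document reads before a connection is suspicious

# Constructed sample telemetry (not real logs): (pid, event type, detail).
EVENTS = [
    (4101, "file_read", "C:\\Users\\alice\\Documents\\q3-forecast.xlsx"),
    (4101, "file_read", "C:\\Users\\alice\\Documents\\board-deck.pptx"),
    (4101, "file_read", "C:\\Users\\alice\\Desktop\\contracts.pdf"),
    (4101, "file_read", "C:\\Users\\alice\\Desktop\\notes.txt"),
    (4101, "net_connect", "203.0.113.10:22"),
    (2200, "file_read", "C:\\Users\\alice\\Documents\\todo.txt"),
    (2200, "net_connect", "198.51.100.5:443"),
    (3300, "net_connect", "203.0.113.10:21"),
]


def detect_exfiltration(events, threshold=FILE_THRESHOLD):
    """Return {pid: (doc_reads, channel, remote_host)} for every process that
    read at least `threshold` target-extension files and then opened a
    connection on an FTP/SFTP/WebDAV port. Events must be in time order."""
    reads = defaultdict(int)
    hits = {}
    for pid, kind, detail in events:
        if kind == "file_read":
            if os.path.splitext(detail)[1].lower() in TARGET_EXTS:
                reads[pid] += 1
        elif kind == "net_connect":
            host, _, port = detail.rpartition(":")
            channel = EXFIL_PORTS.get(int(port))
            # Only alert once per process, and only after enough document reads.
            if channel and reads[pid] >= threshold and pid not in hits:
                hits[pid] = (reads[pid], channel, host)
    return hits


if __name__ == "__main__":
    for pid, (n, channel, host) in detect_exfiltration(EVENTS).items():
        print(f"pid {pid}: {n} document reads, then {channel} to {host}")
```

A process that connects on one of these ports without first reading documents (pid 3300 above) is deliberately not flagged, which keeps ordinary FTP or HTTPS clients out of the alert set.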

Copyright © 2022 IDG Communications, Inc.
