From big game hunting (BGH) to the growth of ransomware-as-a-service (RaaS) and data leak sites (DLS), the data extortion landscape is constantly evolving and experiencing new innovations from threat actors.
Could the data extortion tactics of tomorrow turn to outright data destruction in lieu of RaaS deployment?
Data destruction is rumored to be where ransomware is going to go, but we haven’t actually seen it in the wild. During a recent incident response, however, Cyderes and Stairwell discovered signs that threat actors are actively in the process of staging and developing this capability.
Familiar tool, new tactic
Cyderes Special Operations and Stairwell Threat Research teams discovered a sample of malware whose exfiltration behavior aligns closely with previous reports of Exmatter, a .NET exfiltration tool. This sample was observed in conjunction with the deployment of BlackCat/ALPHV ransomware, which is allegedly run by affiliates of numerous ransomware groups, including BlackMatter.
Exmatter is designed to take specific file types from selected directories and upload them to attacker-controlled servers before the ransomware itself is executed on the compromised systems. In this particular sample, the attacker attempts to corrupt files within the victim’s environment rather than encrypting them and stages the files for destruction.
First, the malware iterates over the drives of the victim machine, generating a queue of files that match a hardcoded list of designated extensions. Files matching those file extensions are added to the queue for exfiltration, which are then written to a folder with the same name as the victim machine’s hostname on the actor-controlled server.
As files upload to the actor-controlled server, the files that have been successfully copied to the remote server are queued to be processed by a class named Eraser. A randomly sized segment starting at the beginning of the second file is read into a buffer and then written into the beginning of the first file, overwriting it and corrupting the file.
The development of capabilities to corrupt exfiltrated files within the victim environment marks a shift in data ransom and extortion tactics. Using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers. Additionally, copying file data from one file to another is a much more benign functionality than sequentially overwriting files with random data or encrypting them.
Why destroy data rather than encrypt it?
With data exfiltration now the norm among threat actors, developing stable, secure, and fast ransomware to encrypt files is a redundant and costly endeavor compared to corrupting files and using the exfiltrated copies as the means of data recovery.
Affiliates have also lost out on profits from successful intrusions due to exploitable flaws in the ransomware deployed, as was the case with BlackMatter, the ransomware associated with previous appearances of this .NET-based exfiltration tool. Eliminating the step of encrypting the data makes the process faster and eliminates the risk of not getting the full payout, or that the victim will find other ways to decrypt the data.
Get the Inside Look
Artifacts within the sample indicate that the development of Exmatter is ongoing. Due to the nascent nature of the data destruction functionality within Exmatter, the Cyderes Special Operations and Stairwell Threat Research teams assess that data extortion actors are likely to continue experimenting with data exfiltration and destruction.
For a more in-depth analysis, we collaborated with Stairwell, our strategic partner who expands our 360-degree detection capabilities with its Inception platform. Read the full research report Exmatter: Clues to the future of data extortion.
Take the first step in transforming your cybersecurity program
Enterprise security teams are adapting to meet evolving business needs. With six global Security Operations Centers, emerging technology partners and a dedicated team of security specialists, Cyderes is well-positioned to be your organization’s trusted advisor in cybersecurity. We’ll help you understand your risk exposure, increase your visibility and ROI, and proactively hunt for the latest threats.