Ransomware affiliates appear to be dabbling with new data destruction capabilities in a bid to evade detection, increase their chances of getting paid and minimize the opportunities for the development of decryptor toolst.
A new report from US security companies Cyderes and Stairwell reveals analysis of Exmatter-like malware. Exmatter is a .NET-based exfiltration tool often used by BlackCat/ALPHV ransomware affiliates.
However, in this version of the tool, the attacker attempts to corrupt files in the victim’s system following exfiltration, rather than encrypt them as usual.
“First, the malware iterates over the drives of the victim machine, generating a queue of files that match a hardcoded list of designated extensions. Files matching those file extensions are added to the queue for exfiltration, which are then written to a folder with the same name as the victim machine’s hostname on the actor-controlled server,” Cyderes explained.
“As files upload to the actor-controlled server, the files that have been successfully copied to the remote server are queued to be processed by a class named ‘Eraser.’ A randomly sized segment starting at the beginning of the second file is read into a buffer and then written into the beginning of the first file, overwriting it and corrupting the file.”
There are several advantages to the affiliate group of using such tactics.
First, using legitimate file data to corrupt other files might appear more “plausibly benign” to security tools, and therefore helps to bypass heuristic-based detection for ransomware and wipers.
Second, if the group is able to exfiltrate all of a victim’s files and then corrupt the existing ones, they have more bargaining power when it comes to extortion. It means the affiliates have the only remaining copy, and would not need to pay the ransomware developers a cut of the ransom, as no encryption is used.
Third, they don’t need to worry about vulnerabilities in the ransomware code itself, which may otherwise allow defenders to build decryption tools.
“With such a robust copy of the victim business’s data collected, encrypting the same files on disk becomes a redundant, development-heavy task compared to data destruction,” argued Stairwell.
“These factors culminate in a justifiable case for affiliates leaving the RaaS model to strike it out on their own, replacing development-heavy ransomware with data destruction.”