Ransomware started out many years ago as scams where users were tricked into paying fictitious fines for allegedly engaging in illegal online behavior or, in more serious cases, were blackmailed with compromising videos taken through their webcams by malware. The threat has since come a long way, moving from consumers to enterprises, adding data leak threats on the side and sometimes distributed denial-of-service (DDoS) blackmail.
The attacks have become so widespread that they now impact all types of organizations and even entire national governments. The cybercriminal groups behind them are well organized, sophisticated, and even innovative, always coming up with new extortion techniques that could earn them more money. But sometimes the best way to achieve something is not to complicate but to simplify, and this seems to be the case in new attacks seen by researchers from security firms Stairwell and Cyderes, where known ransomware actors opted to destroy files instead of encrypting them.
Exmatter data exfiltration tool gets an upgrade
Cyderes investigated a recent attack that involved a threat actor believed to be an affiliate of the BlackCat/ALPHV ransomware-as-a-service (RaaS) operation. The researchers found a data exfiltration tool dubbed Exmatter that’s been known to be used by BlackCat and BlackMatter affiliates.
RaaS affiliates are individuals or groups of hackers who break into organizations and then deploy a ransomware program for a large share of the profits from any ransom paid. The ransomware operators take over from there and handle the ransomware negotiation with the victim, payment instructions and data decryption. Affiliates are essentially external contractors for RaaS operators.
In recent years it has become common for ransomware affiliates to double down and steal data from compromised companies in addition to encrypting it. They then threaten to release it publicly or sell it. This started as another method to force ransom payments, but data leak extortion can also happen on its own without the ransomware component.
Exmatter is a tool written in .NET that allows attackers to scan the victim computer’s drives for files with certain extensions and then upload them to an attacker-controlled server in a unique directory created for every victim. The tool supports several exfiltration methods including FTP, SFTP, and WebDAV.
Cyderes sent the Exmatter sample found during its investigation to Stairwell for additional analysis, and Stairwell determined that it had new functionality compared to other versions.
“There is a class defined within the sample named Eraser that is designed to execute concurrently with the routine Sync,” the Stairwell researchers said in a report. “As Sync uploads files to the actor-controlled server, it adds files that have been successfully copied to the remote server to a queue of files to be processed by Eraser.”
The Eraser function loads two random files from the list into memory and then copies a random chunk from the second file to the beginning of the first file, overwriting its original contents. This doesn’t technically erase the file but rather corrupts it.
The researchers believe this feature is still being developed because the command that calls the Eraser function is not yet fully implemented and the function’s code still has some inefficiencies. Since the selected data chunk is random, it can sometimes be very small, which makes some files more recoverable than others. Also, files are not taken out of the queue after being overwritten, which means this process could be repeated on the same file numerous times.
Data corruption vs encryption
Why destroy files by overwriting them with random data instead of deploying ransomware to encrypt them? At first glance these seem like similar file manipulation operations. Encrypting a file involves overwriting it, one block at a time, with random-looking data, the ciphertext. However, there are ways to detect these encryption operations when they are done in rapid succession, and many endpoint security programs can now detect when a process exhibits this behavior and stop it. Meanwhile, the kind of file overwriting that Exmatter does is much more subtle.
“The act of using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers, as copying file data from one file to another is much more plausibly benign functionality compared to sequentially overwriting files with random data or encrypting them,” the Stairwell researchers explained.
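The contrast the researchers draw can be shown with a small triage check. This is an added example, not code from Stairwell, Cyderes or the original article: it compares an entropy heuristic with a file-signature check on constructed byte strings, and the names `triage`, `MAGIC` and the 7.5 bits-per-byte threshold are assumptions made for illustration.

```python
import hashlib
import math
import os
from collections import Counter

# Well-known leading signatures; the extension list is an illustrative subset.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".zip": (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(name: str, data: bytes, threshold: float = 7.5, window: int = 4096) -> str:
    """Classify a file from its first `window` bytes (hypothetical helper)."""
    sigs = MAGIC.get(os.path.splitext(name)[1].lower())
    if sigs is None:
        return "unknown-type"
    head = data[:window]
    if any(head.startswith(s) for s in sigs):
        return "ok"
    # Header is wrong: ciphertext looks random, copied file data does not.
    if shannon_entropy(head) >= threshold:
        return "header-mismatch-high-entropy"
    return "header-mismatch-low-entropy"

# Constructed sample data (not taken from any real incident).
PDF = b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 200
LOG_CHUNK = b"2022-09-01 12:00:00 INFO service started\n" * 8
# Same PDF with its beginning replaced by bytes from another benign file.
OVERWRITTEN = LOG_CHUNK + PDF[len(LOG_CHUNK):]
# Deterministic random-looking bytes standing in for ciphertext.
CIPHERLIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

if __name__ == "__main__":
    for label, blob in [("intact", PDF), ("overwritten", OVERWRITTEN), ("cipherlike", CIPHERLIKE)]:
        print(label, round(shannon_entropy(blob[:4096]), 2), triage("report.pdf", blob))
```

The overwritten sample stays well under the entropy threshold, so only the signature mismatch flags it. The check inspects the leading signature alone, so a copied chunk that itself begins with a valid header of the same type would pass.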
Another reason is that encrypting files is a more intensive task that takes a longer time. It’s also much harder and costlier to implement file encryption programs, which ransomware essentially are, without bugs or flaws that researchers could exploit to reverse the encryption. There have been many cases over the years where researchers found weaknesses in ransomware encryption implementations and were able to release decryptors. This has happened to BlackMatter, the RaaS operation with which the Exmatter tool was originally associated.
“With data exfiltration now the norm among threat actors, developing stable, secure, and fast ransomware to encrypt files is a redundant and costly endeavor compared to corrupting files and using the exfiltrated copies as the means of data recovery,” researchers from Cyderes said in an advisory.
It remains to be seen if this is the start of a trend where ransomware affiliates switch to data destruction instead of encryption, ensuring the only copy is in their possession, or if it’s just an isolated incident where BlackMatter/BlackCat affiliates want to avoid mistakes of the past. However, data theft and extortion attacks that involve destruction are not new and have been widespread in the cloud database space. Attackers have hit unprotected S3 buckets, MongoDB databases, Redis instances, and Elasticsearch indexes for years, deleting their contents and leaving behind ransom notes, so it wouldn’t be a surprise to see this move to on-premises systems as well.