Ransomware hackers are experimenting with a new kind of attack that, instead of encrypting data, outright destroys it. The aim is to make it impossible for victims to recover their data by any means other than paying the ransom.
Ransomware is one of the biggest cybersecurity issues facing the world today. While many victims refuse to give in to the extortion, others feel they have no choice but to pay for a decryption key.
But according to cybersecurity researchers at Cyderes and Stairwell, at least one ransomware group is testing ‘data destruction’ attacks.
This would be dangerous for ransomware victims because it is often possible to recover encrypted files without paying, whether from backups or because the encryption was implemented badly. If the data is destroyed outright, neither route exists, and the threat of permanent loss if extortion demands aren't met could push more victims towards giving in.
The indicators of a potential new tactic were discovered when cybersecurity analysts responded to a BlackCat – also known as ALPHV – ransomware attack.
BlackCat has been responsible for a string of ransomware incidents around the world, but ransomware criminals are always looking for new ways to make attacks more effective – and it appears they’re testing a new strategy with malware that destroys data.
The data destruction is linked to Exmatter, a .NET exfiltration tool that has previously been used as part of BlackMatter ransomware attacks. It’s widely suspected that BlackCat is a rebrand of BlackMatter – which in turn was a rebrand of Darkside, the ransomware operation behind the Colonial Pipeline attack.
In previous ransomware attacks, Exmatter has been used to take specific file types from selected directories and upload them to attacker-controlled servers before the ransomware is executed on the compromised systems and the files are encrypted – with the attackers demanding payment for the key.
However, analysis of the new Exmatter sample used in a BlackCat attack suggests that, rather than leaving files to be encrypted, the exfiltration tool corrupts and destroys them once they have been uploaded.
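The practical consequence of the tactic described above is that a responder can no longer rely on a ransom note or a file extension to tell which files were hit: a corrupted file may keep its name and size. What a responder needs is a known-good baseline to diff against. The following is an added example, not code from the page or from Exmatter or its researchers: it builds a SHA-256 manifest of the file types an exfiltration tool would typically select (the suffix list is an assumption; the page only says "specific file types"), then reports which files have been altered or removed since. The sample files and the simulated destruction (overwriting a file with same-size random bytes and deleting another) are constructed for the demo and are not a claim about how Exmatter corrupts files, which the page does not describe.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed set of targeted document types; the page only says "specific file types".
TARGET_SUFFIXES = {".docx", ".pdf", ".xlsx", ".txt"}


def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, suffixes=TARGET_SUFFIXES):
    """Map of relative path -> (digest, size) for every targeted file under root."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = (file_digest(p), p.stat().st_size)
    return baseline


def compare_to_baseline(root, baseline, suffixes=TARGET_SUFFIXES):
    """Classify files as intact, altered (content changed), missing, or new
    relative to a previously recorded baseline. Size is deliberately not used
    as the signal: a same-size overwrite must still show up as altered."""
    current = build_baseline(root, suffixes)
    report = {"intact": [], "altered": [], "missing": [], "new": []}
    for rel, (digest, _size) in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel][0] != digest:
            report["altered"].append(rel)
        else:
            report["intact"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["new"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: baseline a small tree, then simulate destruction."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        # Constructed sample files (contents are placeholders, not real documents).
        (root / "finance" / "q3.xlsx").write_bytes(b"PK\x03\x04 constructed spreadsheet bytes")
        (root / "finance" / "notes.txt").write_bytes(b"constructed notes")
        (root / "contract.pdf").write_bytes(b"%PDF-1.7 constructed")
        (root / "app.exe").write_bytes(b"MZ constructed")  # not a targeted type, ignored

        baseline = build_baseline(root)

        # Simulated destruction (an assumption for the demo, not Exmatter's method):
        # overwrite one file with random bytes of the same size, delete another.
        target = root / "finance" / "q3.xlsx"
        target.write_bytes(os.urandom(target.stat().st_size))
        (root / "contract.pdf").unlink()

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

In a real deployment the baseline would be written to storage the compromised hosts cannot reach (the same place tested backups live), since a manifest sitting next to the data can be destroyed with it. The `altered` list is the restore list; `missing` covers files the tool removed rather than overwrote.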
There are several reasons why cyber criminals might be experimenting with this new tactic. First, the threat of destroying data rather than encrypting it could provide an extra incentive for victims of attacks to pay up.
“Eliminating the step of encrypting the data makes the process faster and eliminates the risk of not getting the full payout, or that the victim will find other ways to decrypt the data,” warn researchers at Cyderes.
Also, developing destructive malware is less complex than designing ransomware, so data destruction attacks could take fewer resources and less time, leaving attackers with larger margins.
“Creating stable, robust ransomware is a far more development-intensive process than creating malware designed to corrupt the files instead, renting a large server to receive exfiltrated files and returning them upon payment,” said Daniel Mayer, threat researcher at Stairwell.
“Extortion actors are likely to continue experimenting with data exfiltration and destruction with increasing prevalence,” Mayer added.
Ransomware and malware attacks can be extremely damaging, but there are steps that organisations can take to help make their networks more robust and protect against attacks.
These include applying security patches and updates in a timely manner, so that attackers cannot exploit known vulnerabilities to get in, and rolling out multi-factor authentication across the network to protect user accounts. Because a data destruction attack leaves nothing to decrypt, offline backups that are regularly tested for restoration are the only reliable way to recover.