New Research Shows Attackers Moving To Destroying Data

New research from Cyderes on Exmatter describes a data extortion technique that destroys data rather than encrypting it. The Cyderes Special Operations and Stairwell Threat Research teams found a new malware sample whose exfiltration behavior ‘aligns closely with previous reports of Exmatter, a .NET exfiltration tool’. The sample was found during a recent incident response following a BlackCat ransomware attack.

Cyderes Special Operations and Stairwell Threat Research teams discovered a sample of malware whose exfiltration behavior aligns closely with previous reports of Exmatter, a .NET exfiltration tool. This sample was observed in conjunction with the deployment of BlackCat/ALPHV ransomware, which is allegedly run by affiliates of numerous ransomware groups, including BlackMatter.

Exmatter is designed to take specific file types from selected directories and upload them to attacker-controlled servers before the ransomware itself is executed on the compromised systems. In this particular sample, the attacker attempts to corrupt files within the victim’s environment rather than encrypting them and stages the files for destruction.

First, the malware iterates over the drives of the victim machine, building a queue of files that match a hardcoded list of designated extensions. Files matching those extensions are added to the exfiltration queue and then written to a folder named after the victim machine’s hostname on the actor-controlled server.

As files are uploaded to the actor-controlled server, each file that has been successfully copied to the remote server is queued to be processed by a class named Eraser. A randomly sized segment starting at the beginning of the second file in the queue is read into a buffer and then written over the beginning of the first file, overwriting it and corrupting the file.
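Because the Eraser routine described above overwrites only the beginning of a file with bytes taken from a different file, one cheap forensic triage check after an incident is to compare each file's leading bytes against the magic-byte signature expected for its extension. The script below is an added example written for this post and is not Cyderes', Stairwell's, or the malware's code; the signature table and the sample files are constructed for illustration, and the extension list Exmatter targets is not given in the post, so the extensions used here are an assumption.

```python
"""Forensic triage: flag files whose leading bytes do not match the
signature expected for their extension (the state Eraser leaves behind).

Added example; not code from the post or from the research it cites.
"""
import os
import tempfile

# Magic-byte signatures for a few common document/image types.
# ASSUMPTION: the post does not list Exmatter's target extensions;
# this table is chosen purely for illustration.
SIGNATURES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
}


def header_mismatch(path):
    """Return (expected_signature, actual_prefix) when the file's leading
    bytes disagree with the signature for its extension, else None.
    Files with extensions not in SIGNATURES are skipped (None)."""
    ext = os.path.splitext(path)[1].lower()
    sig = SIGNATURES.get(ext)
    if sig is None:
        return None
    with open(path, "rb") as fh:
        head = fh.read(len(sig))
    if head == sig:
        return None
    return (sig, head)


def scan_tree(root):
    """Walk root and return a sorted list of (path, expected, actual) for
    every file whose header disagrees with its extension."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            result = header_mismatch(path)
            if result is not None:
                findings.append((path, result[0], result[1]))
    return sorted(findings)


def build_fixture():
    """Create constructed sample files in a temp directory: an intact PDF,
    an intact PNG, a PDF whose first bytes now look like the start of a PNG
    (the condition the post describes after Eraser copies a segment from
    one file over the beginning of another), and a file with an unlisted
    extension. Returns the directory path."""
    d = tempfile.mkdtemp(prefix="triage_")
    with open(os.path.join(d, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.7\n% constructed intact body\n")
    with open(os.path.join(d, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    with open(os.path.join(d, "contract.pdf"), "wb") as fh:
        # constructed: PNG-looking prefix, then whatever remained of the PDF
        fh.write(b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"<rest of original pdf>")
    with open(os.path.join(d, "notes.txt"), "wb") as fh:
        fh.write(b"unlisted extension, skipped by the scan\n")
    return d


def demo():
    """Run the scan over the fixture and return the flagged file names."""
    findings = scan_tree(build_fixture())
    return [os.path.basename(path) for path, _, _ in findings]


if __name__ == "__main__":
    for path, expected, actual in scan_tree(build_fixture()):
        print(f"{path}: expected {expected!r}, found {actual!r}")
```

A header check like this will not recover corrupted data, and it only catches files whose original format has a recognizable signature; its value is in quickly sizing the blast radius across a share or backup set so restoration can be prioritized. Unlike a ransomware-extension scan, it is independent of the malware's naming behavior, which matters here because the technique leaves file names and extensions untouched.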

The development of capabilities to corrupt exfiltrated files within the victim environment marks a shift in data ransom and extortion tactics. Using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers. Additionally, copying file data from one file to another looks far more benign than sequentially overwriting files with random data or encrypting them.

This is an interesting plot twist in terms of how cybercrime gangs like these operate. Dr. Darren Williams, CEO and Founder of BlackFog has this to say:

     “These days, few ransomware variants bother with encryption and almost exclusively rely on data exfiltration as a means to extort users and corporations. Data is the most valuable asset an organization has, as trade secrets, confidential customer and employee data that is subject to significant regulatory reporting. The disclosure alone can trigger some significant costs from a legal perspective in addition to the direct costs of recovery and remediation.”

This research is very much worth reading as I suspect other cybercrime gangs will copy and paste this.
