New ransomware tool uses unique tactics to corrupt data
Threat actors have updated the data exfiltration tool Exmatter with a data corruption feature that, in future attacks, could take the place of the encryption step in a ransomware operation.
The feature was discovered by malware analysts working with the Cyderes Special Operations Team during a recent incident response engagement.
In short, the tactic uses the contents of one exfiltrated file to damage another. Researchers believe this is an attempt to evade heuristic detection of ransomware and wipers: such heuristics can trigger when a process overwrites files with randomly generated data, whereas bytes copied from another legitimate file on the same system look far less suspicious to them.
“As files upload to the actor-controlled server, the files that have been successfully copied to the remote server are queued to be processed by a class named Eraser. A randomly sized segment starting at the beginning of the second file is read into a buffer and then written into the beginning of the first file, overwriting it and corrupting the file.”
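To make the Eraser behaviour described above concrete, here is an added Python reconstruction written for this page; it is illustrative code, not Exmatter's own .NET implementation. It assumes a segment size drawn from a 16 to 1024 byte range and assumes the last file in the queue, which has no successor, is left untouched, neither of which the report states, and it operates on constructed in-memory byte strings instead of files on disk. It also measures the byte entropy of the overwritten region, which is the point behind the evasion: the bytes written come from a real document, not from a random generator.

```python
import math
import random
from typing import List, Optional

# Illustrative reconstruction of the "Eraser" behaviour the article describes.
# This is NOT Exmatter's own code: the segment-size bounds and the treatment
# of the last queued file are assumptions, and the "files" are constructed
# in-memory byte strings rather than files on disk.

MIN_SEGMENT = 16    # assumed lower bound on the random segment size
MAX_SEGMENT = 1024  # assumed upper bound on the random segment size


def corrupt_first_with_second(first: bytes, second: bytes, seg_len: int) -> bytes:
    """Overwrite the start of `first` with the first `seg_len` bytes of `second`.

    Behaves like a write at offset 0 of an open file handle: if the buffer is
    longer than `first`, the file grows; if `second` is shorter than `seg_len`,
    only the bytes that exist are read into the buffer.
    """
    if seg_len < 0:
        raise ValueError("segment length must be non-negative")
    buf = second[:seg_len]         # read a segment from the beginning of the second file
    return buf + first[len(buf):]  # write it over the beginning of the first file


def eraser_pass(files: List[bytes], rng: Optional[random.Random] = None) -> List[bytes]:
    """Process an upload queue pairwise: file i is corrupted with data from file i+1.

    The last file has no successor and is left intact here (an assumption; the
    article does not say what happens to it).
    """
    if rng is None:
        rng = random.Random()
    out = list(files)
    for i in range(len(files) - 1):
        seg_len = rng.randint(MIN_SEGMENT, MAX_SEGMENT)
        out[i] = corrupt_first_with_second(files[i], files[i + 1], seg_len)
    return out


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant string, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Length of the longest shared prefix of two byte strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def run_demo(seed: int = 7) -> dict:
    """Corrupt a constructed queue and compare the result with a random-byte wipe."""
    rng = random.Random(seed)
    # Constructed sample "files": two text documents followed by a binary blob.
    doc_a = b"Quarterly report: revenue up 4%, headcount flat.\n" * 40
    doc_b = b"Board minutes, item 3: approve the backup retention policy.\n" * 40
    blob = bytes(rng.getrandbits(8) for _ in range(2048))
    before = [doc_a, doc_b, blob]
    after = eraser_pass(before, rng)

    overwritten = common_prefix_len(after[0], doc_b)  # bytes of doc_a now taken from doc_b
    # What a classic wiper would have written instead: freshly generated random bytes.
    random_wipe = bytes(rng.getrandbits(8) for _ in range(2048))
    return {
        "doc_a_overwritten_bytes": overwritten,
        "doc_a_size_unchanged": len(after[0]) == len(doc_a),
        "copied_prefix_entropy": shannon_entropy(after[0][:overwritten]),
        "random_wipe_entropy": shannon_entropy(random_wipe),
        "last_file_intact": after[2] == blob,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the demo shows the overwritten prefix of the first document keeping the roughly 4 bits per byte entropy of ordinary English text, while a random-byte wipe of comparable size sits near 8 bits per byte, which is the signal entropy-based wiper heuristics key on. The copy-based corruption still leaves traces a defender can use: a process that reads the start of one user file and immediately writes to offset 0 of another, files whose leading bytes no longer match their extension's expected header, and files that now share an identical prefix with a neighbour in the same directory.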
Researchers believe the new tool could change the strategy used by ransomware affiliates. Ransomware operations have long run as Ransomware-as-a-Service (RaaS): the operators/developers build the encryptor and the payment site and handle negotiations, while affiliates break into corporate networks, steal data, delete backups, and encrypt devices.
That structure puts affiliates at a disadvantage. Ransomware developers sometimes introduce bugs into their encryptors that allow security researchers to build decryptors, letting victims recover their files for free.
Under a typical revenue split, the operators take between 15% and 30% of each ransom and the affiliates keep the rest; but when researchers release a decryptor, the affiliates lose all of the potential revenue they would have received from ransom payments for those attacks.
The new data corruption feature could therefore drive a shift away from traditional ransomware attacks, in which data is stolen and then encrypted, toward attacks in which data is stolen and then deleted or corrupted, with the stolen copy used as the basis for extortion.
The method also lets affiliates keep all of the revenue from an attack, since there is no encryptor developer to share a percentage with.
The sources for this piece include an article in BleepingComputer.