This discovery represents a new approach to ransomware attacks. Typically, ransomware tools encrypt the files on a victim’s device until they pay a ransom. However, as cybersecurity companies release more sophisticated tools that can unfurl the grip of ransomware encryption, it seems cybercriminals are taking a different approach. Evidence of this new functionality in ransomware malware may also indicate that business relationships between ransomware operators and affiliates are changing. “If one threat actor has its way, encrypting data may be on the way out. For them, corrupting data is all the rage,” Stairwell tweeted last week.
‘Data Destruction Functionality’
Stairwell and Cyderes researchers found the new functionality in a tool used by the BlackMatter ransomware group. “[This] is a .NET executable designed for data exfiltration using FTP, sftp, and webDAV protocols, and contains functionality for corrupting the files on disk that have been exfiltrated,” the researchers explained. The data destruction functionality of Exmatter appears to be an experimental feature. This malware has been used since 2021, but this is the first time it has been found to siphon and corrupt the data on victims’ devices. The ingenious way the Exmatter tool corrupts files on victims’ devices is also worth noting. Once it successfully uploads the files to a server controlled by the threat actor, the tool randomly copies bits of data from a file and uses it to overwrite and corrupt other files. “The act of using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers, as copying file data from one file to another is much more plausibly benign functionality compared to sequentially overwriting files with random data or encrypting them,” the researchers noted.
Shifting Business Relationships
This finding may also indicate that ransomware threat actors are moving away from working with RaaS (Ransomware-as-a-Service) operators like BlackCat/ALPHV. Ransomware operators like BlackCat usually require around 15 to 30 percent commission from affiliates who conduct attacks. High-profile hacking groups like BlackMatter have lost out on payments from ransomware attacks due to free decryptors — like No More Ransom — that help victims regain access to their data. The updated Exmatter malware shows that affiliates want to keep 100% of the profits from ransomware attacks. Ransomware attackers now want to eliminate the possibility of losing out on successful intrusions, which may indicate they are severing ties with RaaS services. Novel data destruction modules “marks a shift in data ransom and extortion tactics,” the study said. “These factors culminate in a justifiable case for affiliates leaving the RaaS model to strike it out on their own, replacing development-heavy ransomware with data destruction,” the study said. Stairwell noted that Exmatter’s new functionalities points to the fact that “data extortion actors are likely to continue experimenting with data exfiltration and destruction with increasing prevalence.” For more information about how ransomware attacks work and how to protect yourself, check out our guide to ransomware.
