Data Corruption

Chris Swagler | October 4th, 2022


Exmatter, a data exfiltration tool previously associated with the BlackMatter ransomware group, is being upgraded with data corruption functionality, a sign of a new tactic that ransomware affiliates may adopt in future attacks. Malware analysts on a special operations team discovered the new sample during a recent incident response engagement following a BlackCat ransomware attack. Although affiliates have used Exmatter since October 2021, this is the first time the tool has been found with a destructive module. As files are uploaded to the threat actor-controlled server, those that have been successfully copied to the remote server are queued for processing by a class called Eraser.

Details of Data Corruption Extortion Tactic

A randomly sized segment from the beginning of the second queued file is read into a buffer and then written to the beginning of the first file, overwriting its head and corrupting it. Using data from one exfiltrated file to corrupt another may be an attempt to evade heuristic-based ransomware and wiper detection, which can be triggered by writes of randomly generated data. According to threat researchers, Exmatter’s partially implemented data destruction capability is likely still under development, for several reasons:

  • There is no mechanism for removing files from the corruption queue, so some files can be overwritten multiple times before the program exits while others may never be selected.
  • The Erase function, which instantiates the Eraser class, does not appear to be fully implemented and does not decompile properly.
  • The length of the chunk taken from the second file and used to overwrite the first is chosen at random and can be as short as one byte.
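The following Python model, added here as an illustration and not Exmatter’s own code, reproduces the behaviour the analysis describes (a random-length chunk from the head of one queued file written over the head of another, with nothing ever removed from the queue) on constructed in-memory files, and then runs the kind of forensic check an incident responder could use to spot the artifact it leaves behind. How Exmatter pairs the two files is not stated above, so pairing is modelled as a random draw of two distinct queued files; that pairing, the sample file contents, and the 16-byte detection threshold are assumptions for the example.

```python
"""Model of the Eraser behaviour described above (added illustration, not Exmatter code).

Reproduces the described logic on constructed in-memory files and then runs a
forensic check for the shared-head artifact the overwrite leaves behind. The
pairing of victim and donor files is an assumption: the analysis does not say
how the two files are chosen, so two distinct queued files are drawn at random.
"""
import random


def build_sample_files(count=6, size=4096, seed=1):
    """Constructed sample set: each 'exfiltrated file' gets distinct pseudo-random content."""
    rng = random.Random(seed)
    return {f"doc{i}.bin": bytes(rng.getrandbits(8) for _ in range(size))
            for i in range(count)}


def overwrite_head(victim, donor, chunk_len):
    """Core step: the first chunk_len bytes of donor replace the start of victim.

    The victim keeps its length; only its head is destroyed.
    """
    chunk_len = min(chunk_len, len(victim), len(donor))
    return donor[:chunk_len] + victim[chunk_len:]


def eraser_pass(files, rounds, seed=2):
    """Run the overwrite `rounds` times over a queue that is never drained.

    Because nothing is removed from the queue, one file can be picked as the
    victim repeatedly while another is never picked, and the chunk length is
    drawn uniformly down to a single byte: the two weaknesses noted above.
    Returns the corrupted copies and a per-file count of overwrites.
    """
    rng = random.Random(seed)
    queue = list(files)                # membership never changes
    corrupted = dict(files)
    hits = {name: 0 for name in files}
    for _ in range(rounds):
        victim, donor = rng.sample(queue, 2)          # assumed pairing model
        chunk_len = rng.randint(1, len(corrupted[donor]))
        corrupted[victim] = overwrite_head(corrupted[victim],
                                           corrupted[donor], chunk_len)
        hits[victim] += 1
    return corrupted, hits


def common_prefix_len(x, y):
    """Number of leading bytes two byte strings share."""
    n = 0
    for p, q in zip(x, y):
        if p != q:
            break
        n += 1
    return n


def find_head_collisions(files, min_len=16):
    """Forensic check: pairs of files whose leading bytes coincide.

    After the overwrite, a victim's head is an exact copy of the donor's head.
    Unrelated files rarely share more than a format signature, so a common
    prefix of at least min_len bytes is worth a look. Overlaps shorter than
    the threshold (the chunk can be one byte) are missed; that is the price
    of keeping false positives down.
    """
    names = sorted(files)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            n = common_prefix_len(files[a], files[b])
            if n >= min_len:
                found.append((a, b, n))
    return found


def queue_coverage(hits):
    """Split the queue into files never overwritten and files hit more than once."""
    never = sorted(n for n, c in hits.items() if c == 0)
    repeated = sorted(n for n, c in hits.items() if c > 1)
    return never, repeated


if __name__ == "__main__":
    originals = build_sample_files()
    corrupted, hits = eraser_pass(originals, rounds=12)
    never, repeated = queue_coverage(hits)
    print("overwrite counts:", hits)
    print("never touched:", never, "| hit more than once:", repeated)
    for a, b, n in find_head_collisions(corrupted):
        print(f"{a} and {b} share {n} leading bytes")
```

When applying the head-collision check to real files, raise the threshold above the length of any legitimate shared signature (every .docx or .zip starts with the same PK header, for instance) or compare bytes after the known magic, otherwise ordinary files of the same type will be reported alongside corrupted ones. The check does not tell you which file was the donor and which the victim; a file whose head matches another file but whose content no longer parses as its own type is the one that was overwritten.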

The data corruption feature is an intriguing development. Beyond its potential for evading security software, it may signal a shift in ransomware affiliates’ strategy. Many ransomware operations use the Ransomware-as-a-Service (RaaS) model: operators or developers create the ransomware and the payment site and handle negotiations, while affiliates breach corporate networks, steal data, delete backups, and encrypt devices. Under the agreement, the ransomware operators receive between 15% and 30% of any ransom payment, and the affiliates keep the rest. In the past, however, ransomware operations have shipped bugs that allowed security researchers to develop decryptors with which victims recover their files for free. When that happens, the affiliates lose the ransom revenue they expected.

Researchers therefore believe the new data corruption feature may signal a shift away from traditional ransomware attacks, in which data is stolen and then encrypted, toward attacks in which data is stolen and then deleted or corrupted. Under this approach affiliates keep all the revenue an attack generates, because there is no encryptor developer to share a percentage with. Affiliates have also lost the proceeds of successful intrusions to exploitable flaws in deployed ransomware; this was the case with BlackMatter, the ransomware associated with earlier appearances of the .NET-based exfiltration tool. Destroying sensitive data after it has been exfiltrated to the attackers’ servers removes that risk and gives victims an additional incentive to meet the ransom demand.

Removing the encryption step speeds up the attack and eliminates the risk of not receiving the full payout or of victims finding another way to decrypt their data. Threat researchers are therefore seeing exfiltration tools upgraded with in-development data corruption capabilities, which would let RaaS affiliates drop the ransomware deployment component of their attacks and retain 100% of each extortion payment instead of handing the RaaS developers a percentage. Together, these factors make a compelling case for affiliates to abandon the RaaS model and strike out on their own, replacing development-heavy ransomware with data destruction.

With ransomware groups upgrading their extortion tactics to include data corruption, companies need to stay alert to the current threat landscape and keep their network infrastructure up to date. At SpearTip, our certified engineers work continuously in our 24/7/365 Security Operations Center, monitoring companies’ networks for potential ransomware threats. Our remediation experts focus on restoring companies’ operations, reclaiming their networks by isolating malware and recovering their business-critical assets. Our ShadowSpear Platform, an integrable managed detection and response tool, delivers cloud-based solutions that collect endpoint logs. ShadowSpear can detect sophisticated and advanced ransomware threats through comprehensive insights built on unparalleled data normalization and visualization.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.


Frequently Asked Questions

How can individuals or organizations protect themselves from ransomware groups that employ data corruption tactics?

Protecting against ransomware groups employing data corruption tactics requires a multi-layered approach. Implementing robust cybersecurity measures, such as regularly updating software and systems, using strong passwords, and employing firewalls and antivirus software, is crucial. Additionally, conducting regular data backups and storing them securely offline can help mitigate the impact of data corruption attacks. Seeking guidance from cybersecurity professionals and staying updated on the latest threats and prevention strategies can also aid in protection.

Are there any specific industries or sectors that are more likely to be targeted by ransomware groups using data corruption tactics?

Ransomware groups target a wide range of sectors, including healthcare, finance, education, and government. It is essential for organizations across all industries to prioritize cybersecurity and remain vigilant against data corruption tactics employed by ransomware groups.

What are the potential long-term consequences of data corruption attacks for businesses and their customers?

The long-term consequences of data corruption attacks can be severe for businesses and their customers. Beyond the immediate financial impact of paying ransoms or investing in recovery efforts, there can be reputational damage, loss of customer trust, and potential legal and regulatory implications. Additionally, data corruption attacks can disrupt business operations, leading to downtime, productivity losses, and potential intellectual property theft. The recovery process can be time-consuming, costly, and may not guarantee complete restoration of corrupted data.
