Exmatter, a data exfiltration malware previously associated with the BlackMatter ransomware group, is now being upgraded with data corruption functionality, which indicates a new tactic ransomware affiliates can utilize in future attacks. During a recent incident response following a BlackCat ransomware attack, the new sample was discovered by malware analysts with a special operations team. Even though affiliates have been using Exmatter since October 2021, it’s the first time the malicious tool was discovered with a destructive module. As files are uploaded to the threat actor-controlled server, those that have been successfully copied to the remote server are queued to be processed by a class called Eraser.
A randomly sized segment from the beginning of the next queued file is read into a buffer and then written to the beginning of the first file, overwriting its header and corrupting it. Using data from one exfiltrated file to corrupt another, rather than random or zero-filled data, is likely an attempt to evade heuristic ransomware and wiper detections, which commonly key on a process writing high-entropy or constant data over many files. According to threat researchers, Exmatter’s data destruction capability is only partially implemented and likely still under development, for several reasons:
- There is no mechanism for removing files from the corruption queue, so some files may be overwritten multiple times before the program exits while others may never be selected at all.
- The Erase function, which instantiates the Eraser class, does not appear to be fully implemented and does not decompile cleanly. The length of the chunk read from the second file and used to overwrite the first is chosen at random and can be as short as one byte, which may leave the target file largely recoverable.
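To make those two flaws concrete, the following is an added example, not Exmatter’s code and not from the researchers who analysed it. It models the Eraser step over constructed in-memory byte strings (no files are touched): a never-drained queue, a random target and donor drawn from it, and a uniformly random chunk length that can be a single byte. The random target/donor selection and the chunk-length distribution are assumptions of the model, as is the `prefix_collisions` triage check, which is one way an incident responder could look for files whose header has been replaced by another file’s header.

```python
"""Added example, not Exmatter's code: an in-memory model of the Eraser
routine described above, plus a triage heuristic for spotting its output.
Only byte strings are modified; no files on disk are touched."""
import random
from collections import Counter

# Constructed sample "exfiltrated" files: each has a recognisable header so
# that a clean file and a header-overwritten file are easy to tell apart.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.7\n" + b"A" * 64,
    "budget.xlsx": b"PK\x03\x04" + b"B" * 80,
    "notes.txt": b"Meeting notes\n" + b"C" * 40,
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"D" * 96,
}


def corrupt_once(target: bytes, donor: bytes, chunk_len: int) -> bytes:
    """One Eraser step as described on this page: read chunk_len bytes from
    the start of the donor (second) file and write them at offset 0 of the
    target (first) file. Writing at offset 0 never shrinks the target, so a
    short chunk leaves the rest of the file intact."""
    chunk = donor[:chunk_len]
    return chunk + target[len(chunk):]


def simulate_eraser(files, rounds, seed, max_chunk=None):
    """Run `rounds` Eraser steps over a queue that is never drained.
    Assumptions of this model: each step draws a distinct target and donor
    at random from the queue, and the chunk length is uniform in
    [1, max_chunk or len(donor)]. Returns (files_after, hits_per_file)."""
    rng = random.Random(seed)
    names = list(files)
    current = dict(files)
    hits = Counter({name: 0 for name in names})
    for _ in range(rounds):
        target, donor = rng.sample(names, 2)
        upper = max_chunk if max_chunk else len(current[donor])
        chunk_len = rng.randint(1, max(1, upper))  # can be a single byte
        current[target] = corrupt_once(current[target], current[donor], chunk_len)
        hits[target] += 1
    return current, hits


def prefix_collisions(files, min_len=6):
    """Triage heuristic (an assumption of this example, not a documented
    detection): group files by their first min_len bytes and flag every
    group of two or more. Legitimate files of one format share only a short
    magic number, so unrelated files sharing a longer prefix suggest one
    was overwritten with the other's header."""
    by_prefix = {}
    for name, data in files.items():
        if len(data) >= min_len:
            by_prefix.setdefault(data[:min_len], []).append(name)
    return {n for group in by_prefix.values() if len(group) > 1 for n in group}


if __name__ == "__main__":
    after, hits = simulate_eraser(SAMPLE_FILES, rounds=10, seed=7)
    for name in SAMPLE_FILES:
        print(f"{name:12s} hits={hits[name]} head={after[name][:8]!r}")
    print("flagged by prefix collision:", sorted(prefix_collisions(after)))
```

Two things fall out of the model regardless of seed: with fewer rounds than queued files at least one file is never touched, and with more rounds than files at least one file is hit repeatedly, which is exactly the queue problem the researchers describe. The triage check has the matching blind spot: a one-byte chunk never produces a shared prefix, and two legitimate files of the same format will share their magic bytes, so `min_len` should be set past the format’s fixed header before the result is trusted.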
The data corruption feature is an intriguing development. Beyond its potential for evading security software, it may signal a shift in ransomware affiliates’ strategy. Numerous ransomware operations use the Ransomware-as-a-Service (RaaS) model: operators or developers create the ransomware and payment site and handle negotiations, while affiliates breach corporate networks, steal data, delete backups, and encrypt devices. Under a typical agreement the operators receive 15-30% of any ransom payment and the affiliates keep the remainder. However, ransomware operations have in the past shipped encryptors with bugs that allowed security researchers to build decryptors, letting victims recover their files for free. When that happens, the affiliates lose the ransom revenue they would otherwise have received.
As a result, researchers believe the new data corruption feature may signal a shift away from traditional ransomware attacks, in which data is stolen and then encrypted, toward attacks in which data is stolen and then deleted or corrupted. Affiliates using this method keep all the revenue from an attack because there is no encryptor developer to share a percentage with. It also removes a second source of lost profit: exploitable flaws in deployed ransomware, which have cost affiliates payouts from otherwise successful intrusions. This was the case with BlackMatter, the ransomware associated with earlier appearances of this .NET-based exfiltration tool. Destroying the sensitive data on the victim’s systems after it has been exfiltrated to attacker-controlled servers removes that risk entirely and gives victims an additional incentive to meet the ransom demand, since the attacker’s copy becomes the only one.
Removing the encryption step also speeds up the attack and eliminates the risk of a reduced payout or of victims finding another way to decrypt their data. Threat researchers are therefore seeing exfiltration tools upgraded with in-development data corruption capabilities that would allow RaaS affiliates to drop the ransomware deployment component of their attacks altogether and retain 100% of each extorted payment rather than paying the RaaS developers a share. Taken together, these factors make a compelling case for affiliates to abandon the RaaS model and strike out on their own, replacing development-heavy ransomware with data destruction.
With ransomware groups upgrading their extortion tactics to include data corruption, companies need to stay alert to the current threat landscape and regularly update their network infrastructure. Because corrupted data cannot be recovered with a decryptor, backups that an intruder cannot reach and delete become the only path to recovery. At SpearTip, our certified engineers are continuously working at our 24/7/365 Security Operations Center monitoring companies’ networks for potential ransomware threats. Our remediation experts focus on restoring companies’ operations, reclaiming their networks by isolating malware, and recovering their business-critical assets. Our ShadowSpear Platform, an integrable managed detection and response tool, delivers cloud-based solutions that collect endpoint logs. ShadowSpear can detect sophisticated and advanced ransomware threats by using comprehensive insights through unparalleled data normalization and visualizations.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.