Why ransomware is 'moving towards data destruction'

Editorial Type: Research | Date: 2022-12-06 | Tags: Security, Data theft, Threat actors, Ransomware, Encryption, Extortion, Cyderes, Stairwell
Signs of a new data extortion technique show threat actors may leverage Exmatter to destroy, rather than encrypt, data, according to a Cyderes Threat Report

Data destruction is rumoured to be where ransomware is heading, but we hadn't seen it in the wild until now. During a recent incident response, global managed cyber defence and response provider Cyderes and Stairwell, provider of the Inception platform, discovered signs that threat actors are actively staging and developing this capability.

From big game hunting (BGH) to the growth of ransomware-as-a-service (RaaS) and data leak sites (DLS), the data extortion landscape is constantly evolving and experiencing new innovations from threat actors. Could the data extortion tactics of tomorrow turn to outright data destruction, in lieu of RaaS deployment?

FAMILIAR TOOL, NEW TACTIC
Cyderes Special Operations and Stairwell Threat Research teams discovered a sample of malware whose exfiltration behaviour aligns closely with previous reports of Exmatter, a .NET exfiltration tool. This sample was observed in conjunction with the deployment of BlackCat/ALPHV ransomware, which is allegedly run by affiliates of numerous ransomware groups, including BlackMatter. "Exmatter actually takes the ransomware game to a whole different level," says Robert Herjavec, CEO of Cyderes. "In the past, they'd get into your network, and they'd say, 'if you don't pay us, we're going to leak some data'. Now they go in, put an envelope around your data and, if you don't pay them, they start destroying it. It's frightening."

Cyderes explains the sequence of events as follows. Exmatter is designed to take specific file types from selected directories and upload them to attacker-controlled servers before the ransomware itself is executed on the compromised systems. In this particular sample, the attacker attempts to corrupt files within the victim's environment, rather than encrypting them, and stages the files for destruction.

First, the malware iterates over the drives of the victim machine, building a queue of files whose extensions match a hardcoded list. Matching files are queued for exfiltration and written to a folder on the actor-controlled server named after the victim machine's hostname.

As files upload to the actor-controlled server, those that have been successfully copied to the remote server are queued for processing by a class named Eraser. A randomly sized segment starting at the beginning of the second file is read into a buffer and then written over the beginning of the first file, overwriting and thereby corrupting it.
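A file damaged in this way no longer begins with its own header: its first bytes are the first bytes of some other file. That gives responders a cheap triage check after the fact, comparing each file's leading bytes with the signature its extension implies and flagging mismatches for restoration from backup. The script below is an added example written for this article, not Cyderes or Stairwell code; the signature table, the directory layout and the sample files (including the damaged `report.pdf` fixture) are all constructed here.

```python
"""Post-incident triage for files corrupted by an overwrite with another file's head.

Compares each file's leading bytes with the signature its extension implies and
reports files whose header belongs to a different type. Added example, not
Cyderes or Stairwell code; the signature table and sample files are constructed.
"""
import os
import tempfile

# Leading-byte signatures per extension. Constructed table covering a few common
# types; a real deployment would load a fuller list.
SIGNATURES = {
    ".pdf": [b"%PDF-"],
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".zip": [b"PK\x03\x04"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".sqlite": [b"SQLite format 3\x00"],
}


def header_matches(data, ext):
    """True if data starts with a known signature for ext, False if it does not,
    None when the extension is not in the table (unknown, not suspect)."""
    sigs = SIGNATURES.get(ext.lower())
    if sigs is None:
        return None
    return any(data.startswith(s) for s in sigs)


def guess_type(data):
    """Return the extension whose signature the data actually carries, if any."""
    for ext, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return None


def scan_tree(root):
    """Walk root and return sorted (relative_path, expected_ext, observed_ext)
    tuples for every file whose leading bytes contradict its extension."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1]
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(16)
            if header_matches(head, ext) is False:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, ext, guess_type(head)))
    return sorted(findings)


def build_sample_tree(root):
    """Create constructed sample files: three intact, one damaged the way the
    article describes (the head of invoice.docx written over report.pdf)."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    docx = b"PK\x03\x04\x14\x00" + b"constructed docx payload " * 4
    with open(os.path.join(docs, "invoice.docx"), "wb") as fh:
        fh.write(docx)
    with open(os.path.join(docs, "photo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    with open(os.path.join(docs, "notes.txt"), "wb") as fh:
        fh.write(b"plain text; extension not in the signature table")
    # Damaged fixture: the PDF's opening bytes replaced by a prefix of the docx.
    pdf = bytearray(b"%PDF-1.7\n" + b"constructed pdf body " * 4)
    prefix = len(docx) // 2
    pdf[:prefix] = docx[:prefix]
    with open(os.path.join(docs, "report.pdf"), "wb") as fh:
        fh.write(bytes(pdf))


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, expected, observed in demo():
        print(f"{rel}: extension says {expected}, header says {observed}")
```

Running the script reports `docs/report.pdf` as a PDF whose header is that of a DOCX, while `notes.txt` is left alone because its extension carries no signature. Unknown extensions are deliberately reported as `None` rather than as mismatches so the sweep does not drown responders in false positives on text and log files.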

The development of capabilities to corrupt exfiltrated files within the victim environment marks a shift in data ransom and extortion tactics. Using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers. Additionally, copying file data from one file to another is a much more benign functionality than sequentially overwriting files with random data or encrypting them.

WHY DESTROY DATA, RATHER THAN ENCRYPT IT?
With data exfiltration now the norm among threat actors, developing stable, secure and fast ransomware to encrypt files is a redundant and costly endeavour, compared to corrupting files and using the exfiltrated copies as the means of data recovery.

"Today, we detect ransomware attacks based on certain behaviours that we see - that might be encrypting files, that might be deleting volume shadow files, or something similar," says Mike Wyatt, chief security officer at Cyderes. "But one thing we may not be looking for is data that's actually just being overwritten or corrupted. By overwriting data, a threat actor is able to achieve his goals faster. Unfortunately, it damages the files, rather than giving the victim the opportunity to pay for a decryption key."

Another possible reason for this new tactic, in which one legitimate file is overwritten with another, is that EDR and other behavioural detections are getting better, explains Daniel Mayer, threat researcher at Stairwell, a security solutions provider and strategic partner of Cyderes. "Opening every file on a computer and just writing a bunch of data is suspicious; it looks like ransomware. There aren't a lot of executables that look like that. But opening one file and copying its contents to another? That's something that legitimately happens on computers all the time. It's a muddy indicator."
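A single "read file A, write file B" is indeed a muddy indicator, so a detection has to look at the sequence per process rather than at one event. The rule below, an added example written for this article and not Cyderes or Stairwell code, flags a process that writes at offset 0 to many files it did not create, had already read in full earlier, and whose most recent read was of a different file: backup and copy tools write into files they create, editors write back to the file they just read, and the staged-then-corrupted chain described above does neither. The event schema (`ts`, `pid`, `image`, `op`, `path`, `offset`, `length`), the process names and the log lines are constructed to mimic what an EDR might export and are not taken from any real product.

```python
"""Behavioural detection for the cross-file overwrite pattern over file telemetry.

Added example, not Cyderes or Stairwell code. The event schema and the sample
log lines are constructed; adapt parse_events() to your own EDR export format.
"""
import json
from collections import defaultdict

THRESHOLD = 5  # distinct pre-existing files overwritten before a process is flagged


def detect_cross_file_overwrites(events, threshold=THRESHOLD):
    """events: dicts with pid, op (read/write/create), path, offset, in time order.
    Returns {pid: sorted overwritten paths} for every pid that meets threshold."""
    created = defaultdict(set)      # pid -> files the process created itself
    read_before = defaultdict(set)  # pid -> files the process has read
    last_read = {}                  # pid -> path of its most recent read
    hits = defaultdict(set)
    for ev in events:
        pid, op, path = ev["pid"], ev["op"], ev["path"]
        if op == "create":
            created[pid].add(path)
        elif op == "read":
            read_before[pid].add(path)
            last_read[pid] = path
        elif op == "write" and ev["offset"] == 0:
            if path in created[pid]:
                continue  # copy / save-as into a file it made itself: benign
            if path not in read_before[pid]:
                continue  # never read it: not the stage-then-destroy chain
            if last_read.get(pid) == path:
                continue  # read-modify-write of the same file: editor behaviour
            hits[pid].add(path)
    return {pid: sorted(paths) for pid, paths in hits.items()
            if len(paths) >= threshold}


def parse_events(text):
    """Parse JSON-lines telemetry into event dicts (constructed schema)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_sample_log():
    """Constructed JSON-lines telemetry for three processes: a backup tool, an
    editor, and a process behaving like the Eraser chain in the article."""
    lines = []
    clock = [0]

    def emit(pid, image, op, path, offset=0, length=0):
        clock[0] += 1
        lines.append(json.dumps({"ts": clock[0], "pid": pid, "image": image,
                                 "op": op, "path": path, "offset": offset,
                                 "length": length}))

    docs = [f"C:/Users/alice/Documents/file{i}.docx" for i in range(6)]
    # backup.exe: reads each document, then creates and fills a fresh copy.
    for d in docs:
        emit(1001, "backup.exe", "read", d, 0, 4096)
        emit(1001, "backup.exe", "create", d + ".bak")
        emit(1001, "backup.exe", "write", d + ".bak", 0, 4096)
    # winword.exe: read-modify-write of a single document.
    emit(1002, "winword.exe", "read", docs[0], 0, 4096)
    emit(1002, "winword.exe", "write", docs[0], 0, 4100)
    # suspect.exe: reads every document (staging), then overwrites the head of
    # each with a segment read from the next one, as the article describes.
    for d in docs:
        emit(1003, "suspect.exe", "read", d, 0, 4096)
    for i in range(5):
        emit(1003, "suspect.exe", "read", docs[i + 1], 0, 1500)
        emit(1003, "suspect.exe", "write", docs[i], 0, 1500)
    return "\n".join(lines)


def demo():
    """Run the rule over the constructed log; only pid 1003 should be returned."""
    return detect_cross_file_overwrites(parse_events(build_sample_log()))


if __name__ == "__main__":
    for pid, paths in demo().items():
        print(f"pid {pid}: {len(paths)} pre-existing files overwritten at offset 0")
        for p in paths:
            print("   ", p)
```

The threshold and the offset-0 condition are the tunable parts: the article's sample overwrites the start of each file, so writes further into a file are ignored here, and the count of distinct pre-existing targets separates one corrupted document from a sweep across a drive. Because the rule keys on sequence rather than on content, it does not depend on what bytes were written, which is exactly the property the evasion relies on.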

Affiliates have also lost out on profits from successful intrusions due to exploitable flaws in the ransomware deployed, as was the case with BlackMatter, the ransomware associated with previous appearances of this .NET-based exfiltration tool. Dropping the encryption step makes the process faster and removes the risk that the affiliate misses the full pay-out or that the victim finds another way to decrypt the data.

GET THE INSIDE LOOK
Artifacts within the sample indicate that the development of Exmatter is ongoing. Due to the nascent nature of the data destruction functionality within Exmatter, the Cyderes Special Operations and Stairwell Threat Research teams assess that data extortion actors are likely to continue experimenting with data exfiltration and destruction.

The potential business impact of this new threat is indeed great, adds Cyderes, and reinforces organisations' focus on detection, response and recovery, "the critical defence-in-depth needed to prevent threat actors from getting in".

How does Cyderes equip its clients with the tactics and tools they need to make sure they have the latest intelligence every day? "It's an information game," says Shelby Kaba, director of special operations at Cyderes. "We have several products that go out in the form of a Daily Intelligence Digest for our customers, an annual State-of-Ransomware Report, and topical blogs written by our threat intelligence team and other thought leaders. Staying informed goes a long way."

For a more in-depth analysis, Cyderes collaborated with Stairwell, which expands Cyderes' 360-degree detection capabilities with its Inception platform. You can read the full research report at: https://stairwell.com/news/threat-research-report-exmatter-future-of-data-extortion