Ransomware hackers are experimenting with a new type of attack that, instead of encrypting data, destroys it outright. The goal is to prevent victims from recovering their data if they do not pay the ransom.
Ransomware is one of the biggest cybersecurity problems facing the world today, and although many victims refuse to give in to the extortion, many feel they have no choice but to pay for a decryption key.
But according to cybersecurity researchers from Cyderes and Stairwell, at least one ransomware group is testing “data destruction” attacks.
This would be dangerous for ransomware victims: it is often possible to recover encrypted files without paying (from backups or a leaked or published decryptor), but if refusing to pay means the data on compromised servers is destroyed outright, more victims may decide to give in.
Indicators of a potential new tactic were discovered when cybersecurity analysts responded to a BlackCat ransomware attack – also known as ALPHV.
BlackCat has been responsible for a series of ransomware incidents around the world, but ransomware criminals are always looking for new ways to make attacks more effective, and it looks like they are testing a new strategy: malware that destroys data rather than encrypting it.
The data destruction is tied to Exmatter, a .NET exfiltration tool that has been used in previous BlackMatter ransomware attacks. It is widely suspected that BlackCat is a rebrand of BlackMatter – which in turn was a rebrand of Darkside, the ransomware operation behind the Colonial Pipeline attack.
In previous ransomware attacks, Exmatter has been used to take specific file types from selected directories and upload them to attacker-controlled servers before the ransomware is run on the compromised systems and the files are encrypted, with the attackers then demanding payment for the decryption key.
However, analysis of the new Exmatter sample used in a BlackCat attack suggests that instead of encrypting files, the exfiltration tool is instead used to corrupt and destroy files.
There are several reasons why cybercriminals might experiment with this new tactic. First, the threat of destroying data rather than encrypting it could further incentivize attack victims to pay.
“Eliminating the data encryption step speeds up the process and eliminates the risk of not getting full payment, or of the victim finding other ways to decrypt the data,” the Cyderes researchers warn.
Moreover, developing destructive malware is less complex than designing ransomware. Data destruction attacks could therefore take fewer resources and less time, leaving attackers with greater profits.
“Creating stable and robust ransomware is a much more development-intensive process than creating malware designed to corrupt files, rent a large server to receive exfiltrated files, and resend them after payment,” said Daniel Mayer, threat researcher at Stairwell.
“Extortion actors will likely continue to experiment with data exfiltration and destruction with increasing prevalence,” Mayer added.
Ransomware and malware attacks can be extremely damaging, but businesses can take steps to make their networks more robust and protect themselves against attacks.
These include applying timely security patches and updates to prevent hackers from exploiting known vulnerabilities to launch attacks, as well as ensuring that multi-factor authentication is deployed across the network to help protect users.