Ransomware hackers are experimenting with a new type of attack that doesn’t encrypt data, but directly destroys it. The aim is to make it impossible for victims to access their data if they do not pay the ransom.
Ransomware is one of the biggest cybersecurity problems facing the world today, and although many victims refuse to give in to the blackmail, many feel that they have no choice but to pay for a decryption key.
But according to cybersecurity researchers from Cyderes and Stairwell, at least one ransomware group is testing “data destruction” attacks.
This would be dangerous for ransomware victims because while it is often possible to retrieve encrypted files without paying a ransom, the risk of servers being completely damaged if ransomware demands are not met could induce more victims to give in.
The signs of a potential new tactic were spotted when cybersecurity analysts responded to a BlackCat ransomware attack – also known as ALPHV.
BlackCat has been responsible for a number of ransomware incidents around the world, but ransomware criminals are always looking for new ways to make attacks more effective – and apparently they’re testing a new strategy using malware that destroys data.
The data destruction is linked to Exmatter, a .NET exfiltration tool previously used in BlackMatter ransomware attacks. It is widely believed that BlackCat is a rebrand of BlackMatter – which in turn was a rebrand of Darkside, the ransomware operation behind the Colonial Pipeline attack.
Previous ransomware attacks have used Exmatter to take specific file types from selected directories and upload them to attacker-controlled servers before executing the ransomware on compromised systems and encrypting the files – with attackers demanding payment for the key.
However, analysis of a new Exmatter sample, which was used as part of a BlackCat attack, suggests that the exfiltration tool is now being used to corrupt and destroy files rather than encrypt them.
There are several reasons why cyber criminals might experiment with this new tactic. First, the threat of destroying data instead of encrypting it could provide an additional incentive for attack victims to pay.
“The elimination of the step of encrypting the data speeds up the process and eliminates the risk of not receiving the full payout or that the victim will find other ways to decrypt the data,” the Cyderes researchers warn.
Also, destructive malware is less complex to develop than ransomware, so deploying data-destruction attacks could take fewer resources and less time while providing attackers with greater profits.
“Creating stable, robust ransomware is a far more development-intensive process than creating malware designed to corrupt the files instead, renting a large server to receive exfiltrated files and paying them back for them,” said Daniel Mayer, threat researcher at Stairwell.
“Extortion actors will likely continue to experiment with data exfiltration and destruction as their prevalence increases,” Mayer added.
Ransomware and malware attacks can be extremely damaging, but there are steps organizations can take to make their networks more resilient and secure against attacks.
This includes timely application of security patches and updates to prevent hackers from exploiting known vulnerabilities to launch attacks, as well as ensuring multi-factor authentication is rolled out across the network to protect users.