Data shredder discovered in ransomware 

7 October 2022
| No comments
B2B Cyber ​​Security ShortNews

Share post

Recently, an expert analyzed ransomware attributed to the BlackCat or ALPHV group. In addition to interesting SFTP functions, an implemented data destruction function was also discovered there. Could this be a clue to the future of data extortion?

With ransomware-as-a-service (RaaS) and data leaks (DLS), the data extortion landscape is constantly seeing new innovations from threat actors, as well as acronyms from the security firms that track them. In this joint report, Cyderes and Stairwell examine evidence of a new tactic found in a BlackCat/ALPHV participant's exfiltration tool discovered during an investigation by Cyderes.

Ransomware investigation in detail

After an incident at Cyderes, the team found and analyzed the tool in the context of a BlackCat/ALPHV ransomware investigation. Cyderes performed an initial assessment and realized that the tool is an exfiltration tool with hard-coded SFTP credentials. Cyderes then used Stairwell's inception tool for additional analysis.

The sample was also sent to Stairwell's Threat Research Team, where analysis revealed a partially implemented data destruction feature. The use of data destruction by affiliate-level actors instead of deploying RaaS would mark a major shift in the data extortion landscape and signal the balkanization of financially-motivated intrusion actors currently operating under the banners of RaaS affiliate programs. Maybe this could be a new level of ransomware blackmail.

Tool is also used by BlackMatter

The examined sample is an executable .NET file designed for data exfiltration using FTP, SFTP and WebDAV protocols and includes functionality to corrupt the files on disk that have been exfiltrated. The exfiltration behavior of this sample closely matches previous reports from Exmatter, a .NET exfiltration tool used by at least one subsidiary of the BlackMatter ransomware group. The sample was observed by Cyderes in connection with the deployment of BlackCat/ALPHV ransomware, which is allegedly operated by affiliates of numerous ransomware groups, including BlackMatter. A further technical examination of the Stairwell sample is available on his website.

More at Staiwell.com

 

Matching articles on the topic

Report: 40 percent more phishing worldwide

The current spam and phishing report from Kaspersky for 2023 speaks for itself: users in Germany are after ➡ Read more

BSI sets minimum standards for web browsers

The BSI has revised the minimum standard for web browsers for administration and published version 3.0. You can remember that ➡ Read more

Stealth malware targets European companies

Hackers are attacking many companies across Europe with stealth malware. ESET researchers have reported a dramatic increase in so-called AceCryptor attacks via ➡ Read more

IT security: Basis for LockBit 4.0 defused

Trend Micro, working with the UK's National Crime Agency (NCA), analyzed the unpublished version that was in development ➡ Read more

MDR and XDR via Google Workspace

Whether in a cafe, airport terminal or home office – employees work in many places. However, this development also brings challenges ➡ Read more

Test: Security software for endpoints and individual PCs

The latest test results from the AV-TEST laboratory show very good performance of 16 established protection solutions for Windows ➡ Read more

AI on Enterprise Storage fights ransomware in real time

NetApp is one of the first to integrate artificial intelligence (AI) and machine learning (ML) directly into primary storage to combat ransomware ➡ Read more

FBI: Internet Crime Report counts $12,5 billion in damage 

The FBI's Internet Crime Complaint Center (IC3) has released its 2023 Internet Crime Report, which includes information from over 880.000 ➡ Read more

Short news
, , , , ,