Malware wielded by BlackCat/ALPHV is putting a new spin on the ransomware game by deleting and destroying an organization's data rather than merely encrypting it. The development provides a glimpse of the direction in which financially motivated cyberattacks likely are heading, according to researchers.
Researchers from security firms Cyderes and Stairwell have observed a .NET exfiltration tool called Exmatter being deployed alongside BlackCat/ALPHV ransomware. It searches selected directories for specific file types, uploads them to attacker-controlled servers, and then corrupts and destroys the files. The only way to retrieve the data is by purchasing the exfiltrated files back from the gang.
"Data destruction is rumored to be where ransomware is going to go, but we haven’t actually seen it in the wild," according to a blog post published recently on the Cyderes website. Exmatter could signify that the switch is happening, demonstrating that threat actors are actively in the process of staging and developing such capability, researchers said.
Cyderes researchers performed an initial assessment of Exmatter, then Stairwell's Threat Research Team discovered "partially-implemented data destruction functionality" after analyzing the malware, according to a companion blog post.
"The use of data destruction by affiliate-level actors in lieu of ransomware-as-a-service (RaaS) deployment would mark a large shift in the data extortion landscape, and would signal the balkanization of financially-motivated intrusion actors currently working under the banners of RaaS affiliate programs," Stairwell threat researcher Daniel Mayer and Shelby Kaba, director of special operations at Cyderes, noted in the post.
The emergence of this new capability in Exmatter is a reminder of the rapidly evolving and increasingly sophisticated threat landscape as threat actors pivot to find more creative ways to criminalize their activity, notes one security expert.
"Contrary to popular belief, modern attacks are not always just about stealing data, but can be about destruction, disruption, data weaponization, disinformation, and/or propaganda," Rajiv Pimplaskar, CEO of secure communications provider Dispersive Holdings, tells Dark Reading.