Threat Awareness – Ransomware Groups Attempting to Destroy Data Rather than Encrypt to Ensure Payouts

Author: Jennifer Walker

Created: Tuesday, September 27, 2022 - 17:46

Categories: Cybersecurity, Security Preparedness

Last week, researchers began noticing at least one ransomware group attempting to “up” the data extortion game. Researchers at Cyderes and Stairwell observed a BlackCat/ALPHV sample attempting to corrupt files within the victim’s environment rather than encrypting them and then staging the files for destruction. The data destruction functionality is being linked to Exmatter, a tool that has previously been associated with BlackMatter.

The researchers believe the tool is still in development, but if and when the rough spots are smoothed out, this could prove even more challenging for victims who don’t have a robust and resilient data backup strategy, potentially leading to more payouts. As Danny Palmer (ZDNet) aptly puts it, “this would be dangerous for ransomware victims because while it’s often possible to retrieve encrypted files without paying a ransom, the threat of servers being completely corrupted if extortion demands aren’t met could push more victims towards giving in.”

Furthermore, according to Cyderes, the technique being used to corrupt files is thought to potentially fly under the radar and avoid the heuristic-based detection that is successful against other ransomware and data wiper malware. Additionally, if done successfully, data destruction is less resource-intensive and less costly for the actors.

This is a development to watch closely. Members are highly encouraged to leverage CISA’s StopRansomware page for resources to help increase resilience against ransomware. For more information, including behavioral indicators to monitor, visit Cyderes and Stairwell.
