BlackCat/ALPHV Gang Adds Wiper Functionality as Ransomware Tactic

Malware wielded by BlackCat/ALPHV is putting a new spin on the ransomware game by deleting and destroying an organization’s data rather than merely encrypting it. The development provides a glimpse of the direction in which financially motivated cyberattacks likely are heading, according to researchers.

Researchers from security firms Cyderes and Stairwell observed the use of a .NET exfiltration tool, named Exmatter, in connection with BlackCat/ALPHV ransomware. The tool searches for specific file types in selected directories, uploads them to attacker-controlled servers, and then corrupts and destroys the files. The only way to recover the data is to purchase the exfiltrated files back from the gang.

“Data destruction is rumored to be where ransomware is going to go, but we haven’t actually seen it in the wild,” according to a blog post recently published on the Cyderes website. Exmatter could mean that the shift is happening, demonstrating that threat actors are actively in the process of staging and developing such a capability, the researchers said.

Cyderes researchers performed an initial assessment of Exmatter, then Stairwell’s Threat Research Team discovered “partially-implemented data destruction functionality” after analyzing the malware, according to a companion blog post.

“The use of data destruction by affiliate-level actors in lieu of ransomware-as-a-service (RaaS) deployment would mark a large shift in the data extortion landscape, and would signal the balkanization of financially-motivated intrusion actors currently working under the banners of RaaS affiliate programs,” Stairwell threat researcher Daniel Mayer and Shelby Kaba, director of special operations at Cyderes, noted in the post.

The emergence of this new capability in Exmatter is a reminder of the rapidly evolving and increasingly sophisticated threat landscape, as threat actors pivot to find more creative ways to criminalize their activity, one security expert notes.

“Contrary to popular belief, modern attacks are not always just about stealing data, but can be about destruction, disruption, data weaponization, disinformation, and/or propaganda,” Rajiv Pimplaskar, CEO of secure communications provider Dispersive Holdings, tells Dark Reading.

These ever-evolving threats demand that enterprises also sharpen their defenses and deploy advanced security solutions that harden their attack surfaces and obfuscate sensitive resources, making them difficult targets to attack in the first place, Pimplaskar adds.

Previous Ties to BlackMatter

The researchers’ analysis of Exmatter is not the first time a tool of this name has been associated with BlackCat/ALPHV. That group — believed to be run by former members of various ransomware gangs, including those from now-defunct BlackMatter — used Exmatter to exfiltrate data from corporate victims last December and January, before deploying ransomware in a double-extortion attack, Kaspersky researchers reported earlier.

In fact, Kaspersky used Exmatter, also known as Fendr, to link BlackCat/ALPHV activity to that of BlackMatter in a threat report published earlier this year.

The sample of Exmatter that Stairwell and Cyderes researchers examined is a .NET executable designed for data exfiltration using FTP, SFTP, and webDAV protocols, and contains functionality for corrupting the files on disk that have been exfiltrated, Mayer explained. That aligns with BlackMatter’s tool of the same name.

How the Exmatter Destructor Works

Using a routine named “Sync,” the malware iterates through the drives on the victim machine, generating a queue of files of certain and specific file extensions for exfiltration, unless they are located in a directory specified in the malware’s hardcoded blocklist.

Exmatter can exfiltrate the queued files by uploading them to an attacker-controlled IP address, Mayer said.

“The exfiltrated files are written to a folder with the same name as the victim machine’s hostname on the actor-controlled server,” he explained in the post.

The data-destruction process lies within a class defined within the sample named “Eraser” that is designed to execute concurrently with Sync, researchers said. As Sync uploads files to the actor-controlled server, it adds files that have been successfully copied to the remote server to a queue of files to be processed by Eraser, Mayer explained.

Eraser selects two files randomly from the queue and overwrites File 1 with a chunk of code that’s taken from the beginning of the second file, a corruption technique that may be intended as an evasion tactic, he noted.

“The act of using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers,” Mayer wrote, “as copying file data from one file to another is much more plausibly benign functionality compared to sequentially overwriting files with random data or encrypting them.”
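The cross-file overwrite described above leaves two forensic traces a defender can look for: a file whose leading bytes no longer match its extension, and files of different types that begin with the same long byte run. The following is an added triage example, not code from the article or from the Cyderes/Stairwell research; it assumes the overwrite lands at the start of the victim file and uses constructed sample files in a temporary directory.

```python
from pathlib import Path
import tempfile

# Expected leading bytes ("magic") for a few common document types.
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
}

def magic_mismatch(path: Path) -> bool:
    """True if the file's leading bytes do not match its extension's magic.
    This catches even a 1-byte overwrite at the start of the file."""
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return False  # unknown type: nothing to compare against
    with path.open("rb") as fh:
        return fh.read(len(expected)) != expected

def shared_prefix_groups(root: Path, prefix_len: int = 64) -> list:
    """Files of different types whose first prefix_len bytes are identical.
    Same-type files share short magic legitimately, so only mixed-extension
    groups with a long identical prefix are reported."""
    groups = {}
    for p in root.rglob("*"):
        if p.is_file():
            groups.setdefault(p.read_bytes()[:prefix_len], []).append(p)
    return sorted(sorted(p.name for p in ps) for ps in groups.values()
                  if len(ps) > 1 and len({p.suffix for p in ps}) > 1)

def scan(root: Path, prefix_len: int = 64):
    """Return (files with magic mismatch, groups sharing a long prefix)."""
    mismatched = sorted(p.name for p in root.rglob("*")
                        if p.is_file() and magic_mismatch(p))
    return mismatched, shared_prefix_groups(root, prefix_len)

def build_constructed_sample(root: Path) -> None:
    """Constructed sample data: an intact PDF, an intact DOCX, and a DOCX
    whose first 100 bytes were replaced by the PDF's head (the corruption
    pattern the article describes)."""
    pdf = b"%PDF-1.4\n" + b"A" * 200
    docx = b"PK\x03\x04" + b"B" * 200
    (root / "report.pdf").write_bytes(pdf)
    (root / "notes.docx").write_bytes(docx)
    (root / "budget.docx").write_bytes(pdf[:100] + docx[100:])

def demo():
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_constructed_sample(root)
        return scan(root)
```

Because the article notes the overwritten chunk can be as short as 1 byte, the prefix check alone is unreliable; the magic check is the one that still fires on a tiny overwrite, and neither replaces restoring from offline backups.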

Work in Progress

There are a number of clues to indicate that Exmatter’s data-corruption technique is a work in progress and thus still being developed by the ransomware group, the researchers noted.

One artifact in the sample pointing to this is the fact that the length of the chunk of the second file used to overwrite the first file is decided randomly and could be as short as 1 byte.

The data-destruction process also has no mechanism for removing files from the corruption queue, meaning that some files may be overwritten numerous times before the program terminates, while others may never have been selected at all, the researchers noted.

Moreover, the function that creates the instance of the Eraser class — aptly named “Erase” — does not appear to be fully implemented in the sample that researchers analyzed, as it does not decompile correctly, they said.

Why Destruction Instead of Encryption?

Developing data-corruption and destruction capabilities instead of data encryption has a number of advantages for ransomware actors, the researchers noted, especially as data exfiltration and double extortion (i.e., threatening to leak stolen data) have become fairly common threat-actor behaviors. This makes developing stable, secure, and fast ransomware to encrypt files redundant and costly compared to corrupting files and using the exfiltrated copies as the means of data recovery, they said.

Eliminating encryption altogether can also speed up the process for RaaS affiliates, avoiding scenarios in which they lose profit because victims find other ways to decrypt the data, the researchers noted.

“These factors culminate in a justifiable case for affiliates leaving the RaaS model to strike out on their own,” Mayer observed, “replacing development-heavy ransomware with data destruction.” 
