Encryption is time-consuming and error-prone, cybercrime gangs seem to think; some of them now simply render the data they have already copied unusable instead.
As early as 2021, so-called triple extortion had become established in cybercrime incidents: the victims pay for the key that makes their data readable again, pay again for the assurance that internal documents will not be published, and if that is not enough, DDoS attacks rain down. However, encryption is time-consuming and error-prone. That is why some gangs do without it and rely solely on theft combined with the threat of publication. And the first ransomware now also contains an “erase” function, likewise intended to render the data unusable.
There have already been incidents in which it turned out that the alleged ransomware had irretrievably destroyed the data; but such wipers are used in targeted acts of sabotage. Cybercrime gangs usually make sure that they actually retain a way to restore the data, if only to keep the willingness to pay high. Wanton destruction would be “bad for business”; the fact that recovering the data does not always work is another matter.
Encrypt as default
The method of choice is to overwrite the files with an encrypted version. The data can then only be restored with a special cryptographic key, which the victim has to pay for. But cryptography is hard: in many cases security researchers have already managed to recover data without the keys being released, thanks to errors in the ransomware, and the criminals have come away empty-handed. In addition, encrypting large amounts of data takes a long time; it is quite possible that this process attracts attention through suspicious write activity and high CPU load, and the victim stops the worst in time.
Random overwrite
In order to reduce this risk, some groups only partially encrypt the data, choosing between different optimization levels (intermittent encryption). Or they do without encryption altogether and only copy internal data. The BlackMatter gang uses a special tool called Exmatter to extract (“exfiltrate”) the victim’s data. Reverse engineering by the security firm Cyderes brought a feature called Erase() to light.
It runs once the Sync routine, which copies the files (via SFTP) to an external server operated by the gang, has completed. Erase then apparently overwrites parts of each file with data from other files, making them unusable. The reasoning is probably that the victims would rather pay a ransom to get the original files back than solve the jigsaw puzzle of jumbled data fragments.
The security specialists suspect that the criminals want to imitate “normal activity” by writing the victim’s real data, so that security software does not raise wiper or ransomware alarms. These delete functions are still under active development, experts from Stairwell note in their blog post.
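As a defender-side illustration added here (not code from the article, Cyderes or Stairwell), the following Python compares a file against a chunk-level hash baseline, as a backup or integrity monitor might: a hash mismatch catches both intermittent encryption and the Erase-style overwrite, while the per-chunk entropy check shows why an entropy-only heuristic flags only the encrypted variant. The file contents, chunk size and the 7.0 bits/byte threshold are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

CHUNK = 1024           # chunk size of the integrity baseline (chosen for this example)
HIGH_ENTROPY = 7.0     # bits/byte; encrypted or compressed data sits near 8, text near 4-5

def chunk_hashes(data: bytes, size: int = CHUNK) -> list:
    """SHA-256 per fixed-size chunk, taken while the file is known-good (e.g. at backup time)."""
    return [hashlib.sha256(data[i:i + size]).hexdigest() for i in range(0, len(data), size)]

def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())

def diff_chunks(baseline: list, data: bytes, size: int = CHUNK) -> dict:
    """Compare a file against its chunk baseline. The hash comparison catches any tampering;
    the entropy flag separates chunks that look encrypted from chunks overwritten with
    plausible plaintext, which an entropy-only heuristic would miss."""
    current = chunk_hashes(data, size)
    changed = [i for i, (old, new) in enumerate(zip(baseline, current)) if old != new]
    encrypted_looking = [i for i in changed
                         if shannon_entropy(data[i * size:(i + 1) * size]) >= HIGH_ENTROPY]
    return {
        "changed": changed,
        "encrypted_looking": encrypted_looking,
        "length_changed": len(current) != len(baseline),
        "fraction_changed": len(changed) / max(len(baseline), 1),
    }

# Constructed sample data (not real victim files): a report and an unrelated notes file.
REPORT = b"".join(b"Quarterly report, paragraph %d: revenue flat, costs up.\n" % i for i in range(200))
NOTES = b"".join(b"Meeting notes %d: nothing was decided.\n" % i for i in range(300))
# Deterministic high-entropy stand-in for one encrypted chunk (concatenated SHA-256 digests).
CIPHER_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(CHUNK // 32))

BASELINE = chunk_hashes(REPORT)
# Scenario A: chunk 2 replaced with bytes of another file (the overwrite pattern described above).
SCENARIO_OVERWRITE = REPORT[:2 * CHUNK] + NOTES[:CHUNK] + REPORT[3 * CHUNK:]
# Scenario B: chunk 2 replaced with encrypted-looking bytes (intermittent encryption).
SCENARIO_ENCRYPT = REPORT[:2 * CHUNK] + CIPHER_LIKE + REPORT[3 * CHUNK:]

if __name__ == "__main__":
    for name, blob in [("intact", REPORT), ("overwrite", SCENARIO_OVERWRITE), ("encrypt", SCENARIO_ENCRYPT)]:
        print(name, diff_chunks(BASELINE, blob))
```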
The cybercrime ecosystem
Ransomware is now developed by a few specialized “ransomware-as-a-service” (RaaS) providers. Their affiliates license the malware and other services, and in return the RaaS gang retains part of the ransom money raised. The RaaS providers are in tough competition with each other, which apparently drives them to keep optimizing their software in order to lure active affiliates away from the competition. The experiments with intermittent encryption and the destruction of data are visible effects of this competition. Future extortion cases will show whether this really catches on.