Symantec researchers are warning that a BlackByte ransomware affiliate has begun using a custom data exfiltration tool, Infostealer.Exbyte, to steal data from victims’ networks as part of their attacks.
Still, as a recent breach of an Indian power company by a different ransomware group demonstrates, the extra effort of stealing data doesn’t always pay off for the attackers — even when it leads to embarrassing data leaks for the victim.
What may be most interesting in the ongoing development of exfiltration tools is that some ransomware groups may be about to change tactics entirely — more on that in a moment.
BlackByte Exfiltration Tool
The new BlackByte exfiltration tool performs a series of checks both to make sure it isn't running in a sandboxed environment and to look for antivirus tools, mirroring the anti-analysis behavior of the BlackByte ransomware itself. Exbyte then searches the victim machine for document files (.txt, .doc, .pdf) and uploads them to an account on the MEGA cloud storage service.
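The one network-observable step in that chain is the upload to MEGA, which is what a defender can hunt for in egress proxy logs. The script below is an added illustration, not code from Symantec or from the BlackByte/Exbyte tooling: it aggregates POST/PUT volume to MEGA domains per source host over a sliding ten-minute window and raises an alert when a host exceeds a byte threshold. The log format ("time src method host bytes_out"), the sample lines, the MEGA domain list, the window and the threshold are all assumptions to be tuned against your own telemetry.

```python
"""Flag hosts pushing large volumes of data to MEGA, the upload target the
Symantec write-up attributes to Exbyte.  Added illustration, not code from
Symantec or BlackByte.  Assumptions: egress proxy logs in a constructed
space-separated format ("time src method host bytes_out"), and the MEGA
domains listed below; tune THRESHOLD_BYTES and WINDOW for your environment."""
from collections import defaultdict
from datetime import datetime, timedelta

# MEGA client uploads go to per-upload storage hosts under mega.co.nz as well
# as the web front ends; this list is an assumption, extend it from your own
# DNS/proxy telemetry.
MEGA_SUFFIXES = ("mega.nz", "mega.co.nz", "mega.io")

WINDOW = timedelta(minutes=10)
THRESHOLD_BYTES = 50 * 1024 * 1024  # 50 MiB outbound inside one window


def is_mega_host(host: str) -> bool:
    """True for a MEGA domain or any subdomain of one (suffix match on a label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in MEGA_SUFFIXES)


def parse_line(line: str):
    """Parse one constructed log line into (time, src, method, host, bytes_out)."""
    ts, src, method, host, bytes_out = line.split()
    return datetime.fromisoformat(ts), src, method.upper(), host, int(bytes_out)


def find_bulk_uploads(lines):
    """Return [(src, window_start, bytes)] for sources whose POST/PUT volume to
    MEGA within any WINDOW-sized span exceeds THRESHOLD_BYTES."""
    events = defaultdict(list)  # src -> [(time, bytes)]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, method, host, bytes_out = parse_line(line)
        if method in ("POST", "PUT") and is_mega_host(host):
            events[src].append((ts, bytes_out))

    alerts = []
    for src, evs in events.items():
        evs.sort()
        total, start = 0, 0
        for ts, nbytes in evs:
            total += nbytes
            # slide the window start forward until the span fits inside WINDOW
            while ts - evs[start][0] > WINDOW:
                total -= evs[start][1]
                start += 1
            if total > THRESHOLD_BYTES:
                alerts.append((src, evs[start][0], total))
                break  # one alert per source is enough for triage
    return alerts


# Constructed sample: one workstation making a few small API calls to MEGA
# (normal browsing), another pushing ~120 MiB in under five minutes.
SAMPLE_LOG = """
2022-10-21T09:00:01 10.1.4.22 GET mega.nz 512
2022-10-21T09:00:05 10.1.4.22 POST g.api.mega.co.nz 2048
2022-10-21T09:02:10 10.1.7.90 POST gfs270n123.userstorage.mega.co.nz 41943040
2022-10-21T09:04:30 10.1.7.90 POST gfs270n123.userstorage.mega.co.nz 41943040
2022-10-21T09:06:45 10.1.7.90 POST gfs270n124.userstorage.mega.co.nz 41943040
2022-10-21T09:07:00 10.1.4.22 POST eu.api.mega.co.nz 1024
2022-10-21T09:30:00 10.1.9.5 PUT files.example.com 209715200
"""

if __name__ == "__main__":
    for src, since, nbytes in find_bulk_uploads(SAMPLE_LOG.splitlines()):
        print(f"ALERT {src}: {nbytes / 2**20:.0f} MiB to MEGA since {since.isoformat()}")
```

On the sample, only 10.1.7.90 fires: it crosses 50 MiB on its second 40 MiB upload, while the large PUT from 10.1.9.5 is ignored because it targets a non-MEGA host. Volume alone is a coarse signal, so in practice correlate the alert with endpoint telemetry showing the same host enumerating .txt/.doc/.pdf files shortly beforehand.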
The Symantec researchers noted that Exbyte follows in the footsteps of several other custom-developed data exfiltration tools, including Exmatter, Ryuk Stealer, and StealBit. “The fact that actors are now creating custom tools for use in BlackByte attacks suggests that it may be on the way to becoming one of the dominant ransomware threats,” they wrote.
Exfiltration to Replace Ransomware Encryption?
Cyderes researchers said the evolution of exfiltration suggests that threat actors may eventually use data theft in place of encryption.
“With data exfiltration now the norm among threat actors, developing stable, secure, and fast ransomware to encrypt files is a redundant and costly endeavor compared to corrupting files and using the exfiltrated copies as the means of data recovery,” they wrote.
Ransomware affiliates have “lost out on profits from successful intrusions due to exploitable flaws in the ransomware deployed, as was the case with BlackMatter,” they added. “Eliminating the step of encrypting the data makes the process faster and eliminates the risk of not getting the full payout, or that the victim will find other ways to decrypt the data.”
“Data destruction is rumored to be where ransomware is going to go, but we haven’t actually seen it in the wild,” they noted. “During a recent incident response, however, Cyderes and Stairwell discovered signs that threat actors are actively in the process of staging and developing this capability.”
That incident, a BlackCat/ALPHV ransomware investigation, turned up an exfiltration tool with hardcoded SFTP credentials. Stairwell's Threat Research Team analyzed the sample and found partially implemented data destruction functionality.
“The use of data destruction by affiliate-level actors in lieu of RaaS deployment would mark a large shift in the data extortion landscape and would signal the balkanization of financially-motivated intrusion actors currently working under the banners of RaaS affiliate programs,” the Stairwell researchers wrote.
Exfiltration also gives attackers a second lever. Rapid7 recently warned of the ongoing evolution of double extortion, in which attackers both hold the victim's data for ransom through encryption and demand additional money to prevent the public release of the data they stole.
The technique was pioneered, Rapid7 noted, by the Maze ransomware group. “Throughout most of 2020 Maze was the leader of the double extortion tactic among ransomware groups, accounting for 30% of the 94 reported cases of double extortion between April and December of 2020,” the researchers wrote.
Because decryption often fails or is incomplete, victims have less incentive to pay for decryption keys; preventing a leak becomes the more compelling reason to pay, and could drive an entirely new extortion model in which theft and destruction replace encryption.
When Extortion Fails and Data Leaks
The recent attack on India’s Tata Power by the Hive ransomware group is a vivid example of the extortion threat, though it appears that in this case, the attackers were unsuccessful in their extortion attempts.
In an October 14 stock exchange filing [PDF], the company described the breach as "a cyber-attack on its IT infrastructure impacting some of its IT systems," but did not mention ransomware or data exfiltration.
As the hackers began leaking the data earlier this week, security researcher Dominic Alvieri noted that the group claimed to have information on all of Tata Power’s bank accounts and recent balance details, and researcher Rakesh Krishnan separately posted four screenshots of leaked bank details, adding that employees’ personal information, engineering drawings, and client contracts were also leaked.