Ransomware hackers are experimenting with a new kind of attack that, instead of encrypting data, outright destroys it. The aim is to make it impossible for victims to retrieve their data if they don't pay the ransom.
This would be dangerous for ransomware victims because, while it's often possible to retrieve encrypted files without paying a ransom, the threat of servers being completely corrupted if extortion demands aren't met could push more victims towards giving in.
The indicators of a potential new tactic were discovered when cybersecurity analysts responded to a BlackCat – also known as ALPHV – ransomware attack.
BlackCat has been responsible for a string of ransomware incidents around the world, but ransomware criminals are always looking for new ways to make attacks more effective – and it appears they're testing a new strategy with malware that destroys data.
In previous ransomware attacks, Exmatter, a data exfiltration tool, has been used to take specific file types from selected directories and upload them to attacker-controlled servers before the ransomware is executed on the compromised systems and the files are encrypted, with the attackers demanding payment for the decryption key.
However, analysis of the new sample of Exmatter used as part of a BlackCat attack suggests that, instead of encrypting files, the exfiltration tool is instead used to corrupt and destroy files.
There are several reasons why cyber criminals might be experimenting with this new tactic. First, the threat of destroying data rather than encrypting it could provide an extra incentive for victims of attacks to pay up.
"Eliminating the step of encrypting the data makes the process faster and eliminates the risk of not getting the full payout, or that the victim will find other ways to decrypt the data," warn researchers at Cyderes.
Also, developing destructive malware is less complex than designing ransomware, so data destruction attacks could require fewer resources and less time, leaving attackers with greater profits.
"Creating stable, robust ransomware is a far more development-intensive process than creating malware designed to corrupt the files instead, renting a large server to receive exfiltrated files and returning them upon payment," said Daniel Mayer, threat researcher at Stairwell.
"Extortion actors are likely to continue experimenting with data exfiltration and destruction with increasing prevalence," Mayer added.