Threat Actors Pivoting to Newer, Easier Methods


According to multiple cybersecurity firms, ransomware groups are shifting their methods and corrupting files to make recovery from an attack even harder.

Symantec found that an affiliate of a known ransomware group had started to use a tool, Infostealer.Exbyte, which speeds up the transfer of data from the victim's network to storage outside it.

This process is known as exfiltration, or "the unauthorized transfer of information from an information system."

The tool first checks whether it has been deployed in a virtual machine, the kind of environment security researchers use for analysis. Once that check is done, it scrapes all documents on the system and uploads them to Mega cloud storage. The credentials used to create the Mega account are carried, in encoded form, inside the tool itself.

Another cybersecurity group, Cyderes, has found a similar exfiltration tool that uploads files to the attacker's server before corrupting the files on the victim's system, ultimately overwriting and destroying them.
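As an added example (not from the article or from the vendors it cites), a small Python detector for the sequence the two paragraphs above describe from a defender's side: a burst of uploads to a cloud-storage domain followed, on the same host, by a wave of document overwrites. The log format, the watched domain list, and the thresholds are assumptions, and the telemetry lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): ts|host|event|key=value ...
SAMPLE_LOG = """\
2024-01-10T09:00:01|ws-17|net_upload|dest=mega.nz bytes=52428800
2024-01-10T09:00:09|ws-17|net_upload|dest=mega.nz bytes=73400320
2024-01-10T09:00:20|ws-17|net_upload|dest=mega.nz bytes=41943040
2024-01-10T09:04:02|ws-17|file_write|path=/home/a/docs/q3.docx op=overwrite
2024-01-10T09:04:03|ws-17|file_write|path=/home/a/docs/q4.xlsx op=overwrite
2024-01-10T09:04:03|ws-17|file_write|path=/home/a/docs/plan.pdf op=overwrite
2024-01-10T09:04:04|ws-17|file_write|path=/home/a/docs/notes.txt op=overwrite
2024-01-10T09:30:00|ws-02|net_upload|dest=mega.nz bytes=1048576
2024-01-10T11:00:00|ws-02|file_write|path=/home/b/docs/a.docx op=overwrite
"""

CLOUD_DESTS = {"mega.nz"}          # storage services to watch (assumption)
UPLOAD_BYTES = 100 * 1024 * 1024   # upload burst threshold: 100 MiB (assumption)
OVERWRITES = 3                     # overwrites needed after the burst (assumption)
WINDOW = timedelta(minutes=10)     # overwrites must follow the last upload within this

def parse(line):
    """Split one constructed log line into (timestamp, host, event, fields)."""
    ts, host, event, rest = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), host, event, fields

def find_exfil_then_corrupt(log_text):
    """Return hosts where >= UPLOAD_BYTES went to a watched cloud store and
    >= OVERWRITES document overwrites followed within WINDOW of the last upload."""
    state = defaultdict(lambda: {"bytes": 0, "last_upload": None, "overwrites": 0})
    flagged = set()
    for line in log_text.splitlines():
        ts, host, event, f = parse(line)
        s = state[host]
        if event == "net_upload" and f.get("dest") in CLOUD_DESTS:
            s["bytes"] += int(f["bytes"])
            s["last_upload"] = ts
        elif event == "file_write" and f.get("op") == "overwrite":
            # Only overwrites that follow a large upload burst count toward the alert.
            if s["last_upload"] and ts - s["last_upload"] <= WINDOW and s["bytes"] >= UPLOAD_BYTES:
                s["overwrites"] += 1
                if s["overwrites"] >= OVERWRITES:
                    flagged.add(host)
    return sorted(flagged)

if __name__ == "__main__":
    print(find_exfil_then_corrupt(SAMPLE_LOG))  # ['ws-17']
```

Host ws-02 is not flagged because its single 1 MiB upload stays under the burst threshold, which is the kind of tuning a real deployment would do against its own baseline.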

"The development of capabilities to corrupt exfiltrated files within the victim environment marks a shift in data ransom and extortion tactics," Cyderes wrote in a blog post.

Once the information is stolen, there is little reason to encrypt it with ransomware. The inclusion of a destruction strategy signals that some threat actors no longer consider developing and deploying ransomware necessary if they can move the files out and corrupt the originals.

Previously, there was a chance that a decryption tool would work against the ransomware, meaning the attackers might not have received a full payout, or any payout at all. Now, the chances of a decryption tool working are 0%, since there are no files left to decrypt.