24 Oct 2022 10:22
The operators of the BlackCat ransomware began to complement the attacks with a new malware that, instead of encrypting, outputs copies of files and imperceptibly, but hopelessly, corrupts the originals.
Corruption instead of encryption
Cyber ransomware has started using a new malware called Exmatter. To date, it is most often used in conjunction with the BlackCat/ALPHV encryptor. It is believed that this ransomware is used by numerous affiliates of various RaaS groups, including BlackMatter.
Exmatter (already the name of which hints at a connection with BlackMatter) allows operators to steal files of specific types from compromised networks from specified directories before the ransomware itself is launched or the files are actually destroyed.
The sample, analyzed by experts from Cyderes and Stairwell, is equipped with a destructive module that tries to damage the contents of files, rather than encrypt them. That is, we are talking about the functionality of the viper.
As experts found out, after uploading files of interest to attackers to a remote server, a destructive function is launched: a randomly selected segment of each next file in the queue is copied to the buffer and written to the beginning of the previous file, overlapping the original content and thereby violating its integrity.
New cyber-extortion tool overwrites fragments of some files into others
Such an algorithm allows the malware to avoid reaction from security tools based on heuristic algorithms, which are determined by behavior of ransomware and wipers. In addition, copying data from one file to another also looks much more innocent than overwriting files with random data or encryption.
Reliable and practical
The experts noted that the development of a stable encryptor is a much more costly undertaking than the creation of a program that will damage files and offer previously extracted copies to restore them.
“It will also work much faster,” says Anastasia Melnikova, director of information security at SEQ. – Encryption takes more computing resources than banal data corruption, and besides, if sometimes errors in encryptors allow you to unlock files without paying a ransom, then in cases where files are damaged, there is nothing to decrypt. If the backup is not properly set up, one can only hope to get copies of the same files from the attackers and on their terms.
Experts from Cyderes and Stairwell point out that Exmatter’s destructive feature doesn’t appear to be complete yet. For example, a segment of a file that overwrites a fragment of another has arbitrary sizes – up to one byte; The mechanism for removing files from the “corruption” queue is not implemented, so some files can be damaged several times, while others remain intact.
However, Exmatter is an illustration of a new and more practical approach to cyber extortion, so it is possible that this method will be adopted by many groups.