
Ransomware crews investing in custom data stealing malware

As ransomware crews increasingly go beyond just encrypting victims’ files and demanding a payment to unlock them, and instead steal sensitive data outright, some of the more mature crime organizations are developing custom malware for that data theft.

In a report published on Wednesday by Cisco Talos, the threat intelligence unit reviewed the top 14 ransomware groups and analyzed their tactics, techniques and procedures (TTPs). Talos selected the 14 based on volume and impact of attacks and “atypical threat actor behavior,” using data from the criminals’ leak sites, internal tracking, and other open-source reporting.

The 14, listed here by number of victims on their respective shaming sites, are the ones you’d likely expect: LockBit, ALPHV, Play, 8base, BlackBasta, BianLian, CLOP, Cactus, Medusa, Royal/Blacksuit, Rhysida, Hunters International, Akira, and Trigona. 

“Over the past year, we have witnessed major shifts in the ransomware space with the emergence of multiple new ransomware groups, each exhibiting unique goals, operational structures and victimology,” the report’s authors note.

“The diversification highlights a shift toward more boutique targeted cybercriminal activities, as groups such as Hunters International, Cactus and Akira carve out specific niches, focusing on distinct operational goals and stylistic choices to differentiate themselves,” they add.

Plus, as many gangs shift to double-extortion tactics, as we’ve seen in the recent high-profile attacks against the London hospitals’ pathology services provider Synnovis and Christie’s auction house, among others, some more established ransomware-as-a-service operations are developing bespoke malware for data exfiltration, according to Talos.

Using this type of tactic, the crooks will first break into their victims’ network, snoop around and steal valuable files, and only then encrypt the data on the network. Generally, they also post the victims’ names on their leak sites, extort (or at least attempt to extort) the organizations for massive sums of money, and then if and when negotiations break down, the criminals will leak a sample of the stolen data to further turn up the pressure on victims to pay the ransom demand.

BlackByte and LockBit are among these more mature ransomware-as-a-service crews offering custom built data-exfiltration tools to their affiliates.

“BlackByte’s custom Exbyte exfiltration tool, written in the Go programming language, targets Windows hosts and facilitates the transfer of stolen files to an external server or cloud storage services,” James Nutland, information security analyst at Cisco Talos, told The Register.

“Exbyte is used by BlackByte actors and incorporates various evasion techniques to avoid detection by security tools, such as testing whether it is being run in a sandboxed environment,” he added.

Meanwhile, LockBit, prior to being dismantled by international cops in February, had its own proprietary StealBit malware.

“StealBit was created to maximize the overall efficiency of data exfiltration activities for LockBit affiliates, shortening the timespan of data theft,” Nutland said. “The tool operates similarly to legitimate applications on a host, with a graphical user interface including the ability to drag and drop files of the actors’ choosing.”

Typically, the gangs follow a similar attack chain, starting with initial access and then establishing persistence in the victim’s environment. From there, they snoop around for valuable data and credentials to steal and use that access to move laterally and escalate privileges so they can burrow deeper into the network. Finally, they copy chosen data and then deploy the ransomware encryption code.
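Whatever the tool, bulk exfiltration leaves one signature that bespoke malware cannot hide: a host suddenly pushing far more data outbound than it ever has before, usually to a single external destination, shortly before the encryptor runs. The following is an added example (not code from Talos, BlackByte or LockBit) of the baseline check a SOC would run over per-host daily flow summaries. The `Flow` records, host names and destination domains are constructed for the example; the `share.example-storage.net` destination stands in for whatever cloud-storage service an affiliate points its tool at.

```python
"""Flag hosts whose daily outbound volume jumps far above their own baseline,
the traffic shape a bulk exfiltration tool leaves behind.
Added example with constructed data; not from the Talos report."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    day: str        # YYYY-MM-DD, as exported by a proxy or NetFlow collector
    host: str       # internal source host
    dest: str       # external destination name
    bytes_out: int  # bytes sent by the host
    bytes_in: int   # bytes received by the host


# Constructed sample: ws01 is a workstation that normally downloads; fs01 is a
# file server that legitimately uploads ~1 GB of backups every night.
SAMPLE_FLOWS = [
    Flow("2024-06-10", "ws01", "updates.example-vendor.net", 5_000_000, 120_000_000),
    Flow("2024-06-11", "ws01", "updates.example-vendor.net", 6_000_000, 90_000_000),
    Flow("2024-06-12", "ws01", "mail.example-saas.net", 8_000_000, 30_000_000),
    Flow("2024-06-13", "ws01", "updates.example-vendor.net", 5_000_000, 100_000_000),
    Flow("2024-06-13", "ws01", "share.example-storage.net", 2_400_000_000, 3_000_000),
    Flow("2024-06-10", "fs01", "backup.example-cloud.net", 900_000_000, 5_000_000),
    Flow("2024-06-11", "fs01", "backup.example-cloud.net", 950_000_000, 5_000_000),
    Flow("2024-06-12", "fs01", "backup.example-cloud.net", 910_000_000, 5_000_000),
    Flow("2024-06-13", "fs01", "backup.example-cloud.net", 930_000_000, 5_000_000),
]


def daily_outbound(flows):
    """Return {host: {day: {dest: bytes_out}}} summed over the flows."""
    per_host = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for f in flows:
        per_host[f.host][f.day][f.dest] += f.bytes_out
    return per_host


def find_exfil_candidates(flows, ratio=5.0, floor_bytes=500_000_000):
    """Flag (host, day) pairs where outbound volume exceeds both an absolute
    floor and `ratio` times the host's largest previous daily total.

    Comparing each host with its own history keeps routinely upload-heavy
    hosts (backup servers) quiet, while a workstation that suddenly pushes
    gigabytes to one destination stands out."""
    findings = []
    for host, days in daily_outbound(flows).items():
        history = []  # daily totals seen so far, in date order
        for day in sorted(days):
            total = sum(days[day].values())
            if history:
                baseline = max(history)
                if total > floor_bytes and total > ratio * baseline:
                    top_dest, top_bytes = max(days[day].items(), key=lambda kv: kv[1])
                    findings.append({
                        "host": host, "day": day, "bytes_out": total,
                        "baseline": baseline, "top_dest": top_dest,
                        "top_dest_bytes": top_bytes,
                    })
            history.append(total)
    return findings


if __name__ == "__main__":
    for f in find_exfil_candidates(SAMPLE_FLOWS):
        print(f"{f['day']} {f['host']}: {f['bytes_out']:,} B out "
              f"(baseline {f['baseline']:,} B), mostly to {f['top_dest']}")
```

On the sample data only ws01 on 2024-06-13 is flagged: 2.4 GB to one storage host against an 8 MB baseline, while fs01's nightly 900 MB backups never trip the ratio. The absolute floor stops low-traffic hosts from alerting on trivial day-to-day swings; tune both knobs against a week of your own exports before wiring this into an alert.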

They tend to get initial access to the target network using a combination of social engineering, network scanning, and open-source research on their victims to learn how best to break into their systems.

The “most prolific” criminals on the scene prioritize “gaining initial access to targeted networks, with valid accounts being the most common mechanism,” according to the research, and one of the ways that crooks obtain these legitimate account credentials is by using infostealer malware. 

This was the case in the recent Snowflake customers’ data theft incidents — and it’s worth noting that these victim orgs did not have multi-factor authentication turned on. Other security shops have also highlighted an uptick in infostealer use among ransomware crews over the past year.

“Infostealers are a tool often leveraged by initial access brokers in collecting credentials and personal data of victims, which are then sold as credential dumps on the dark web,” Nutland said.

“These credentials provide ransomware affiliates, amongst other cybercriminals, with an easily obtainable potential source of access to targeted systems and networks, facilitating the initial compromise.” 

Another trend that Cisco Talos says echoes its earlier Year in Review report [PDF] is that ransomware crews “apply a significant focus to defense evasion tactics to increase dwell time in victim networks,” we’re told. These tactics include using tools to disable or modify antivirus or endpoint-detection software, as well as operating system features intended to detect ransomware payloads. ®
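Disabling or neutering the endpoint agent is one of the few actions an intruder cannot perform quietly: the engine logs its own state change, and the command that caused it shows up in process-creation telemetry. As an added example (not code from Talos or from any vendor), the detection below runs over a few constructed event records and correlates the two sources. Event IDs 5001, 5010 and 5012 are the Windows Defender operational-log events for real-time protection and scanning being disabled; Sysmon event 1 and Security event 4688 are process creation. The flattened record shape (`host`, `channel`, `event_id`, `cmdline`) is an assumption about how your collector normalizes events, and the hosts, users and command lines are constructed.

```python
"""Spot AV/EDR tampering by pairing engine state-change events with the
command lines that trigger them. Added example over constructed records."""
import re

# Windows Defender operational-log events that mean protection was turned off.
DEFENDER_TAMPER_EVENTS = {
    5001: "real-time protection disabled",
    5010: "scanning for malware disabled",
    5012: "scanning for viruses disabled",
}

# (channel, event_id) pairs that carry a process command line.
PROCESS_CREATE_EVENTS = {("Sysmon", 1), ("Security", 4688)}

# Command-line stems an operator uses to switch off or bypass Defender / MDE.
# Case-insensitive; `sc`/`net` patterns require a protection service name so
# that stopping unrelated services does not alert.
TAMPER_CMDLINE_PATTERNS = [
    (re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)", re.I),
     "Defender real-time monitoring disabled via PowerShell"),
    (re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I),
     "Defender exclusion added"),
    (re.compile(r"Set-MpPreference\b.*-EnableControlledFolderAccess\s+Disabled", re.I),
     "controlled folder access disabled"),
    (re.compile(r"\b(sc(\.exe)?\s+(stop|config)|net(\.exe)?\s+stop)\s+(windefend|sense|mssense)\b", re.I),
     "AV/EDR service stopped or reconfigured"),
]

# Constructed sample telemetry, normalized to one flat record per event.
SAMPLE_EVENTS = [
    {"host": "ws01", "time": "2024-06-13T02:11:04Z", "channel": "Sysmon", "event_id": 1,
     "user": "CORP\\jdoe",
     "cmdline": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws01", "time": "2024-06-13T02:11:05Z", "channel": "Defender", "event_id": 5001},
    {"host": "ws01", "time": "2024-06-13T02:11:20Z", "channel": "Sysmon", "event_id": 1,
     "user": "CORP\\jdoe", "cmdline": "sc.exe config WinDefend start= disabled"},
    {"host": "ws02", "time": "2024-06-13T08:30:00Z", "channel": "Sysmon", "event_id": 1,
     "user": "CORP\\helpdesk", "cmdline": "powershell.exe Get-MpComputerStatus"},  # benign
    {"host": "ws02", "time": "2024-06-13T08:31:00Z", "channel": "Defender", "event_id": 1116},  # detection, not tampering
    {"host": "fs01", "time": "2024-06-13T02:40:12Z", "channel": "Security", "event_id": 4688,
     "user": "CORP\\svc-backup", "cmdline": "cmd.exe /c net stop Sense"},
]


def match_event(event):
    """Return a reason string if the event indicates tampering, else None."""
    if event["channel"] == "Defender" and event["event_id"] in DEFENDER_TAMPER_EVENTS:
        return DEFENDER_TAMPER_EVENTS[event["event_id"]]
    if (event["channel"], event["event_id"]) in PROCESS_CREATE_EVENTS:
        cmdline = event.get("cmdline", "")
        for pattern, reason in TAMPER_CMDLINE_PATTERNS:
            if pattern.search(cmdline):
                return reason
    return None


def detect_tampering(events):
    """Return one finding per matching event, preserving input order."""
    findings = []
    for e in events:
        reason = match_event(e)
        if reason:
            findings.append({"host": e["host"], "time": e["time"], "channel": e["channel"],
                             "event_id": e["event_id"], "user": e.get("user"), "reason": reason})
    return findings


def triage_by_host(findings):
    """Escalate hosts where a command-line hit and the engine's own
    'disabled' event agree: two independent sources beat either alone."""
    channels = {}
    for f in findings:
        channels.setdefault(f["host"], set()).add(f["channel"])
    return {host: ("high" if "Defender" in chans and chans - {"Defender"} else "medium")
            for host, chans in channels.items()}


if __name__ == "__main__":
    found = detect_tampering(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']} {f['host']} [{f['channel']}/{f['event_id']}] {f['reason']}")
    print(triage_by_host(found))
```

On the sample, ws01 is rated high (the PowerShell command is followed within a second by Defender's own event 5001, then the service is set to disabled), fs01 medium on the `net stop Sense` alone, and ws02 produces nothing: a status query and a malware-detected event are not tampering. Extend `TAMPER_CMDLINE_PATTERNS` with the service and process names of whatever EDR you actually run.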