Could Data Destruction + Exfiltration Replace Ransomware?

Slashdot reader storagedude writes: Ransomware groups have been busy improving their data exfiltration tools, and with good reason: As ransomware decryption fails to work most of the time, victims are more likely to pay a ransom to keep their stolen data from being publicly leaked.

But some security researchers think the trend suggests that ransomware groups may change their tactics entirely and abandon ransomware in favor of a combined approach of data destruction and exfiltration, stealing the data before destroying it and any backups, thus leaving the stolen copy of the data as the only hope for victims to recover their data. After all, if ransomware just destroys data anyway, why waste resources developing it?

“With data exfiltration now the norm among threat actors, developing stable, secure, and fast ransomware to encrypt files is a redundant and costly endeavor compared to corrupting files and using the exfiltrated copies as the means of data recovery,” Cyderes researchers wrote after analyzing an attack last month.

“Eliminating the step of encrypting the data makes the process faster and eliminates the risk of not getting the full payout, or that the victim will find other ways to decrypt the data,” they added. “Data destruction is rumored to be where ransomware is going to go, but we haven’t actually seen it in the wild. During a recent incident response, however, Cyderes and Stairwell discovered signs that threat actors are actively in the process of staging and developing this capability.”

That incident – involving BlackCat/ALPHV ransomware – turned up an exfiltration tool with hardcoded sftp credentials that was analyzed by Stairwell’s Threat Research Team, which found partially-implemented data destruction functionality.

“The use of data destruction by affiliate-level actors in lieu of RaaS deployment would mark a large shift in the data extortion landscape and would signal the balkanization of financially-motivated intrusion actors currently working under the banners of RaaS affiliate programs,” the Stairwell researchers wrote.