Could Data Destruction + Exfiltration Replace Ransomware?

Slashdot reader storagedude writes: Ransomware groups have been busy improving their data exfiltration tools, and with good reason: As ransomware decryption fails to work most of the time, victims are more likely to pay a ransom to keep their stolen data from being publicly leaked.

But some security researchers think the trend suggests that ransomware groups may change their tactics entirely and abandon ransomware in favor of a combined approach of data destruction and exfiltration, stealing the data before destroying it and any backups, thus leaving the stolen copy of the data as the only hope for victims to recover their data. After all, if ransomware just destroys data anyway, why waste resources developing it?

"With data exfiltration now the norm among threat actors, developing stable, secure, and fast ransomware to encrypt files is a redundant and costly endeavor compared to corrupting files and using the exfiltrated copies as the means of data recovery," Cyderes researchers wrote after analyzing an attack last month.

"Eliminating the step of encrypting the data makes the process faster and eliminates the risk of not getting the full payout, or that the victim will find other ways to decrypt the data," they added. "Data destruction is rumored to be where ransomware is going to go, but we haven't actually seen it in the wild. During a recent incident response, however, Cyderes and Stairwell discovered signs that threat actors are actively in the process of staging and developing this capability."

That incident – involving BlackCat/ALPHV ransomware – turned up an exfiltration tool with hardcoded sftp credentials that was analyzed by Stairwell's Threat Research Team, which found partially-implemented data destruction functionality.

"The use of data destruction by affiliate-level actors in lieu of RaaS deployment would mark a large shift in the data extortion landscape and would signal the balkanization of financially-motivated intrusion actors currently working under the banners of RaaS affiliate programs," the Stairwell researchers wrote.

Two words: Good backups

[davidwr]

'Nuff said.

Re: Two words: Good backups

[kopecn]

Buy Druva.

Two more precise words

[DontBeAMoran]

Offline backups.

Re:

[Opportunist]

The cynic in me would say that this is pretty much the service those criminals provide now. You can even restore it quite easily from sites like Mega and Pastebin.

Re:

[ZombieCatInABox]

And how will "good backups" prevent criminals from stealing your data and threatening to leak it online ?

Re: Two words: Good backups

[leptons]

Another reason why I'm happy I finally got an LTO tape drive for backups. Every tape cartridge has a write-protect switch. Maybe there's a way to hack the tape drive firmware,but I have two copies of the tapes. I feel reasonably safe from these attacls.

Re:

[Midnight_Falcon]

Are you nuts? There is no technical reason an LTO tape drive is superior in any way to hard disks at this point. You can get a SAN for backup purposes and configure it to create snapshots of the backups. You can further alternate to diff cages that cycle out etc, much easier than cycling LTO disks or relying on machine cycling.

Not sure what vendor sold you on LTO in 2022, but if I was the CIO, I'd fire whoever bought this with a cannon.

Re: Two words: Good backups

[ctilsie242]

LTO is archive grade. I can take a LTO tape, toss it on a shelf, and in 3-5 years, read from it. SANs are for always-on storage, and the cost to keep stuff on them is a lot more. Yes, one can use something like RDX which is a disk pretending to be a tape, but it still has the same issues as magnetic disk storage, which is designed for accessibility and areal density, as opposed to long term data retention.

Of course, optical has everything beat... provided your stuff fits on one M-DISC media. It would be nice to see some research done on the optical front, for something past BDXL for long term, WORM storage capabilities.

Of course, LTO brings one thing that SANs/NAS models don't have. True WORM media. Yes, some arrays have SmartLock (like EMC Isilons), but if one SSH-es into the BSD core, they can get to the console and nuke data that way. Nuking data on a LTO WORM tape takes physical access.

If a company has 1-2 PB of data, the scales start to tilt heavily in the favor of going with tape over cloud, even with providers like Wasabi or Backblaze B2. Mainly because on an enterprise level, LTO libraries are not expensive. $10-20k gets you something that can get you 200+ TB native capacity, and enterprise tier speeds, be it via FC or SAS. Plus, if you use a D2D2T system, you can have the data that is hitting tape already be compressed and deduplicated, so storage is even higher.

Of course, LTO-4 and newer have AES-256 encryption built into the drives via SPIN/SPOUT. Set a passphrase, make sure it is stored somewhere secure, yet accessible, and pretty much forget about it. If a tape goes missing, it is just a hardware loss, not a major breach.

People think tape has gone the way of the dodo. Ironically, I'm seeing more companies move to tape over cloud, just because there is a point where it is more expensive to shell out the OpEx costs at a cloud provider than it is to just have a tape library on site, and have some offsite van cycle tapes. Yes, there are more offsite secure providers than Iron Mountain (although IM is really good), and some are a lot cheaper, but yet provide excellent, audited physical storage of data.

Tape is a tool/media. Don't scoff at it. For a small business that has a few terabytes, using Wasabi might be the best thing. However, when things go to PB levels, tape gets and retains the edge.

Re:

[Joreallean]

Never under estimate the bandwidth of a station wagon filled with tapes.

Re:

[JasterBobaMereel]

...and always remember the current largest user of tape backup is Google ....

Re:

[leptons]

At $10 per 1.5TB tape (LTO 5), it's still a lot cheaper than hard drives. And it has built-in encryption, and it's a bit more robust than a hard disk. What happens if you plug in a hard disk into a system you don't realize is compromised? Anything can happen. If I put a write-protected tape into my system and it's compromised and I don't know it, not much can happen to the tape to destroy my data.

I have many, many terabytes to back up, and disks would be more expensive, less reliable, and not as secure.

Ways to solve this

[xack]

First of all is to get more accountabillity for software vulnerabilities and to make companies be required to patch their systems properly and make offsite backups airgapped away from their main computers so ransomware can't destroy them. Also if Microsoft is not willing to patch Windows 7 (where most infections occur) then they should pay for hardware and software replacement so less vulnerable systems are around. Then crypto exchanges should be shut down if they are laundering ransomware funds. Economic i

Re:

[Opportunist]

Excuse me, but if you use insecure, outdated and out of service equipment, should the manufacturer be responsible for it? Do you seriously expect Ford to build you some spare parts for your 1957 Edsel?

Especially since if you really, really insist in using Windows as your OS, it wasn't like they tried to keep you from upgrading to the new version...

Re:

[LainTouko]

One problem is that Microsoft has quite deliberately made WIndows 10 a downgrade for many people. To me, Windows 10 is an operating system which cannot be trusted with internet access. Which makes it clearly inferior to earlier versions of Windows.

Also, it would be completely out of line for Ford to prevent people making spare parts for your 1957 Edsel. Like Microsoft does with their source code secrecy and copyright exploitation. If they sell code with security problems, okay, we know that's inevitable, bu

Re:

[Opportunist]

All the things that make Win10 insecure have been faithfully backported to Win7, so that can't be used anymore either.

Seems stupid.

[sims 2]

It costs a lot more to transfer and store data than it does some encryption keys, that's just the problems on the attackers side.

On the victims side they still have to deal with people having shitty asynchronous internet connections.

Like if you wanted to run off with the data from my machine at work over the shitty 10Mbps upload it'd take over 23 days.

Meanwhile you could encrypt the whole thing in a matter of hours.

Re:

[fuzzyfuzzyfungus]

It's also a lot trickier to hide. The people with garbage internet connections probably have essentially zero monitoring(though it's not inconceivable that consumer/small-business ISPs might end up getting involved in flagging very irregular activity if it were to become common); and the better the network connection the more likely it is that there is some sort of monitoring in place, at least some fairly lightweight performance/reliability focused stuff that will probably be perturbed by unexpected conges

Re:

[pusoozer]

Easier to just lie about the exfiltration, and destroy the data. Hope springs eternal, and some payments will be made.

Re:

[gweihir]

Easier to just lie about the exfiltration, and destroy the data. Hope springs eternal, and some payments will be made.

Pretty hard to do successfully if there is standard monitoring on the Internet connection.

Re:

[jabuzz]

Really, pray tell me how I am supposed to determine if there is data exfiltration on our HPC system? Users move large quantities of data in and out of the system as a matter of course.

Re:

[gweihir]

Exactly. And that is why ransomware was invented. Data exfiltration has been done before but it is slow and blatantly obvious to an IDS system. I guess this is a sign of people slowly becoming better prepared to deal with this threat. Good.

Destruction + Exfiltration

[Dan East]

I think they have that backwards, or there isn't anything to exfiltrate.

Re:

[PPH]

Top secret: Burn before reading.

A two pronged defense

[mark-t]

1. Use incremental backups do that you can roll back to any previous point

2. Don't store any data that might be confidential such as user names, payment methods or details, or other contact information in plain text. Unless the attackers also have the source code to your system, they will have no way to decrypt any days they have in a way that it might be valuable to anyone else.

Re:

[gweihir]

Sounds good, but is infeasible in practice. Basically no application is set up these days to work with encrypted data. This may change when crypto-wiping becomes the standard, but that will still take time.

Re:

[mark-t]

Translation: "Oh noes, practicing good security is hard. We should all just give up and let the bad guys win until somebody else figures out a solution for us"

Re:

[Orgasmatron]

You laugh, but I've read a number of lengthy memos that say exactly this. The first time I can across one, I called it the "security-is-hard letter" for years while I was recommending all potential customers avoid that vendor.

I'm involved in a world where dozens of similar entities need software that is very specific to their needs and has no other market. It is all developed on contract by vendors, managed by consortiums of these entities. A typical project cost is in the single digit millions of dollar

Doesn't sound viable

[Anonymous Coward]

Ransomware: We've locally encrypted your files but not copied them (and you can probably check this via your network traffic data). Give us some crypto and we'll give you a key to run a decryptor locally, and decrypt your files pretty quickly. You could be back up and running in hours.

This thing: We've copied all your many GB of data to a remote server, and deleted the local copies (this would probably take a lot of time and data transfer so you can easily find out if we're lying). Anyhow, give us some cryp

The problem is the absence of leverage

[Voyager529]

If an attacker encrypts data, then paying the ransom can have a business use case: the business doesn't run without its data, and backup restoration can take a while.

If an attacker threatens to publicly release data that the business still has access to, then paying is illogical: the business operations are unaffected, and paying the ransom gives no guarantee that the data won't be released anyway. With no real guarantees, and conversely no clear indications that the released data would be harmful, it may e

Re:

[Opportunist]

At any rate, you could destroy their business by saying that you won't pay, but you will certainly publicly announce that you did if they publish the data.

Old chess player's gambit: If you cannot protect your queen and you know that it is lost, try to take the other one's queen in return.

Custom filesystem

[PPH]

And a few honeypot files. When the file system detects an attempt to read any of these special files, it slows down to a few bytes per second (or whatever will keep an application from timing out) and raises an alarm that an attack is in progress. This will work for both exfiltration and ransomware apps. But while the exfiltration app is (slowly) fetching data, the network admins might be able to track where the packets are going.

Offline or WORM backups

[gweihir]

I currently tell my regulated audit customers they are non-compliant without it (because it is the state-of-the-art) and all other that they need it or they will face a catastrophe at some time. Most have it or will have it very soon. And then "data destruction" becomes a non-issue. As to "exfiltration", one reason for encryption in place is that exfiltration is actually blatantly obvious and may well get detected by an IDS.

Re:

[splutty]

If your backups can be remotely overwritten/deleted/modified, then you're doing something really really wrong in the first place.

So good on ya telling people to stop doing that.

Re:

[gweihir]

If your backups can be remotely overwritten/deleted/modified, then you're doing something really really wrong in the first place.

Many people use regular cloud storage and fileservers for "backup". No write-protection there...

Re:

[Bourdain]

I'm no expert on this but I know at least dropbox has versioning so one could just roll back to a state of one's data at a given point in time

Further, I believe at least some of these services have some analytic services to identify when data is being likely destroyed or encrypted

Re:

[gweihir]

If you try to make sure this threat is addressed, you usually find something that works. "Dropbox" is not really the level we are talking about here, but, for example, you can get cloud storage with WORM properties. The problem is too many people completely overlook the problem or ignore it.

How does this work?

[joe_frisch]

"Hello, I've wiped your data but I have a backup copy I'll send you in return for X$ in bitcoin".

"OK you win, here is X$ in bitcoin".

....crickets

Why would the criminals actually bother even exfiltrating the data, beyond a tiny bit to be able to claim that they had. Why would they send it back? Its not like this is going to be an ongoing customer relationship, or they are in breech of contract or something.

Anyone remember NotPetYa?

[ctilsie242]

It is only a matter of time before data destruction starts becoming mainstream... mainly because it already has reared its ugly head before, especially with cyber attacks against the Ukraine. It would not be surprising in the least that data exfiltration followed by a "rm -rf /" comes next, just because companies likely have played the "security is no ROI" game, and don't have anything in place to protect against that, so if someone nuked their data, they would happily pay to restore from a "backup". Well

Encryption as SOP

[Rick Schumann]

If that's where this is going then organizations that have sensitive data to be stolen should just encrypt that data to start with, so even if criminals steal and destroy it on that organizations systems, they won't be able to do anything with it, thus making the threat of exposing the data utterly toothless.

Re:

[storagedude]

Really good point.