Data extortion shift likely with updated Exmatter malware

Data corruption functionality has been added to an updated version of the Exmatter malware, which could signal a new tactic for ransomware affiliates, reports BleepingComputer. "As files upload to the actor-controlled server, the files that have been successfully copied to the remote server are queued to be processed by a class named Eraser. A randomly sized segment starting at the beginning of the second file is read into a buffer and then written into the beginning of the first file, overwriting it and corrupting the file," said Cyderes researchers, who discovered the new Exmatter sample. Meanwhile, Stairwell Threat Research, which analyzed the sample, determined that the development of Exmatter's data destruction capabilities is still underway. The emergence of the data corruption feature may prompt a transition to ransomware attacks that are more profitable to affiliates, according to Cyderes. "Eliminating the step of encrypting the data makes the process faster and eliminates the risk of not getting the full payout, or that the victim will find other ways to decrypt the data," Cyderes added.
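The corruption pattern described above leaves one file beginning with another file's leading bytes, which gives responders something to scan for during triage. The following Python sketch is an added example, not code from the article, Cyderes or Stairwell; the file names, the 4096-byte probe size and the 64-byte threshold are assumptions, and the sample files are constructed.

```python
import os
import tempfile
from collections import defaultdict

def shared_len(a: bytes, b: bytes) -> int:
    """Length of the common leading run of two byte strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def find_shared_heads(root, probe=4096, min_shared=64):
    """Pairs of files under root whose first bytes match for >= min_shared bytes.

    min_shared is an assumed threshold: long enough to skip ordinary format
    signatures, short enough to catch a small overwritten segment.
    """
    buckets = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(probe)
            if len(head) >= min_shared:
                buckets[head[:min_shared]].append((path, head))
    hits = []
    for group in buckets.values():
        group.sort()
        for i, (pa, ha) in enumerate(group):
            for pb, hb in group[i + 1:]:
                hits.append((os.path.basename(pa), os.path.basename(pb), shared_len(ha, hb)))
    return sorted(hits)

def demo():
    """Run the scan over constructed sample files (not real malware output)."""
    donor = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4
    original = b"PK\x03\x04" + b"A" * 1000
    clean = b"%PDF-1.7\n" + b"B" * 500
    # Constructed end state: the first 300 bytes now equal the donor's.
    damaged = donor[:300] + original[300:]
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("photo.png", donor), ("budget.xlsx", damaged), ("notes.pdf", clean)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_shared_heads(root)

if __name__ == "__main__":
    for a, b, n in demo():
        print(f"{a} and {b} share their first {n} bytes")
```

A hit is a lead rather than proof: files produced from the same template can legitimately share long headers, so check flagged pairs against backups or known-good hashes.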
