
What shifting ransomware strategies mean for defenders

The fallout from the DarkSide ransomware attack on Colonial Pipeline on May 7 caused apparent disruption in parts of the ransomware ecosystem. Several ransomware operators, including GOLD WATERFALL, the group behind DarkSide, announced suspensions or changes to their affiliate operations. Some underground forums, including RaidForums, banned discussion and promotion of ransomware.

However, for network defenders, the most significant event in ransomware this year may have nothing to do with Colonial Pipeline at all. At the end of April, Babuk, the group behind the attack on the Washington D.C. Metropolitan Police Department (MPD), announced that it intended to stop encrypting the files of its victims and instead focus only on data theft and extortion.

On April 26, Babuk published a post on its leak site stating that it had stolen over 250 gigabytes of data from the Washington MPD. It claimed to have accessed the police system using a zero-day vulnerability in a VPN. Negotiations over a possible $4 million ransom failed and Babuk leaked some, then apparently all, of the data.

On April 30 it announced that it was switching to data theft-only attacks. Two weeks later, another Babuk announcement boasted of the development of “something really cool, a huge platform for independent leaks.” This would be open to other threat actors to post data leaks. In between those two announcements it continued to add victims to its leak site, including companies in Japan, the U.S., and Italy. At the end of May, it rebranded as Payload Bin, keeping the same Tor address for its site.

Moving away from attacks that encrypt victim files has clear benefits for attackers. Overheads associated with decrypting their victims’ files disappear. So do those of tool development and maintenance, items that may have previously caused Babuk problems. In April, Babuk was thought to have had difficulties with its Linux ransomware that caused it to rename rather than encrypt files on servers running VMware’s ESXi virtualization platform. Using the decryptor software then destroyed the files. Issues like this clearly reduce the motivation of victims to pay the ransom demanded. Focusing on data theft only might mean less revenue, but it also requires a lot less effort.

At first sight, it also appears positive for victims. Full business disruption seems less likely and consequential costs are potentially much lower. But it could make life harder for network defenders. Ransomware deployments typically require a dwell time ranging from days to months for the threat group to position the ransomware for maximum effect. This dwell time presents an opportunity for behavioral and indicator detection. Compared to ransomware deployment, exfiltration likely requires a shorter dwell time, less lateral movement, and the use of fewer tools. The short dwell time provides a much shorter window for detection.

Babuk has not been the first ransomware operator to go down the data-theft-only route. The operator of Clop ransomware, GOLD TAHOE, did it too in late 2020 and early 2021 when it exploited a vulnerability in the Accellion File Transfer Appliance (FTA) software to exfiltrate data and extort victims without deploying ransomware.

It’s hard to know how seriously to take Babuk’s announcements. In the days before it publicly disclosed this change in strategy, it conducted a somewhat bombastic interview with Polish publication Sekurak in which it promised “a massive attack on the largest IT companies,” then declared it was closing the Babuk project entirely and would make its source code publicly available, and then immediately retracted that announcement. Its latest moves may simply be knee-jerk reactions to its unsuccessful run-in with the Washington MPD.

It’s also currently unclear how financially viable data theft alone is for criminals. Faced with no longer losing data availability, will organizations still feel as compelled to pay up to stop data leaks, especially those in countries not bound by stringent data protection regulation?

These changes are not the last ones in the ransomware ecosystem, with its long history of operators shifting their practices to optimize their gains. Many of these changes won’t stick either. Within weeks of the ban on forum postings about ransomware, the operator behind Avaddon ransomware, one of the most active ransomware gangs at present, was seen advertising on one such forum for pen testers. That’s good for the cybersecurity industry, which uses these forums to monitor gangs and gather intelligence to protect its clients.

While any disruption to the rising levels of ransomware activity is positive, financially-motivated cybercriminals are not going to disappear. By focusing on detecting unauthorized access, persistence mechanisms, and lateral movement associated with ransomware threat groups earlier in the attack lifecycle, organizations can go a long way towards protecting themselves against this current shift in criminal tactics.

Jane Adams, information security research consultant, Secureworks 
