While typical ransomware attacks can cause massive damage in the form of business disruption and data loss, there are also cases of atypical attacks that, despite calling themselves ransomware, do not involve data encryption.
These encryption-less attacks may involve malware that exfiltrates data and uses it to extort the victimized organization with public leaks or simply “scareware,” which is made to appear as ransomware by merely creating the illusion of encryption.
These attacks can still significantly impact the victims, and depending on the case, they may lead to financial loss and service outages.
Scareware posing as ransomware
Recently, researchers at CYFIRMA discovered a new malware strain named ‘ALC Ransomware,’ which pretends to be ransomware but is actually scareware.
The malware does not encrypt files on the victim’s machine but instead disables the task manager, locks the screen, and displays a ransom note.
Disabling the task manager prevents the victim from firing up the Windows tool and terminating the malicious process. While this is more of an annoyance than a real threat, inexperienced users or surprised employees might find the situation believable.
The whole process is completed within a matter of seconds, which is a clear sign that no encryption takes place. However, if the attacked systems aren’t actively monitored by IT staff, this sign is easily missed.
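One quick way for responders to confirm that no encryption actually happened is to sample the victim's user documents and measure their byte entropy: real ciphertext sits close to 8 bits per byte, while untouched plaintext documents stay far below. The following Python script is an added illustration, not code from the CYFIRMA report or from MonsterCloud; the entropy threshold, the file extensions checked, and the constructed sample directory are all assumptions, and one random-byte file stands in for a genuinely encrypted document.

```python
import math
import os
import tempfile
from collections import Counter

# Assumed threshold (bits/byte): ciphertext is ~7.9+, plain text is usually < 6.
ENTROPY_THRESHOLD = 7.2
# Only formats that are normally low-entropy; compressed formats (docx, pdf,
# zip) are naturally high-entropy and would need a different check.
PLAINTEXT_EXTENSIONS = (".txt", ".csv", ".log", ".html", ".xml", ".json")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, sample_size: int = 4096) -> bool:
    """Heuristic: read the file head and flag it if the content is near-random."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    return len(head) >= 64 and shannon_entropy(head) >= ENTROPY_THRESHOLD


def triage_directory(root: str, extensions=PLAINTEXT_EXTENSIONS) -> dict:
    """Walk root and count sampled files versus files that look encrypted."""
    sampled = encrypted = 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                sampled += 1
                encrypted += looks_encrypted(os.path.join(dirpath, name))
    return {"sampled": sampled, "encrypted": encrypted}


def build_sample_tree(root: str) -> None:
    """Constructed fixture: three untouched text documents plus one random-byte file."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs, exist_ok=True)
    for i in range(3):
        with open(os.path.join(docs, f"report{i}.txt"), "w") as fh:
            fh.write("Quarterly figures and meeting notes, nothing unusual here.\n" * 40)
    with open(os.path.join(docs, "notes.txt"), "wb") as fh:
        fh.write(os.urandom(4096))  # stands in for a file a real locker encrypted


def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage_directory(root)  # scareware-only incident would report encrypted == 0
```

On a scareware-only incident such as ALC the `encrypted` count stays at zero across the sampled documents; a real locker pushes it toward the `sampled` total.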
The scareware informs the victim that they need to send 554 XMR (Monero), equivalent to approximately $85,000 USD, to the attacker’s wallet to get a working decryptor in return.
An email address and Telegram are also provided for communications, while the victim is advised to contact the threat actor using their ID. CYFIRMA, however, found that the victim ID is always the same, as there’s no unique decryption key to derive from it anyway.
ALC ransomware is poorly crafted and may be in its early stages of development or created by low-tier cybercriminals who do not possess the skills to develop an actual data locker.
Despite that, ALC ransomware is active enough to have appeared on CYFIRMA’s radar; the company reports that it targets Russia and its counterparts, causing substantial damage to the affected organizations.
Encryption-less ransomware gangs
Several ransomware gangs have also decided to skip the encryption step and go straight to the file-stealing and extortion part. Cybersecurity company Redacted recently reported that the BianLian ransomware gang, which used to deploy a custom data locker on victim devices, has now abandoned that strategy and focuses instead on building more powerful extortion arguments against its victims.
Recently, we have also seen new operations like SnapMC, analyzed by NCC Group, which focuses solely on stealing data from the networks of breached organizations and does not use a ransomware strain at all.
This has also given rise to extortion groups like Karakurt and RansomHouse, which do not employ any ransomware tools. Instead, they receive stolen data from affiliated network intruders and conduct extortion on the victimized organizations.
Ransomware attacks can be complicated or have a broad range of characteristics depending on the threat actor and the strain used (or not used). The best way to deal with their repercussions and mitigate their impact in the shortest time is to engage experts in the field like MonsterCloud.
MonsterCloud possesses the knowledge and expertise to identify encryption-less threats, uproot the malware remnants of the infection from breached systems, and have organizations return to regular operations quickly and confidently.
Sources:
https://www.cyfirma.com/outofband/alc-scareware-pretends-to-be-a-ransomware/
https://redacted.com/blog/bianlian-ransomware-gang-continues-to-evolve/
https://research.nccgroup.com/2021/10/11/snapmc-skips-ransomware-steals-data/
https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation