Signs of a new data extortion technique show threat actors may leverage Exmatter to destroy, rather than encrypt data, which could create delays in care delivery and data recovery
The healthcare sector has been an increasingly popular target for ransomware groups, because healthcare organizations are more likely to pay a ransom quickly in order to restore networks, services, and care delivery.
According to data from Cyber Risk Analytics (CRA), the healthcare sector was the second most impacted sector by data breaches last year.
This underlines how important it is for the industry to be aware of – and prepared for – the evolving tactics of threat actors.
Familiar Tool, New Tactic
One such evolution is data destruction, which was long rumored to be where ransomware was headed but had not been seen in the wild – until recently.
During an incident response in September, Cyderes Special Operations and Stairwell Threat Research teams found signs that threat actors were actively in the process of staging and developing this exceptionally aggressive capability – marking a significant shift in the data extortion landscape, and a development that should be particularly concerning to the healthcare sector.
The sample of malware recently discovered is designed to destroy data outright, rather than encrypt it. It behaves similarly to previously reported uses of an exfiltration tool called Exmatter, and was observed in conjunction with ransomware allegedly run by affiliates of numerous ransomware groups, including Blackmatter.
Exmatter is designed to take specific file types from selected victim directories and upload them to attacker-controlled servers before the ransomware itself is executed on the compromised systems. In this particular sample, the attacker attempts to corrupt files within the victim’s environment, rather than encrypting them, and stages the files for destruction.
Why Destroy Data Rather Than Encrypt It?
Using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers. Opening files on a computer and overwriting them with random data or encrypting them is suspicious – it looks like ransomware. But opening one file and copying its contents to another is a much more benign operation, and thus harder to detect.
Furthermore, eliminating the encryption step makes the process faster and removes two risks for the attacker: that they do not receive the full ransom payout, and that the victim finds another way to decrypt the data.
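A defender-side integrity check for the pattern described above, added here as an illustration and not code from Cyderes, Stairwell or the malware sample: it compares the current state of a directory against a known-good baseline (for instance an immutable backup), treats a hash change on its own as an ordinary edit, and flags a file whose leading bytes changed and now match another file's, the fingerprint of content copied from one legitimate file into another rather than encrypted. All paths, file contents and the `HEAD` length are constructed assumptions.

```python
import hashlib
from collections import defaultdict

HEAD = 12  # leading bytes compared when looking for content copied between files

def classify(baseline: dict, current: dict, head: int = HEAD) -> dict:
    """Return {path: verdict} for every baseline file that no longer matches.

    'missing', 'modified' (ordinary edit), or 'overwritten_from:<path>' when the
    file's first `head` bytes changed AND now equal another file's head, i.e.
    content was copied from one legitimate file into this one. Requiring the
    head to have changed avoids flagging files that legitimately share a header.
    """
    by_head = defaultdict(list)  # head bytes -> files currently starting with them
    for path, data in current.items():
        by_head[data[:head]].append(path)
    verdicts = {}
    for path, good in baseline.items():
        now = current.get(path)
        if now is None:
            verdicts[path] = "missing"
        elif hashlib.sha256(now).digest() != hashlib.sha256(good).digest():
            donors = [p for p in by_head[now[:head]] if p != path]
            if now[:head] != good[:head] and donors:
                verdicts[path] = "overwritten_from:" + sorted(donors)[0]
            else:
                verdicts[path] = "modified"
    return verdicts

# Constructed snapshot of a known-good backup (a real baseline would store each
# file's hash and first HEAD bytes rather than the full content).
BASELINE = {
    "charts/patient_a.pdf": b"%PDF-1.4\n% chart for patient A, 12 pages\n",
    "charts/patient_b.pdf": b"%PDF-1.4\n% chart for patient B, 3 pages\n",
    "labs/2023-q3.csv": b"id,test,result\n1,HbA1c,6.1\n",
    "labs/2023-q4.csv": b"id,test,result\n2,HbA1c,5.8\n",
    "notes/visit.docx": b"PK\x03\x04 visit notes for patient A\n",
}
# Constructed state of the same directory after the incident.
CURRENT = dict(BASELINE)
CURRENT["labs/2023-q4.csv"] += b"3,LDL,110\n"                       # legitimate edit: row appended
CURRENT["notes/visit.docx"] = BASELINE["charts/patient_a.pdf"][:24]  # filled with bytes copied from the PDF
del CURRENT["charts/patient_b.pdf"]                                   # deleted outright

def run_example() -> dict:
    return classify(BASELINE, CURRENT)

if __name__ == "__main__":
    for path, verdict in sorted(run_example().items()):
        print(f"{verdict:40} {path}")
```

Note that the two CSV exports share the same header but only the edited one is reported, and only as "modified", because its leading bytes did not change.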
The Healthcare Sector Needs to Take Note
Analysis of the sample indicates that the development of Exmatter is ongoing and that threat actors are likely to continue experimenting with data exfiltration and destruction.
For the healthcare sector, this potential shift in the ransomware landscape could spell disaster. If a threat actor is able to destroy a patient’s health information rather than encrypt it, for example, it would have drastic consequences, including the victim organization’s liability for violating HIPAA and other privacy regulations and, worse, a critical threat to the lives of the patients whose vital diagnostic and treatment information has disappeared without a trace.
The vast majority of health systems have backup and disaster recovery programs in place, but according to many industry surveys, including those from HIMSS, many have not tested them recently, or ever. Several public breaches and the resulting After Action Reports (AARs) have highlighted the time it takes to transfer terabytes of data back into their systems or cloud providers. This forces clinical staff onto downtime procedures and delays billing and charting processes, even if the data is properly restored.
The potential impact of this new threat is indeed great, and reinforces the need for organizations to focus on detection, response, and recovery:
- Ensure you have a backup plan in place – most importantly, make sure your organization does a full test either in a lab setting, or with one of your Disaster Recovery (DR) partners to avoid any delays.
- Create unique credentials (non-domain credentials) for cloud backup system administration with high complexity and backed by multi-factor authentication.
- Configure cloud backup systems to create “immutable” backups or store offline backups at a secure location.
- Have an incident response plan in place and test it with a series of tabletop exercises at the technical level, business process owner level, and executive level.
- Complete a business impact analysis of systems and establish recovery tiers, reserving tier zero for infrastructure.
- Add worst-case provisions to continuity of operations plans (continuity of care or business continuity plans): a return to paper methods, and an assessment of the impact of relying on those methods for the duration of the outage.
To learn more about why threat actors are experimenting with this new technique, and what it means for the broader threat landscape, watch this executive panel with leaders from Cyderes and Stairwell.