In recent months, the cybersecurity landscape has witnessed a significant evolution in ransomware attacks, with perpetrators deploying an increasingly diverse array of data-exfiltration tools.
Symantec’s latest findings reveal that attackers have utilized at least a dozen different tools for data exfiltration in the past three months alone.
This trend underscores a strategic shift towards leveraging malware and dual-use tools—legitimate software repurposed for malicious intent—to siphon data from victim organizations.
Are you from SOC and DFIR teams? – Join With 400,000 independent Researchers
Malware analysis can be fast and simple. Just let us show you the way to:
- Interact with malware safely
- Set up virtual machine in Linux and all Windows OS versions
- Work in a team
- Get detailed reports with maximum data If you want to test all these features now with completely free access to the sandbox:
Double Extortion: A Growing Threat
According to the Symantec report, Ransomware operators have adopted a more aggressive tactic known as double extortion. By stealing sensitive data before encrypting the victim’s files, attackers can exert additional pressure on organizations to pay the ransom.
This approach not only complicates recovery efforts for the affected entities but also increases the potential for reputational damage and regulatory scrutiny.
The Expanding Toolkit
Among the tools favored by ransomware actors, Rclone remains the most commonly used for data exfiltration.
However, there is a noticeable rise in the use of remote administration and management tools like AnyDesk, ScreenConnect, and Atera.
- Rclone: An open-source cloud management tool, sometimes exploited by ransomware actors for data theft.
- AnyDesk: A remote desktop application that attackers use for unauthorized access, occasionally disguising it to avoid detection.
- RDP (Remote Desktop Protocol): Developed by Microsoft, this protocol enables remote control of computers. Attackers often enable it through registry modifications and firewall rule adjustments to gain malicious access.
- Cobalt Strike: A tool meant for penetration testing but commonly used by attackers for stealthy data exfiltration and establishing covert communications.
- ScreenConnect: Remote desktop software by ConnectWise for computer access.
- Atera: Remote monitoring software often utilized by attackers for network access.
- WinRAR and similar utilities: Used by attackers for file archiving in preparation for data exfiltration.
- Restic: An efficient and secure backup tool, exploited by ransomware groups like those using Noberus for data theft.
- TightVNC: Open-source remote desktop software.
- WinSCP: A legitimate FTP and SFTP client for Windows.
- Pandora RC: Commercial remote access tool, sometimes used maliciously for information theft and deploying additional tools.
- Chisel: An open-source proxy tool, abused in ransomware attacks for data tunneling to attacker-controlled sites.
- PowerShell: A Microsoft scripting tool, exploited for various malicious activities including data exfiltration through commands like Compress-Archive.
These tools offer a blend of functionality that appeals to attackers, including the ability to act as a backdoor into compromised systems.
Case Study: Rclone in Action
A notable instance of Rclone’s misuse occurred during a RagnarLocker ransomware attack in July 2023. Attackers deployed Rclone to transfer data from network shares to external storage solutions, demonstrating the tool’s versatility in facilitating large-scale data exfiltration.
The initial sign of malicious behavior was the execution of PowerShell commands to deactivate Local Security Authority (LSA) protection.
Following this, the attackers utilized SoftPerfect Network Scanner (netscan.exe), a widely accessible tool, for identifying host names and network services.
On the subsequent day, their operations continued with the deployment of Mimikatz and LaZagne for credential theft.
They then employed several native tools to collect system data, backup registry hives, run commands remotely across the network, and activate Remote Desktop Protocol (RDP) to enable external access.
Protection and Mitigation Strategies
In response to these evolving threats, Symantec emphasizes the importance of robust cybersecurity measures. Organizations are advised to monitor outbound traffic for anomalies, restrict the use of dual-use tools, and implement strong identity and access management practices.
Additionally, maintaining up-to-date software and employing endpoint detection and response (EDR) tools can significantly enhance an organization’s resilience against ransomware attacks.
The diversification of data-exfiltration tools in ransomware campaigns highlights the need for continuous vigilance and adaptive security strategies.
As attackers refine their techniques, organizations must prioritize the detection and mitigation of these threats to safeguard their data and maintain operational integrity.
Indicators of Compromise
SHA-256 hash | Description |
---|---|
d5e01c86dab89a0ecbf77c831e4ce7e0392bea12b0581929cace5e08bdd12196 | Rclone |
df69dc5c7f62c06b0a64c9b065c3cbe7d034af6ba14131f54678135c33806f3e | Rclone |
2cbe4368f75f785bf53cbc52b1b357d6281dc41adc1a1aa1870e905a7f07ed5e | Rclone |
e94901809ff7cc5168c1e857d4ac9cbb339ca1f6e21dcce95dfb8e28df799961 | Rclone |
9b5d1f6a94ce122671a5956b2016e879428c74964174739b68397b6384f6ee8b | Rclone |
aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9 | Rclone |
9bbc9784ce3c818a127debfe710ec6ce21e7c9dd0daf4e30b8506a6dba533db4 | Rclone |
64e0322e3bec6fb9fa730b7a14106e1e59fa186096f9a8d433a5324eb6853e01 | Rclone |
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c | Rclone |
5cc2c563d89257964c4b446f54afe1e57bbee49315a9fc001ff5a6bcb6650393 | Rclone |
8a878d4c2dff7ae0ec4f20c9ddbbe40b1d6c801d07b9db04597e46b852ea2dc5 | Rclone |
6ad342fbfe679c66ecf31b7da1744cbf78c3dc9f4dbc61f255af28004e36a327 | Rclone |
8e21c680dab06488014abca81348067753be97fd0413def630701019dea00980 | Rclone |
f63ff9c6f31701c1dca42d47ca4d819645e8d47586cf375db170503ce92b777e | Rclone |
d6c1e30368d7ed406f0a6c6519287d589737989e8ff1297b296054b64b646b3f | Rclone |
109b03ffc45231e5a4c8805a10926492890f7b568f8a93abe1fa495b4bd42975 | AnyDesk |
7d531afcc1a918df73f63579ca8d1a5c8048d8ac77917674c6805f31c8c9890f | AnyDesk |
734f3577aa453fe8e89d6f351a382474a5dab97204aff1e194eee4e9fdff0a4a | AnyDesk |
fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18 | AnyDesk |
e69f82a00ab0e15d2d5d9f539c70406cbfaffd2d473e09aab47036d96b6a1bc1 | AnyDesk |
5b70972c72bf8af098350f8a53ec830ddbd5c2c7809c71649c93f32a8a3f1371 | AnyDesk |
7bcff667ab676c8f4f434d14cfc7949e596ca42613c757752330e07c5ea2a453 | AnyDesk |
cd37a69b013336637a1ee722a6c7c8fd27439cf36ac8ed7e29374bbe4a29643e | AnyDesk |
8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383 | AnyDesk |
ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028 | AnyDesk |
bbbedd933ac156b476e1b3edb3e09501c604a79c4ff1a917df779a9f1bec5cca | AnyDesk |
7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494 | AnyDesk |
355faa21f35d4a15c894445f09af97b2ad90604425b9a4b9076e293dbd4504ab | AnyDesk |
580f6a285c6c3b7238bd16e1aeb62a077ae44b5061a2162e9fd6383af59028bb | AnyDesk |
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6 | AnyDesk |
4de898c139fb5251479ca6f9ec044cac4d83a2f5d1113b7a4b8f13468a130c97 | AnyDesk |
d928708b944906e0a97f6a375eb9d85bc00de5cc217d59a2b60556a3a985df1e | AnyDesk |
cdb82be1b9dd6391ed068124cfdf2339d71dd70f6f76462a7e4a0fdadd5a208a | Cobalt Strike |
0242c29a20e19a4c19ff1e5cc7f28a8af3c13b6ec083d0569b3ba15a02c898b6 | Cobalt Strike |
9242846351a65655e93ed2aeaf36b535ff5b79ddf76c33d54089d9005a66265b | Cobalt Strike |
935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2 | Cobalt Strike |
8d6a398f97d734412de03340bbb8237d00c519479649af8933afb8fb4fa2f695 | Cobalt Strike |
837fa64038a1e46494b581020606c386fbd79898aab9f38f90df8cfa7d4599ec | Cobalt Strike |
3cc56d5b79877a8ee6d15f0109d1c59937d6555ae656924686cafeee36ec0d57 | Cobalt Strike |
3e2bda57454efa2e87ae4357f5c6c04edafa6b1efcda8093cbfd056a211d0f39 | Cobalt Strike |
840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3 | Cobalt Strike |
6cf60c768a7377f7c4842c14c3c4d416480a7044a7a5a72b61ff142a796273ec | Cobalt Strike |
5adfef3f7721d6616650711d06792c087fd909f52435c8124c5f940f7acbdb48 | Cobalt Strike |
270c888f8fbeb3bdc2dbcf8a911872791e05124d9bd253932f14dc4de1d2aed2 | Cobalt Strike |
6c5338d84c208b37a4ec5e13baf6e1906bd9669e18006530bf541e1d466ba819 | Cobalt Strike |
0f4fa41c4ab2ac238cbe92438cb71d139a7810c6c134b16b6c6005c4c5b984e4 | Cobalt Strike |
b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa | Cobalt Strike |
c4753ca743f0bfa82590e9838ad48af862814052e5c90a6dab97c651942a9d61 | Cobalt Strike |
040f59f7e89787ee8db7ba44a11d7ed2ce9065ac938115933ca8cb37bb99abc5 | Cobalt Strike |
89a09433e0a57d8c01d5bab4ef4e6def979d2bc8e1ffad47ee6eadd3b85d09e9 | Cobalt Strike |
64dd55e1c2373deed25c2776f553c632e58c45e56a0e4639dfd54ee97eab9c19 | Cobalt Strike |
523dcd9d9b971a8b4c53b5cfd9a003d7fcc0e6a4e0a06039db7f87ba7fb0a167 | Cobalt Strike |
664bb48bf3e8a7d7036e4b0029fa10e1a90c2562ad9a09a885650408d00dea1b | Cobalt Strike |
461ba29d9386de39071d8f2f7956be21fb4fa06df8dd1db6dec3da0982e42f9f | Cobalt Strike |
d551b4f46ad7af735dfa0e379f04bdb37eda4a5e0d9fe3ea4043c231d034176c | Cobalt Strike |
8b23414492ebf97a36d53d6a9e88711a830cbfb007be756df4819b8989140c2d | Cobalt Strike |
a8611c0befdb76e8453bc36e1c5cfea04325e57dffb21c88760c6e0316319b36 | Cobalt Strike |
d4e9986e9ad85daae7fabd935f021b26d825d693209bed0c9084d652feef0d77 | Cobalt Strike |
a7f477021101837696f27159031c27afec16df0a92355dfe0eb06e8b23bff7f6 | Cobalt Strike |
00be065f405e93233cc2f0012defdcbb1d6817b58969d5ffd9fd72fc4783c6f4 | Cobalt Strike |
3f0256ae16587bf1dbbd3b25a50f972883ae41bce1d77f464b2a5c77fd736466 | Cobalt Strike |
e2a5fb1ca722474b76d6da5c5b1d438a1e58beca52864862555c9ab1b533e72d | ScreenConnect |
ea38cff329692f6b4c8ade15970b742a9a8bb62a44f59227c510cb2882fa436f | ScreenConnect |
d7267fe13e073dcfe5b0d319e41646a3eb855444d25c01d52d6dab9de695e1b1 | ScreenConnect |
91605641a4c7e859b7071a9841d1cd154b9027e6a58c20ec4cadafeaf47c9055 | ScreenConnect |
df28158ea229ab67f828328fc01ea7629f3b743ecea8c0b88fba80cd7efc3a75 | ScreenConnect |
5778bf9e4563a80ec48e975eaa81fd6fe2f4b504ffcd61fcfbceb65a45eb8345 | ScreenConnect |
bcaa3d8dcba6ba08bf20077eadd0b31f58a1334b7b9c629e475694c4eeafd924 | ScreenConnect |
d40ae98a7d18c2c35c0355984340b0517be47257c000931093a4fc3ccc90c226 | ScreenConnect |
935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2 | Atera |
d0ceb18272966ab62b8edff100e9b4a6a3cb5dc0f2a32b2b18721fea2d9c09a5 | Atera |
840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3 | Atera |
cef987a587faded1a497d37cf8d1564a287ef509338dbd956ea36c8e6aa9a68e | Atera |
bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527 | Atera |
3a3fe8352e0a2bca469dba0dc5922976d6ba4dc8b744ac36056bfb25dbf7fc68 | Atera |
8258756c2e0ca794af527258e8a3a4f7431fbd7df44403603b94cb2a70cb1bdf | Atera |
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450 | Atera |
486b2c2b0ca934ab63a9cf9f4b660768ad34c8df85e6f070aec0b6a63f09b0d8 | Atera |
6f88fb88ffb0f1d5465c2826e5b4f523598b1b8378377c8378ffebc171bad18b | Atera |
ec436aeee41857eee5875efdb7166fe043349db5f58f3ee9fc4ff7f50005767f | Atera |
5d8f9cf481d72c53438cdfff72d94b986493e908786e6a989acad052d1939399 | Atera |
5157d2c1759cb9527d780b88d7728dc4ba5c9ce5fddff23fb53c0671febb63bc | Atera |
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c | Atera |
9a7c58bd98d70631aa1473f7b57b426db367d72429a5455b433a05ee251f3236 | Atera |
ff79d3c4a0b7eb191783c323ab8363ebd1fd10be58d8bcc96b07067743ca81d5 | Atera |
35e6742e840490ee8ccfbbccacd5e7e61a1a28a2e23fb7b5083a89271a5fd400 | Atera |
265b69033cea7a9f8214a34cd9b17912909af46c7a47395dd7bb893a24507e59 | WinRAR |
f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba | WinRAR |
b1e7851bd2edae124dc107bec66af79febcb7bc0911022ac31b3d24b36b3f355 | WinRAR |
8258756c2e0ca794af527258e8a3a4f7431fbd7df44403603b94cb2a70cb1bdf | WinRAR |
9e3c618873202cd6d31ea599178dd05b0ab9406b44c13c49df7a2cbc81a5caa4 | WinRAR |
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450 | WinRAR |
d1144b0fb4e1e8e5104c8bb90b54efcf964ce4fca482ee2f00698f871af9cb72 | WinRAR |
0244b889e1928a51b8552ab394f28b6419c00542a1bbc2366e661526790ec0a7 | WinRAR |
0d068a6aa2df88613e1c5c7ba412a5a5bc3cadc3f3ab4b76d10035ba8eec27bf | WinRAR |
33f6acd3dfeda1aadf0227271937c1e5479c2dba24b4dca5f3deccc83e6a2f04 | Restic |
99abf0d33e2372521384da3c98fd4a3534155ad5b6b7852ebe94e098aa3dc9b8 | TightVNC |
366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c | WinSCP |
eea7d9af6275c1cbf009de73a866eac4bc5d0703078ffe73b0d064cca4029675 | WinSCP |
2e64bf8ca66e4363240e10dd8c85eabbf104d08aba60b307435ff5760d425a92 | Pandora RC |
40c81a953552f87de483e09b95cbc836d8d6798c2651be0beba3b1a072500a15 | Chisel |
d3b125f6441485825cdf3e22e2bfdeda85f337e908678c08137b4e8ef29303db | Chisel |
b9ef2e948a9b49a6930fc190b22cbdb3571579d37a4de56564e41a2ef736767b | Chisel |
9b78a7d8fd95fe9275c683f8cca54bc6c457b2cb90c549de227313a50da4fc41 | Chisel |
7ef2cc079afe7927b78be493f0b8a735a3258bc82801a11bc7b420a72708c250 |