While traditional ransomware attacks can cause significant harm, such as disrupting businesses and resulting in data loss, there are cases where atypical attacks, despite being labeled as ransomware, do not involve data encryption.
These encryption-less attacks may involve malware that steals data and extorts the targeted organization by threatening to leak it publicly, or malware that merely creates the illusion of encryption, known as “scareware.”
These types of attacks can still have a significant impact on victims, potentially leading to financial loss and service outages, depending on the circumstances.
Instances of scareware posing as ransomware have recently been discovered by researchers from the CYFIRMA team. One example is a new strain of malware called ‘ALC Ransomware,’ which pretends to be ransomware but is actually scareware.
Instead of encrypting files on the victim’s machine, this malware disables the task manager, locks the screen, and displays a ransom note. Although this is more of an annoyance than an actual threat, unsuspecting users or surprised employees may fall for the ruse.
The entire process takes only seconds, indicating that no encryption actually occurs. However, this sign may be easily missed if the attacked systems are not actively monitored by IT staff.
The scareware demands that the victim send 554 XMR (Monero), equivalent to approximately $85,000 USD, to the attacker’s wallet in order to receive a working decryptor in return. The ransom note provides an email address and a Telegram contact for communication, and the victim is advised to contact the threat actor using their victim ID. However, CYFIRMA has found that the victim ID is always the same, indicating that there is no unique decryption key to derive from it.
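A triage check in that spirit, added here as an example (not code from the article, CYFIRMA or MonsterCloud): before anyone treats a ransom note as proof of encryption, sample file contents and test whether they were actually encrypted, using Shannon entropy plus a short list of magic headers. The header list, the 7.5 bits/byte threshold and the 50% verdict cut-off are assumptions chosen for illustration.

```python
"""Triage check for a claimed ransomware incident: were files really encrypted?
Scareware such as the ALC strain locks the screen and shows a note while file
contents stay intact; real encryption leaves near-random bytes with no header."""
import math
import os
import random
from collections import Counter

# Assumed magic bytes of common document types; a file keeping its header was not encrypted.
MAGIC = (b"%PDF", b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG", b"\xd0\xcf\x11\xe0")
ENTROPY_THRESHOLD = 7.5  # assumed bits/byte cut-off; encrypted data sits near 8.0
HEAD = 4096              # bytes inspected per file

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes) -> bool:
    """Near-random content with no recognisable header.  An archive or media
    format missing from MAGIC is a false positive, so judge the ratio, not one file."""
    if any(data.startswith(m) for m in MAGIC):
        return False
    return shannon_entropy(data[:HEAD]) >= ENTROPY_THRESHOLD

def triage(samples) -> dict:
    """Count sampled file heads that look encrypted and give a verdict."""
    samples = list(samples)
    hits = sum(looks_encrypted(s) for s in samples)
    ratio = hits / len(samples) if samples else 0.0
    verdict = "likely real encryption" if ratio > 0.5 else "files intact: scareware / lock screen only"
    return {"sampled": len(samples), "encrypted": hits, "ratio": ratio, "verdict": verdict}

def sample_directory(root: str, limit: int = 200):
    """Yield the first HEAD bytes of up to `limit` regular files under `root`."""
    seen = 0
    for dirpath, _, names in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in names):
            if seen >= limit:
                return
            if os.path.isfile(path):
                seen += 1
                with open(path, "rb") as fh:
                    yield fh.read(HEAD)

# Constructed samples standing in for files on a "locked" host (not real data).
INTACT_FILES = [b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >>\n" * 60,
                b"Quarterly figures, Q3\n" * 100, b""]
ENCRYPTED_FILES = [random.Random(i).randbytes(HEAD) for i in range(3)]
```

On a live host, `triage(sample_directory("/path/to/user/data"))` gives the same summary over real files; a verdict of "files intact" is the signal that the note is a bluff rather than a locker.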
ALC ransomware appears to be poorly crafted and may be in its early stages of development, or created by low-tier cybercriminals lacking the skills to develop a working data locker. Nevertheless, ALC ransomware is still active and has been observed targeting Russia and its counterparts, causing significant damage to the affected organizations, according to CYFIRMA’s findings.
In addition to scareware posing as ransomware, there are also ransomware gangs that skip the encryption step and focus on stealing data and extortion instead. For example, the BianLian ransomware gang, as reported by cybersecurity company Redacted, has abandoned its previous strategy of deploying a custom data locker on victim devices and now focuses on delivering more powerful extortion arguments to its victims.
Furthermore, there are new ransomware operations, such as SnapMC, analyzed by NCC Group, that focus solely on stealing data from breached organizations’ networks and do not use a ransomware strain at all. This has given rise to extortion groups like Karakurt and RansomHouse, which do not use any ransomware tools but instead receive stolen data from affiliated network intruders and conduct extortion against the victimized organizations.
Ransomware attacks vary in complexity and characteristics depending on the threat actor and the type of strain used, if any. Engaging experts in the field, such as MonsterCloud, can be the best way to handle the aftermath of ransomware attacks and mitigate their impact in a timely and confident manner.
MonsterCloud possesses the knowledge and expertise to identify encryption-less threats, eradicate any remnants of malware from breached systems, and enable organizations to return to normal operations quickly and securely.