Ransomware’s New Trend: Exfiltration and Extortion

Author: Drew Schmitt September 17, 2020

It has almost become cliche in cybersecurity that the threat landscape continues to evolve quickly. Following this well-defined trend, we have observed that two key areas have seen a rapid evolution in recent years: data exfiltration and extortion. Our data shows that cyber criminals are exfiltrating data more frequently and increasingly leveraging that data to coerce well-chosen targets to comply with their demands.

In 2018-2019, threat actors began to focus their attacks on targeted victims, taking the time to research both the individuals and their systems before they struck, as we discussed in our previous ransomware white paper. These threat actors of the past two years used their research to up the ante in ransoms costs, by using knowledge of victim financials to refuse to negotiate on initial demands. It wasn't until the end of 2019 that a new trend emerged. Threat actors are not only encrypting data and demanding a ransom for decryption, many are first exfiltrating data from the victim organization and threatening to post it publicly, including on public “shaming” websites, if their ransom demands are not met. The threat inherent in ransomware has escalated yet again.

By the end of Q2 2020, successful data exfiltration during ransomware attacks was observed in 22 percent of all such attacks,1 as discovered by Coveware. Where once the primary concern of ransomware was recovering data and restoring critical systems, today’s victims now have three significant concerns to contend with in this threat type: 1. How do we regain access to our critical business data and systems? 2. What did they take while they were in our systems? 3. What are our reporting obligations?

Until the end of 2019, most would define ransomware as malware that encrypts or locks the victim’s files until a ransom is paid. However, with the rise of variants like Maze, Netwalker, and LockBit, the industry is expanding its definition to incorporate the concept of extortion as core, to include the growing trend of data exfiltration and public shaming websites during many attacks.

In this whitepaper, we will explore the trend of data exfiltration during ransomware attacks, the anatomy of this type of attack, commonly associated Techniques, Tactics, and Procedures (TTPs), and best practices to defend against them. We will also illustrate how these attacks look in real life by reviewing a case study of a recent LockBit attack we observed.

The way we define ransomware is changing. Let’s explore the details of this new trend.

Data Exfiltration During a Ransomware Attack


Figure 1: General Exfiltration-Focused Ransomware Attack Diagram

The Typical Exfiltration-Focused Ransomware Attack

During our investigations of exfiltration-focused ransomware attacks, we have found that there is a common methodology that most threat actors employ as part of their attack lifecycle.

Each ransomware group has their own signatures and TTPs, resulting in a variety of initial intrusion vectors and operating methodologies leading up to data exfiltration. Initial intrusion trends we typically observe include remote desktop protocol (RDP) and phishing emails that often lead to threat actors entering the environment; however, this white paper will focus on threat actor TTPs geared toward data exfiltration and extortion.

The first stage of the methodology, which we call “pre-exfiltration actions,” consists of all actions taken prior to the beginning of the data collection and staging activities needed before successful exfiltration can occur. This is the area where we observe the greatest degree of variation between threat actors. During the pre-exfiltration actions, the threat actor will commonly establish access and persistence to the environment while conducting reconnaissance to identify high-priority systems that may contain sensitive data.

Once the threat actor has identified priority systems on the network and moved laterally to the targeted systems, they will commonly begin the collection and staging phase of their attack. During this phase, they will search for files that appear to contain sensitive content and begin to stage them for exfiltration. The staging effort may be conducted on a per-system basis, or it may reside on a single system that contains staged files from all impacted systems.

Once the threat actor has accomplished their goal of data collection and staging, they will begin to perform data exfiltration. There are many methods of exfiltrating data; however, we have observed a large increase in the number of third-party file sharing applications used for this purpose. Most of these products leverage web browsers and internet connectivity to blend in with expected web traffic during the exfiltration process.

Once the data has been successfully exfiltrated from the environment, the threat actor will commonly deploy and execute ransomware in the victim environment before leaving to conduct the extortion phase of the attack.

The Extortion Phase

With the rise in data exfiltration during ransomware attacks came a rise in “shaming” websites, which are leveraged by threat actors to extort victims into paying the ransom. The shaming website is used by threat actors as a tool to publicly name victims and post stolen data in an effort to extort them into paying the ransom demand. In some cases, we observe the shaming websites only drawing attention to specific victims that have been affected by the ransomware group by merely naming them. However, to add legitimacy to the threat actor’s claim and put additional pressure on the victim, they most often will publish a small subset of data exfiltrated from the victim’s environment.

If the victim organization chooses to pay the ransom demanded, threat actors typically both remove the victim’s data from the shaming site and provide the decryption key and decryption utility for the victim organization to recover their files. In very limited circumstances, we have observed threat actors request a second payment to also remove the victim’s data from the shaming site after the first ransom payment had already been made. If the victim organization chooses not to pay the ransom, threat actors will typically post the remaining exfiltrated data to the shaming site; however, in a limited number of our investigations, the threat actors have not posted additional data to the shaming site as they originally threatened.

As part of our intelligence gathering process, we closely monitor over 10 shaming sites for changing extortion techniques and victim organizations.

LockBit Case Study

We first began seeing LockBit attacks in the last two quarters of 2019. As we discussed above, LockBit has followed the trend of other ransomware groups that use an extortion site to publish data stolen during the attack. LockBit has been associated with the Maze Cartel ransomware group, as LockBit publishes exfiltrated data on the Maze Cartel’s extortion site. The threat actors behind LockBit typically move very quickly, accessing an environment within a few hours before deploying the self-propagating ransomware that can infect hundreds of devices. Globally, the attacks are mostly focused on corporate environments.

Over the past 12 months, Crypsis has investigated dozens of LockBit cases. The majority have encompassed the key TTPs discussed above. Using the MITRE Attack Framework, we will walk through a recent LockBit ransomware case during which data was exfiltrated. It is also important to note that LockBit is known to be used as a Ransomware as a Service (RaaS), which may lead to variability in the TTPs used.

Anatomy of a LockBit Attack Through a MITRE Lens


Figure 2: LockBit Attack Diagram

Initial Access

MITRE ATT&CK Techniques: T1133

In our experience, LockBit leverages valid user credentials to access the target organization through Remote Desktop Protocol (RDP) services exposed to the internet or Virtual Private Network (VPN) services. In each scenario, the threat actor is able to access and remain within the environment as long as the account credentials remain valid.

In many cases, we observed that valid credentials were obtained through the use of brute force password guessing attacks, which allowed the threat actor to repeatedly attempt to authenticate to the targeted service until valid credentials were discovered.


MITRE ATT&CK Techniques: T1059, T1569


Figure 3: LockBit desktop background

During our investigations, we observed the threat actor use a Windows executable to propagate the ransomware on the system. The execution of LockBit resulted in encrypted files using the “.lockbit” file extension, the creation of multiple files named “Restore-My-Files.txt,” and a file placed on a user’s desktop called “LockBit-note.hta.” Each version of the ransom note contained information needed to contact the threat actor to arrange payment in exchange for a decryption key. The desktop background was also changed to point the impacted system’s user to “Restore-My-files.txt” for further information regarding their encrypted files.


Figure 4: LockBit Read Me File Example


Figure 5: Read Me File 2 Example

Additionally, we observed that the execution of LockBit results in the creation of a registry run key to establish persistence for the ransomware executable and the storage of victim information in the registry key “SOFTWARE\LockBit.”


Figure 6: Reg Victim Info Example

Our findings regarding execution are consistent with analysis completed by McAfee Labs and SophosLabs and details can be found in their respective blogs. In several cases, the threat actor leveraged Windows services to execute malware associated with the remote access tool Meterpreter. This technique allowed the threat actor to utilize a service for a one-time execution of Meterpreter, which may also contribute to persistence and privilege escalation capabilities.


Figure 7: Meterpreter EID: 7045 Image


MITRE ATT&CK Techniques: T1547

During several investigations, we have found that LockBit establishes persistence by leveraging Windows registry run keys. During our investigations, we most commonly saw LockBit establish persistence utilizing “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” as shown in the example below.


Figure 8: Run Key LockBit

Additionally, LockBit established persistence for the HTA version of the ransom note utilizing HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run as shown below.


Figure 9: Run Key HTA

Privilege Escalation

MITRE ATT&CK Techniques: None Observed

During our investigations, we did not commonly see explicit attempts at privilege escalation through exploiting vulnerabilities in software or the Windows operating system. Most commonly, we witnessed the threat actors utilize tools such as Mimikatz to obtain the credentials of privileged accounts.

Defense Evasion

MITRE ATT&CK Techniques: T1070, T1562

The threat actors behind LockBit, like many other ransomware groups, have been known to use GMER to stop security tools, such as anti-virus and endpoint detection and response (EDR), from effectively running in the environment in an effort to prevent alerting and detection by the victim organization.

Additionally, the LockBit threat actors commonly clear event logs as part of their evidence destruction process. We have frequently seen the threat actors use the commands below to clear the system, application, and security event logs:

wevtutil cl system

wevtutil cl application

wevtutil cl security

Credential Access

MITRE ATT&CK Techniques: T1003

Again, like many other ransomware groups, LockBit is most commonly seen utilizing Mimikatz to obtain dumps of the Windows Local Security Authority Subsystem Service (LSASS) to retrieve credentials of legitimate user and administrator accounts to aid in lateral movement and post-exploitation actions.


MITRE ATT&CK Techniques: T1016, T1018, T1033, T1046, T1049, T1069, T1082, T1087, T1482

The threat actors behind LockBit reconnoiter the victim environment heavily before beginning to pursue lateral movement and post-exploitation actions. During our investigations, we have found that Sysinternals tools such as PsGetSid are used to translate user accounts to their corresponding SID and vice versa. Additionally, the threat actors leverage several tools to conduct network discovery including Advanced Port Scanner and Softperfect Network Scanner. Lastly, the threat actors commonly retrieve detailed information about the victim Active Directory environment using tools such as ADFind.

Although these tools are not explicitly indicative of the threat actors associated with LockBit, the utilization of these tools for discovery provides critical insight into the operating methodology of the threat actors.

Lateral Movement

MITRE ATT&CK Techniques: T1021, T1072

The Lateral Movement phase is critical for the LockBit threat actors. Based on our investigations, the LockBit threat actors are searching for sensitive data to exfiltrate from the environment prior to conducting the ransomware attack.

Most commonly, we have seen the LockBit threat actors leverage valid credentials obtained in other phases of the attack and RDP for interactive access to additional systems on the network. During our investigations, we found that interactive access was most commonly associated with the collection, staging, and exfiltration of data from the network using third-party file sharing utilities.

In other cases, we see the threat actors leveraging interactive access to execute tools such as Mimikatz, PsExec, and the LockBit executable through the use of file shares on compromised systems in the victim environment.


MITRE ATT&CK Techniques: T1005, T1039, T1074, T1213

As mentioned previously, from our experiences investigating the LockBit threat actors, the collection of files most commonly occurs through interactive RDP access by the threat actor. During this phase in the LockBit attack, the threat actors prepare a third-party file sharing application for use and stage the collected files in specific file locations in preparation for exfiltration.

Command and Control

MITRE ATT&CK Techniques: T1573, T1219

We have not observed any command and control communication from the LockBit executables; however, as mentioned previously, we have discovered that the threat actors have used Meterpreter during some of their attacks. This allows the threat actors to communicate directly with the impacted system without needing interactive access through services like RDP.


MITRE ATT&CK Techniques: T1567

Exfiltration in LockBit cases is extremely common. Based on our investigations, we have seen the use of third-party file transfer utilities become the most widely used exfiltration method. LockBit threat actors have used common FTP utilities like FileZilla but have gravitated toward using free file syncing and sharing utilities like FreeFileSync and MEGA. Each of these solutions is free for use by the threat actors with minimal setup and extremely effective at exfiltrating data from the victim environment.

FreeFileSync is a free and open source data synchronization utility aimed at backing up Windows, MacOS, and Linux devices. This application allows the threat actors to easily sync files from one system to another. Additionally, the file syncing actions can be completed at the command line, which minimizes the likelihood of being detected during execution and can be completed remotely.


Figure 10: The command line capabilities of FreeFileSync

MEGA, also commonly referred to as MegaSync, is another frequently used file sharing utility that has become extremely popular by the LockBit threat actors. The service provides a free, 50GB account, which allows a low bar of entry to exfiltrating data using various forms of the MEGA application including a desktop application, command line tool, or browser extension.

One main advantage for the LockBit threat actors is that MEGA is a cloud-based application, so there is no infrastructure build out needed to transfer the data from the victim environment to the attacker-controlled MEGA account. With a valid email account and access to a web browser, access to MEGA can be established in just a few minutes, and the threat actor has the ability to upload files from the victim system. An alternative observed during our investigations was the use of the MEGA desktop application, which provides the same file transfer capabilities as the web version.


Figure 11: The MEGA web based interface used during data exfiltration

Another critical advantage provided by utilizing MEGA is baked into end-to-end encryption, which makes blue team detections via network signatures difficult. Blue teams would need to rely on aggregated flow data based on an established baseline to detect anomalies in the environment; however, with so many tools and suites utilizing cloud storage, this activity might not appear to be malicious at all.

We most commonly observed LockBit threat actors staging collected files and archives in directories named for each system data was exfiltrated from. The threat actors then uploaded the contents of each directory to the MEGA console before moving to conduct the execution of ransomware across the environment.


MITRE ATT&CK Techniques: T1485, T1486, T1490

Like many ransomware groups, the LockBit threat actors focus on data destruction to prevent the victim organization from being able to easily recover after the ransomware attack has been completed.

During the data destruction effort, the LockBit threat actors have been seen to execute the following commands that delete volume shadow copies from the impacted system, delete the Windows backup catalog, and prevent the impacted system from performing recovery capabilities such as booting into Automatic Startup Repair.

vssadmin delete shadows /all /quiet

wmic shadowcopy delete

bcdedit /set {default} bootstatuspolicy ignoreallfailures

bcdedit /set {default} recoveryenabled no

wbadmin delete catalog -quiet

And of course, this was a ransomware attack, so files on impacted systems were encrypted and not able to be accessed without the decryption key.


Figure 12: Summary of MITRE ATT&CK Tactics and Techniques Leveraged During the LockBit Attack

Lessons Learned

The technique of data exfiltration and extortion during ransomware attacks demonstrates how threat actors continue to find new and destructive ways to target victims, earn money for their efforts, and coerce victims to pay. Organizations are now facing a triple threat, facing potentially significant financial loss through encrypted files, concerns about data theft, and worries about reporting requirements, which can lead to reputational damage. With the continued growth in use of this technique (and as highlighted in our LockBit case study), this new definition of ransomware appears to be here to stay.

The evolution of ransomware continues - recent research suggests that a new trend may be emerging where ransomware gangs are attempting to bribe insiders to help them launch ransomware attacks, increasing the complexity of protecting against these destructive attacks.

We recommend organizations implement the following best practices to help mitigate the risk of both a ransomware attack and associated data exfiltration:

  • Integrate multi-factor authentication (MFA) for all remote access, internet accessible, and business email accounts.
  • Disable any direct external RDP access and ensure all external remote administration is conducted through an enterprise-grade MFA VPN
  • Conduct comprehensive, rigorous end user training on standard and advanced phishing and social engineering techniques. It is important to tailor the curricula to fit your organization and employee roles
  • Patch all systems as quickly as possible
  • Set up alerting on anonymous logins based on geolocation and other parameters that fit possible malicious activity, including Non-RFC1918 addresses logging in using RDP
  • Understand where sensitive data lives and implement strong access controls to protect that data; monitor and audit access regularly.
  • Leverage log aggregation systems, such as a Security Information and Event Management (SIEM) system, to increase log retention, integrity, and availability.
  • Regularly create and test backups; ensure the backups are stored off network and are protected so threat actors cannot gain access and disable or delete backups to prevent recovery.

1 https://www.coveware.com/blog/q2-2020-ransomware-marketplace-report

Topics: Security Insights