Uncommon tactic
Interestingly, the Global Group ransomware operates in a fully mute mode – that is, instead of communicating through a command and control server, it performs all activity locally on the compromised system. “This tactic is very uncommon,” McElligott said in an email. “Typically, modern ransomware relies on network communication to enable encryption, data exfiltration, double extortion tactics, leak sites, and negotiation infrastructure. Stolen data is used to increase pressure on victims to pay the ransom demands.”
The ransomware doesn’t retrieve an external encryption key; instead, it generates the key on the host machine itself. As a result, despite the claims made in its ransom note, data isn’t exfiltrated.
Exfiltrating data can slow attacks and leave more forensic artifacts, McElligott explained. By focusing on encryption only, ransomware attacks can be deployed faster, hit more victims, and be less likely to be detected. In many cases, she added, data exfiltration isn’t necessary to force payment, as encryption alone can cause significant downtime.
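Because this ransomware never contacts a command and control server and never exfiltrates anything, detections that key on beaconing or on outbound data volume see nothing; the only signals are on the host. The example below is added here and is not code from the article or from the researchers quoted; it shows one host-side check a defender can run, a content-entropy scan that flags files whose bytes look like ciphertext. The 7.5 bits/byte threshold, the 64 KiB sampling window and the sample tree of constructed plaintext and random files are assumptions for the demonstration, not values from the article.

```python
import math
import os
import tempfile
from collections import Counter

# Assumed threshold: ciphertext and random data sit near 8.0 bits/byte,
# natural-language text and most office documents sit well below it.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, threshold: float = HIGH_ENTROPY, sample: int = 65536) -> bool:
    """True when the first `sample` bytes of the file have near-maximal entropy."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(sample)) >= threshold


def scan_tree(root: str, threshold: float = HIGH_ENTROPY):
    """Walk a directory tree; return (regular files seen, paths that look encrypted)."""
    seen, flagged = 0, []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            seen += 1
            if looks_encrypted(path, threshold):
                flagged.append(path)
    return seen, flagged


def encrypted_fraction(root: str, threshold: float = HIGH_ENTROPY) -> float:
    """Share of files under root that look encrypted; a sudden jump is the alert signal."""
    seen, flagged = scan_tree(root, threshold)
    return len(flagged) / seen if seen else 0.0


def build_sample_tree(n_plain: int = 3, n_random: int = 3) -> str:
    """Constructed sample data: plain-text reports beside files of random bytes
    standing in for encrypted output. Nothing here comes from a real incident."""
    root = tempfile.mkdtemp(prefix="entropy_demo_")
    for i in range(n_plain):
        with open(os.path.join(root, f"report{i}.txt"), "w") as fh:
            fh.write("Quarterly report. Revenue figures and notes.\n" * 200)
    for i in range(n_random):
        with open(os.path.join(root, f"report{i}.bin"), "wb") as fh:
            fh.write(os.urandom(4096))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    seen, flagged = scan_tree(root)
    print(f"{len(flagged)} of {seen} files under {root} look encrypted")
    for path in flagged:
        print("  flagged:", os.path.basename(path))
    print(f"encrypted fraction: {encrypted_fraction(root):.2f}")
```

Entropy alone is a coarse signal: archives, compressed images and already-encrypted containers also score near 8.0, so in practice the scan is run against a baseline and the alert condition is the rate of change (many previously low-entropy files becoming high-entropy in a short window), which is also the pattern that a fast encryption-only attack produces.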