Friday 30th September 2022

Week 39 | 26th – 30th September 2022

Key Issue: FIN7 adopts new tactics and upgrades ALPHV ransomware capabilities
Cybercriminals: Cybercriminals compromise telecommunications organisations
Nation-State: Chinese state espionage units target Tibetan and Uyghur communities
Hacktivists: Anonymous targets Iranian-state entities amid human rights protests

 

FIN7 adopts new tactics and upgrades ALPHV ransomware capabilities

This week we reported on the ransomware-as-a-service (RaaS) group FIN7. The group has adopted new tactics, techniques, and procedures, including an upgrade to its ALPHV ransomware capabilities to feature both the Exmatter data exfiltration tool and the Eamfo information-stealing malware. The group’s latest version of ALPHV is the first instance of ransomware coded in Rust being used in real-world operations. The newly developed capability to corrupt exfiltrated files within the victim’s environment marks a novel shift in data ransom and extortion tactics, in which victim data is destroyed rather than encrypted. Destroying data in a victim’s environment means that only the threat actor maintains a copy of the files post-intrusion, greatly increasing their leverage for payment. This shift is likely driven in part by the intensive development process that ransomware encryption tools require, for a capability that is largely redundant if a victim’s data can be reliably exfiltrated and then corrupted using malware. This has potential implications for the data extortion threat landscape, as lower-cost exfiltration and corruption tools may make it possible for current RaaS affiliates to strike out on their own, replacing development-heavy encryption ransomware with data destruction and exfiltration.
