Ransomware threat actors have been extorting money after taking control over organizations’ internal networks, distributing ransomware, encrypting systems, and holding system restoration for ransom. Recently, however, threat actors not only encrypts the systems but also leaks internal data and threatens to expose them publicly if the ransom is not paid.
Usually, these threat actors collect data, compress them, and leak them publicly. In such processes, threat actors utilize many legitimate utility programs. These programs already allow stable transfer of large-sized data, so self-manufacturing is not needed, unlike ransomware for file encryption or malware strains for initial access.
Over the years, many ransomware threat actors have engaged in malicious activities, but they mostly used a limited selection of tools during their data leak phase. Most of them leak data via FTP protocol and the cloud. For FTP, threat actors mainly use WinSCP and FileZilla, and for the cloud, they mostly use MegaSync and Rclone. The mentioned tools are popular amongst regular users and administrators for work and personal purposes. Because of these two factors, antivirus software on its own may not be able to effectively block threat actors from using legitimate tools to leak data that exist inside the organizations’ internal systems.
AhnLab EDR (Endpoint Detection and Response) is a next-generation threat detection and response solution, providing powerful threat monitoring, analysis, and response capabilities for endpoint areas based on South Korea’s only self-behavior-based engine. AhnLab EDR collects information on suspicious behaviors by type around the clock, allowing users to precisely perceive threats from a detection, analysis, and response perspective. Comprehensive analysis using the collected data allows administrators to identify the cause, make appropriate responses, and establish processes to prevent threat recurrence.
This article discusses cases in which administrators can use AhnLab EDR to detect tools used by attackers in the data leak phase to discover causes and form appropriate measures.
WinSCP is an FTP client tool that supports file transfer between clients and servers. It is one of the most popular FTP client tools use by many users because it is free and supports not just FTP, but also various protocols such as FTPS, SFTP, and SCP.
Given its popularity, there have been cases where many threat actors used ransomware such as Hive , Akira , and Maze  during the data leak phase. AhnLab EDR detects the activity of using WinSCP (a legitimate program) to transfer data as a key behavior as shown below, and helps administrators recognize the behavior.
FileZilla, like WinSCP, is an FTP client tool which supports protocols such as FTP, FTPS, and SFPT. It is also commonly used because most of its features are free to use.
Some of the ransomware threat actors who use FileZilla to steal organizations’ internal data are LockBit , Conti , and BlackCat (ALPHAV) . AhnLab EDR detects the activity of using FileZilla (a legitimate program) to transfer data as a key behavior as shown below, and helps administrators recognize the behavior.
MEGA is a cloud storage service provider that supports a client program named MegaSync for the upload/download of large-sized files. Ransomware threat actors compress the data stolen after dominating the internal network, and upload it onto MEGA Cloud. There were multiple cases in which threat actors installed MegaSync—provided by MEGA Cloud as mentioned above—and used it to upload the data.
Ransomware threat actors known to use MegaSync during the data leak phase are Nefilim , Money Message , and Revil . AhnLab EDR detects the activity of using MegaSync (a legitimate program) to transfer data as a key behavior as shown below, and helps administrators to recognize the behavior.
Rclone is a program that supports file transfers for various cloud storage services. It supports most of the operating systems such as Windows, Linux, and Mac, as well as a majority of cloud services such as Dropbox, Google Drive, Microsoft OneDrive, and MEGA Cloud. Threat actors save the cloud service and account information (which will be used to upload leaked data) into the configuration file and upload data for leak using the following commands .
Compared to the tools introduced above, Rclone is used by even more attackers and is found in significantly more attack cases due to its large range of cloud service support. Besides Revil, Conti, Akira, and BlackCat mentioned above, other ransomware threat actors such as BlackBasta , Cactus , DarkSide , and Royal  have used Rclone in their attacks. AhnLab EDR detects the activity of using Rclone (a legitimate program) to transfer data as a key behavior as shown below, and helps administrators to recognize the behavior.
Ransomware threat actors, after dominating organizations’ internal networks, steal internal data before encrypting their systems to threaten the victims. During the data leak phase, threat actors mainly use tools such as WinSCP, FileZilla, MegaSync, and Rclone. These tools are programs that many users use in their normal and regular tasks. As malicious activities are carried out using legitimate tools, an antivirus software on its own may have difficulties detecting and blocking them.
AhnLab EDR detects the activity of legitimate tools that are used during the data leak phase as a key behavior and helps administrators recognize the behavior. Administrators can use AhnLab EDR’s capability to find causes and form appropriate measures. Even when the systems are exposed to ransomware attacks, data can still be gathered from the targeted systems which can be used as evidence for the investigations.
AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.