Global Group ransomware gang running new campaign using Windows shortcut files

Uncommon tactic

The Global Group ransomware takes a strikingly unconventional approach: it operates entirely offline. Where typical ransomware depends on a command and control server, this variant performs all of its activity locally on the compromised system, with no network communication at all. As cybersecurity expert McElligott noted in a recent email, “This tactic is very uncommon.”

Modern ransomware normally relies on network communication to coordinate encryption, exfiltrate data, and run double extortion, with leak sites and negotiation portals designed to pressure victims into paying. Global Group diverges from that established pattern.

Rather than fetching an encryption key from an external server, the ransomware generates the key on the host itself, and because it never contacts a server, no data leaves the machine: the exfiltration claimed in its ransom note does not actually take place. Generating the key locally is not the same as leaving it recoverable, though; ransomware commonly protects a host-generated key with an attacker-held public key embedded in the binary, so a victim's recovery still hinges on backups rather than on pulling the key out of the infected system.

McElligott elaborated on the implications of this approach, explaining that exfiltrating data complicates an attack and leaves a trail of forensic evidence. By concentrating solely on encryption, the ransomware can execute faster, reach a broader range of victims, and reduce the likelihood of detection. In many cases, she added, encryption alone is enough to compel payment, because of the operational downtime it inflicts on the affected organization.
