Uncommon tactic
The Global Group ransomware has introduced a distinctive approach to its operations, functioning entirely in a mute mode. Unlike traditional ransomware, which typically communicates with a command-and-control (C2) server, this variant executes all of its activities locally on the compromised system. As McElligott noted in a recent email, “This tactic is very uncommon.”
Modern ransomware usually relies on network communication for several purposes, including encryption, data exfiltration, and double extortion tactics. These methods often involve leak sites and negotiation infrastructure, where stolen data is leveraged to pressure victims into complying with ransom demands. The Global Group ransomware, however, diverges from this norm.
Rather than retrieving an external encryption key, it generates the key directly on the host machine. Consequently, despite the assertions made in its ransom note, no data is actually exfiltrated. This approach not only streamlines the attack process but also minimizes the risk of detection.
McElligott elaborated on the advantages of this method, explaining that exfiltrating data can slow down attacks and leave behind more forensic artifacts. By concentrating solely on encryption, ransomware attacks can be executed more swiftly, allowing attackers to target a larger number of victims while reducing the likelihood of being discovered. In many instances, she pointed out, the mere act of encryption creates enough disruption to compel victims to pay the ransom, rendering data exfiltration unnecessary.