December 16, 2024

Cato CTRL Threat Research: Sophisticated Data Exfiltration Tools Used in Double Extortion Ransomware Attacks by Hunters International and Play 

Zohar Buber, Or Mayersohn

Executive Summary

Modern ransomware attacks have evolved beyond simple encryption into double extortion. Threat actors now systematically exfiltrate sensitive data before encrypting systems, which gives them leverage even when victims hold robust backups. Some ransomware gangs have abandoned encryption altogether, having found that the threat of data exposure is often more effective at compelling ransom payment.

The financial stakes are significant: IBM reports that the global average cost of a data breach in 2024 is $4.88 million USD. These costs are driven by regulatory fines, legal expenses, and lasting reputational damage, particularly when sensitive or personal data is involved. Threat actors capitalize on this by publishing proof of stolen data on dark web forums to increase pressure on victims.

Recent investigations by the Cato CTRL and Cato MDR teams into two separate cases, involving the Hunters International and Play ransomware gangs, have identified a critical early warning sign of double extortion: unusual internal data-copying activity. Organizations typically focus on monitoring external data uploads, yet this internal movement is often a preliminary step in the exfiltration process and frequently goes undetected.

(Note: A high-level case study of Hunters International was included in our recently published Q3 2024 Cato CTRL SASE Threat Report.) 


Cato Networks offers a dynamic and proactive defense with the Cato SASE Cloud Platform by blocking modern ransomware attacks throughout the attack chain. Key protective measures include: 

  • Network-based DLP protection to block sensitive file uploads.  
  • Advanced anomaly detection engine to identify unusual data movement patterns that deviate from normal behavior. 
  • Sophisticated heuristics to detect and block specific tools used in the exfiltration process. 
  • Cutting-edge research and analysis by Cato CTRL to stay ahead of emerging threats. 

Technical Overview 

Hunters International 

Hunters International is a relatively new but highly active ransomware gang that emerged in late 2023. This group is believed to have evolved from the now-defunct Hive ransomware gang, displaying notable technical similarities in their operations. Hunters International operates under the Ransomware-as-a-Service (RaaS) model, allowing them to provide tools and services to other cybercriminals, which significantly expands their reach and impact. 

The group’s tactics, techniques, and procedures (TTPs) are sophisticated and constantly evolving. They typically gain initial access through phishing emails, social engineering, supply chain attacks, and Remote Desktop Protocol (RDP) exploits. Once inside a network, they maintain persistence through methods such as Boot or Logon Autostart Execution. They also employ obfuscation techniques to evade detection and impair defenses, making it harder for security teams to identify and mitigate their attacks.

WorkersDev Backdoor 

In a July 2024 investigation at a UK-based technology company, the WorkersDev backdoor was identified as Hunters International’s initial infection vector. The malware is delivered through malvertising domains designed to lure IT administrators with advertisements for IT scanner tools.

RoboCopy  

RoboCopy, short for “Robust File Copy,” is a powerful command-line utility included with Windows operating systems. It is designed to efficiently copy large amounts of data, making it a preferred tool for IT professionals and system administrators. RoboCopy is particularly useful for tasks such as data migration, backup, and synchronization of files and directories across different locations. 

During our investigation, we observed RoboCopy being used by Hunters International. This is an example of Living-Off-the-Land Binaries (LOLBins), which are legitimate system tools that threat actors exploit to execute malicious activities. This tactic makes detection and mitigation more challenging for security teams, especially in ransomware attacks. 

One of RoboCopy’s key features is that it copies across the network over SMB (Server Message Block): given a UNC path, it copies files between different systems, relying on the SMB protocol for secure and reliable data transfer.

RoboCopy supports many options and switches that make it effective over SMB. For instance, it can perform multi-threaded copies, speeding up transfers considerably by copying multiple files simultaneously. It can also preserve file attributes and timestamps, so copied files retain their original properties, which matters for data integrity during migrations and backups. Figure 1 shows an example of how RoboCopy is used.

Figure 1. RoboCopy parameters
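As an added example (not code from the original post or from Cato), the following Python heuristic scores RoboCopy command lines taken from process-creation telemetry for the traits of bulk staging this post describes: a UNC source with a local destination, recursion, a high /MT thread count, /R:0, and backup or full-attribute copy modes. The "host|user|cmdline" event layout and the events themselves are constructed assumptions.

```python
"""Heuristic for RoboCopy command lines that look like bulk staging of data
from network shares to a local directory. Added example for this post, not
Cato's detection logic; events are constructed and the 'host|user|cmdline'
layout is an assumption. Every switch named below is a real RoboCopy switch."""
import re
# Constructed process-creation events (not real telemetry).
EVENTS = [
    r"WS03|corp\backupsvc|robocopy.exe D:\Backups \\FS01\Backups /E /MT:8 /LOG:C:\logs\bk.txt",
    r"WS02|corp\jdoe|robocopy.exe \\FS01\Finance C:\Users\jdoe\Public\stage /E /COPYALL /MT:64 /R:0 /W:0",
    r"WS02|corp\jdoe|robocopy.exe \\HR01\Payroll C:\Users\jdoe\Public\stage /S /ZB /MT:32 /R:0",
    r"WS05|corp\alice|robocopy.exe C:\Projects D:\Projects /E",
]
UNC = re.compile(r"^\\\\[^\\]+\\")  # \\server\share...

def parse_robocopy(cmdline):
    """Split 'robocopy.exe SRC DST [switches]' into (src, dst, switches).
    Assumes unquoted paths; returns None for anything that is not robocopy."""
    parts = cmdline.split()
    if len(parts) < 3 or parts[0].lower().rsplit("\\", 1)[-1] != "robocopy.exe":
        return None
    return parts[1], parts[2], [p.upper() for p in parts[3:]]

def score_copy(src, dst, switches):
    """Count traits of a fast, complete pull from a remote share to local disk."""
    reasons = []
    if UNC.match(src) and not UNC.match(dst):
        reasons.append("pulls from a remote share to a local path")
    if "/E" in switches or "/S" in switches:
        reasons.append("recursive copy")
    threads = [int(s[4:]) for s in switches if s.startswith("/MT:") and s[4:].isdigit()]
    if threads and threads[0] >= 16:
        reasons.append(f"high thread count /MT:{threads[0]}")
    if "/R:0" in switches:
        reasons.append("no retries (/R:0), tuned for speed")
    if any(s in ("/COPYALL", "/B", "/ZB") for s in switches):
        reasons.append("backup mode or full attribute copy")
    return len(reasons), reasons

def suspicious_copies(events, threshold=3):
    """Return events scoring >= threshold, with the remote server each pulled from."""
    hits = []
    for line in events:
        host, user, cmdline = line.split("|", 2)
        parsed = parse_robocopy(cmdline)
        if parsed is None:
            continue
        src, dst, switches = parsed
        score, reasons = score_copy(src, dst, switches)
        if score >= threshold:
            server = src.split("\\")[2] if UNC.match(src) else None
            hits.append({"host": host, "user": user, "source_server": server, "reasons": reasons})
    return hits
```

On the constructed events, the scheduled backup job pushing to a share scores low, while the two pulls from different file servers into one local staging folder score high and share the same host and user, which is the pattern worth correlating.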

Play 

The Play ransomware gang has become notorious for its sophisticated and rapidly evolving TTPs. The group is particularly known for exploiting public-facing applications, including vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (CVE-2022-41040 and CVE-2022-41082). It also commonly gains initial access through external-facing services such as Remote Desktop Protocol (RDP) and virtual private networks (VPNs). The group’s skill at identifying and exploiting weaknesses in these systems makes it a formidable threat to organizations worldwide.

During the exfiltration phase, Play uses automated tools to copy the victim’s data to a staging location within the network, preparing it for exfiltration. In a May 2024 investigation at a US-based construction company, we identified a tool known as GreenCollector being used to copy data before exfiltration. This is the first time Play has been observed using this tool during data exfiltration. Below, we examine GreenCollector’s capabilities and its role in Play’s attack strategy.

GreenCollector 

During our investigation, we identified GreenCollector as part of Play’s arsenal. GreenCollector facilitates the copying of files between machines using the SMB protocol, serving as a prerequisite for data exfiltration. The group uses this tool to transfer data to specific destinations within the network, subsequently archiving the data into RAR files for exfiltration. This tool automates the data copying process, streamlining the attacker’s workflow. 

Our analysis of GreenCollector shows that it accepts a single parameter, a directory path, and copies the data from that path into the directory it was executed from, as shown in Figure 2.

Figure 2. GreenCollector parameters

GreenCollector copies the data over the network using the SMB protocol, writing to a shared folder, as shown in Figure 3.

Figure 3. GreenCollector SMB traffic

During our investigation, we found that Play used two known command-and-control (C2) IP addresses associated with SystemBC: 108.61.142.190 and 216.128.128.163. The group frequently relies on this tactic to maintain control over compromised systems.

SystemBC is a versatile malware loader that has been actively used by various threat actors since its discovery in 2019. It primarily functions as a SOCKS5 proxy, enabling attackers to route their traffic through infected systems and effectively mask their activities. This loader’s functionality allows attackers to adapt their tactics based on the specific goals of their campaign. Notably, SystemBC has been linked to Play, highlighting its role in facilitating their malicious operations. 

On VirusTotal, tools commonly used by Play, such as NetScan, PsExec, WinRAR and, notably, the FX300 RAR archive, can be seen to have been downloaded from the IP address 108.61.142.190, as shown in Figure 4.

Figure 4. Tools used by Play ransomware gang

The FX300 file contains the ransomware payload, including an ELF file for Linux and an EXE file for Windows. 

Examining the NetScan file on VirusTotal, the “Relations” tab revealed another IP address (216.128.128.163) linked to Play. Further research on this IP address uncovered additional tools seen in our investigation, including GreenCollector, identified as fs256.exe, as shown in Figure 5.

Figure 5. GreenCollector tool (identified as fs256.exe)

Protections 

Anomaly detection 

Cato takes a multi-faceted approach to anomaly detection in the Cato SASE Cloud Platform, integrating heuristics that identify specific tools used in the exfiltration process. The example below, taken from a Cato XDR dashboard, shows the automatic detection of an SMB anomaly. When a threat actor uses RoboCopy or GreenCollector to copy files, the resulting SMB anomaly is monitored by the Cato Managed XDR service, as shown in Figure 6.

Figure 6. Anomaly of SMB traffic
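The following Python example, added here and not part of Cato’s detection engine, implements the early warning sign this post describes at the network level: it baselines each host’s daily internal SMB volume and SMB peer count from flow summaries and flags a day on which a host pulls far more data, from more peers, than its own history shows. The flow records and their (day, src, dst, port, bytes) layout are constructed assumptions.

```python
"""Baseline-and-deviation check for internal SMB data movement. Added example
for this post, not Cato's engine; flow records are constructed and their
(day, src_host, dst_host, dst_port, bytes) layout is an assumption."""
from collections import defaultdict
from statistics import mean, pstdev

SMB_PORT = 445

# Constructed daily flow summaries: seven ordinary days, then day 8 on which
# WS02 pulls far more over SMB from several hosts (a staging pattern).
FLOWS = [(d, "WS01", "FS01", 445, 40_000_000 + d * 1_000_000) for d in range(1, 8)]
FLOWS += [(d, "WS02", "FS01", 445, 55_000_000 + d * 2_000_000) for d in range(1, 8)]
FLOWS += [(d, "WS01", "DC01", 389, 2_000_000) for d in range(1, 8)]  # LDAP, ignored
FLOWS += [
    (8, "WS01", "FS01", 445, 38_000_000),
    (8, "WS02", "FS01", 445, 900_000_000),
    (8, "WS02", "FS02", 445, 1_200_000_000),
    (8, "WS02", "WS07", 445, 300_000_000),
    (8, "WS02", "WS09", 445, 250_000_000),
]

def smb_per_host_day(flows):
    """Aggregate SMB flows into {src_host: {day: [bytes, {peer hosts}]}}."""
    agg = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for day, src, dst, port, nbytes in flows:
        if port == SMB_PORT:
            agg[src][day][0] += nbytes
            agg[src][day][1].add(dst)
    return agg

def find_smb_anomalies(flows, day, z_threshold=3.0, min_peers=3, min_history=3):
    """Flag hosts whose SMB volume on `day` is a z-score outlier against their
    own earlier days, or whose SMB peer fan-out exceeds anything seen before.
    Hosts with too little history only get the peer check."""
    hits = {}
    for host, days in smb_per_host_day(flows).items():
        history = [v[0] for d, v in days.items() if d < day]
        peer_max = max((len(v[1]) for d, v in days.items() if d < day), default=0)
        today_bytes, peers = days.get(day, [0, set()])
        reasons = []
        if len(history) >= min_history and today_bytes > mean(history):
            sd = pstdev(history)  # zero spread: any increase is infinitely unusual
            z = (today_bytes - mean(history)) / sd if sd else float("inf")
            if z > z_threshold:
                reasons.append(f"SMB volume {today_bytes / mean(history):.0f}x baseline")
        if len(peers) >= min_peers and len(peers) > peer_max:
            reasons.append(f"{len(peers)} SMB peers (previous max {peer_max})")
        if reasons:
            hits[host] = reasons
    return hits
```

Per-host baselining matters here: the 2.6 GB that WS02 moves on day 8 would be unremarkable for a backup server, but it is dozens of times that workstation’s own norm and touches four SMB peers where it previously touched one.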

Comprehensive SASE security posture 

With Cato DLP, we offer organizations a dynamic and proactive defense against a wide spectrum of ransomware and exfiltration threats, ensuring that even the most sophisticated threat actors are thwarted at every turn. 

Cato CTRL utilizes cutting-edge tools and strategies to detect, analyze, and build robust defenses against the latest exfiltration threats. Protective measures leverage advanced heuristics to block the upload of sensitive files using DLP protection. Additionally, anomaly detection can identify unusual activities, such as the upload of large amounts of data that deviate from normal patterns. 

 
Conclusion 

The evolving tactics and sophisticated tooling of Hunters International and Play illustrate the growing complexity of modern ransomware attacks. The investigations by the Cato CTRL and Cato MDR teams underscore the importance of early detection and proactive defense measures.

The Cato SASE Cloud Platform offers robust protection against these threats, with features like advanced anomaly detection and dynamic DLP protection. Continuous vigilance, combined with advanced security solutions, is essential to mitigate the risks posed by these increasingly dangerous ransomware attacks.

Resources 

IOCs 

Play C2 IP Addresses: 

  • 216[.]128[.]128[.]163 
  • 108[.]61[.]142[.]190 

WorkersDev Backdoor Malvertising Domains: 

  • cdn-server-1[.]xiren77418[.]workers[.]dev 
  • cdn-server-2[.]wesoc40288[.]workers[.]dev 
  • Angryipo[.]org 
  • Angryipsca[.]com 

Hashes: 

  • 1bfa1d628d45dca4e45c7e262dae1d4faed38a5346e3901f14f83d49717d0012 – GreenCollector 

Zohar Buber is a security analyst at Cato Networks and a member of Cato CTRL. At Cato, Zohar supports the MDR team. Zohar was previously a security analyst at Radware.

Or Mayersohn is a security analyst at Cato Networks and a member of Cato CTRL. At Cato, Or supports the MDR team. Or previously held roles at QPoint Technologies and OTORIO. Or is an Israeli Military Intelligence veteran.