Ransomware is supposed to be about money, and only money. This view is backed by plenty of evidence. Almost without exception, ransomware attacks are commercial events rather than ones motivated by ideological or hacktivist aims.
Despite this, every now and again exceptions pop up that counter this idea in ways that send ransomware analysts back to the drawing board.
An unsettling example is MuddyWater (aka Mercury or Static Kitten), a group associated with attacks across the world since 2017. Many of these look a lot like ransomware.
On the face of it, it’s not hard to see why. The typical MO involves phishing emails and attachments which launch ransomware such as the Venezuelan-created Thanos. Victims usually receive ransom notes as part of an incident.
However, an unusual feature of these attacks has been their destructiveness, targeting and damaging a wide range of data and network assets. This made some people suspicious about what is really going on, not least because MuddyWater appears to be connected to the Iranian state.
According to a new alert from Microsoft, the group has recently started attacking cloud resources in partnership with a second Iranian group (possibly a separate government department) given the temporary Microsoft identifier DEV-1084.
Most incidents don’t end well. The victim receives a ransom note before destruction is wreaked on their networks anyway. As Microsoft explains:
“DEV-1084 was then later observed leveraging highly privileged compromised credentials to perform en masse destruction of resources, including server farms, virtual machines, storage accounts, and virtual networks, and send emails to internal and external recipients.”
It’s not unheard of for ransomware attacks to threaten damage, but the scale on which the tactic is used by MuddyWater suggests that this is probably the primary objective. Similar attacks have been documented recently in Israel and elsewhere, and their number seems to be rising.
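One defensive check the quoted behaviour suggests, added here as an example and not taken from the Microsoft alert or this post: a hunt over Azure Activity Log style records that flags any single identity issuing a burst of delete operations across several resource types. The log records, caller names and timestamps below are constructed for illustration; the window and threshold are arbitrary starting points to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Azure Activity Log entries.
# Callers, times and the exact mix of operations are made up for this example.
SAMPLE_EVENTS = [
    {"time": "2023-04-01T02:00:00Z", "caller": "svc-admin@example.invalid", "operationName": "Microsoft.Compute/virtualMachines/write"},
    {"time": "2023-04-01T02:00:05Z", "caller": "svc-admin@example.invalid", "operationName": "Microsoft.Compute/virtualMachines/delete"},
    {"time": "2023-04-01T02:00:40Z", "caller": "svc-admin@example.invalid", "operationName": "Microsoft.Storage/storageAccounts/delete"},
    {"time": "2023-04-01T02:01:10Z", "caller": "svc-admin@example.invalid", "operationName": "Microsoft.Compute/virtualMachines/delete"},
    {"time": "2023-04-01T02:02:00Z", "caller": "svc-admin@example.invalid", "operationName": "Microsoft.Network/virtualNetworks/delete"},
    {"time": "2023-04-01T02:03:30Z", "caller": "svc-admin@example.invalid", "operationName": "Microsoft.Compute/virtualMachines/delete"},
    {"time": "2023-04-01T02:04:00Z", "caller": "svc-admin@example.invalid", "operationName": "Microsoft.Storage/storageAccounts/delete"},
    # Routine operator activity: two deletes almost an hour apart should not alert.
    {"time": "2023-04-01T01:00:00Z", "caller": "ops-user@example.invalid", "operationName": "Microsoft.Compute/virtualMachines/delete"},
    {"time": "2023-04-01T01:55:00Z", "caller": "ops-user@example.invalid", "operationName": "Microsoft.Compute/virtualMachines/delete"},
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_mass_deletion(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per caller whose delete operations reach `threshold`
    within any sliding `window`. The alert lists the distinct resource types
    touched, since destruction spanning VMs, storage and networking at once is
    the pattern worth escalating rather than a single cleanup job."""
    by_caller = defaultdict(list)
    for event in events:
        op = event["operationName"]
        if op.lower().endswith("/delete"):
            resource_type = op.rsplit("/", 1)[0]
            by_caller[event["caller"]].append((parse_time(event["time"]), resource_type))

    alerts = []
    for caller, ops in by_caller.items():
        ops.sort()
        start, best = 0, None
        for end in range(len(ops)):
            while ops[end][0] - ops[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "caller": caller,
                    "count": count,
                    "window_start": ops[start][0].isoformat(),
                    "resource_types": sorted({rtype for _, rtype in ops[start:end + 1]}),
                }
        if best:
            alerts.append(best)
    return alerts
```

Feeding real exported Activity Log JSON only requires mapping its `caller`, `operationName` and `time` fields into the same dictionaries.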
But if MuddyWater’s goal is to damage rather than extort victims, why use ransomware as a cover story?
Two explanations suggest themselves. The first is that the attackers want to confuse the defenders as to their true destructive motivation. That is, if the defenders realized that the attackers were part of a nation state campaign, they might either react more promptly or call for help from the police or government. Casting the attack as ransomware buys more time.
A second possibility is that it obscures attribution in ways that make it harder to track the extent of the group’s activities.
It could be argued that this type of attack shouldn’t be classified as ransomware at all. More accurately, these are nation-state attacks disguised as ransomware, a different category of threat.
The counterargument is that anything calling itself ransomware is in some way exploiting how people react to such attacks. Either way, it’s clear that MuddyWater’s use of ransomware underlines how this threat type has become the framing for many cyberattacks, including those that are not really extortion attacks at all.