Iranian hacking group Agrius pretends to encrypt files for a ransom, destroys them instead
The Agrius hacking group allegedly deletes the data it pretends to hold for ransom in the final stage of their attack. This method represents a shift from the group’s previous tactic, which consisted of utilizing a purely destructive wiper malware. SentinelOne researchers released an analysis earlier today detailing the threat group’s latest developments. The group was first discovered in attacks against Israeli targets in 2020. Researchers suspect that the organization is state-sponsored and not motivated by financial gain. The use of ransomware appears to be centered on cyberespionage and destruction, according to researchers.
SentinelOne stated that it traced some attacks launched by Agrius in which only a wiper was deployed, finding that the group pretended to steal and encrypt information to extract payment from victims, however, the information had already been destroyed. Therefore the group intentionally masks their malware activity as a ransomware attack. Agrius typically uses a virtual private network to attempt exploits, often through previously compromised accounts or software vulnerabilities, according to the researchers. Agrius also occasionally deploys Deadwood, a destructive wiper malware strain linked to attacks against Saudi Arabia in 2019.