A ransomware strain from the Zeppelin group can steal data and then encrypt it. Many forms of ransomware only encrypt data and do not steal it first.
Examples of families that do steal data before encrypting it include REvil, Maze, and Snatch. Zeppelin can now do this as well. Cybersecurity firm Morphisec made the discovery while providing incident response services to a real estate company.
“In this case, we have a threat actor using similar techniques like in the Wipro incident — targeting servers, stopping all database processes, copying the backup, and then deploying the ransomware, using all this with a legit IT remote tool,” Michael Gorelik, Morphisec CTO, said.
Links were found to a server where the stolen data was stored. According to Morphisec, this indicates significant data leaks for some companies. The company contacted the authorities about the discovery.
Data theft before encryption
Morphisec’s report on the discovery can be found on the company’s blog. According to ZDNet, the report and findings are consistent with last week’s report by Blackberry Cylance, which documented the Zeppelin ransomware, but not the data theft.
The data theft went undocumented there because it takes place before the execution of the ransomware binary that encrypts the data. The tactic is called “big game hunting ransomware”. This term refers to ransomware groups that no longer focus on consumers but instead go after large companies.
The groups break into a company’s infrastructure, try to reach as many computers as possible over the network, and then run their ransomware to encrypt data and demand very large ransom payments.