Showing posts from November, 2021

These aren't the rclones you've been looking for...

I recently came across an interesting technique used by many different ransomware groups for data exfiltration. In the current age of ransomware it is becoming more common to see double, and sometimes triple, extortion, where the attackers exfiltrate data before encrypting it so that they have leverage should the company decide not to pay. One tool being used for this is called Rclone. What is interesting about this tool is that it is a self-contained executable and does not have to be installed on Windows: you simply download the zip file, unzip it, and start using it. Its strength lies in being able to authenticate to and upload to a large number of cloud storage providers from the command line. A list of all the providers it currently supports is found here: One of the ones I tested recently was its connection to If a company isn't blocking outbound traffic to these cloud storage providers, it runs the risk of easy data exfiltration via this tool. To set it
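Because Rclone needs no installer and addresses each configured cloud backend as `remote:path` on the command line, process-creation telemetry is a practical place to catch it. The following Python script is an added example, not code from the original post or from the Rclone project: it scans constructed Sysmon-style process-creation records (the field names, paths, command lines and remote names are made up for illustration) and flags Rclone transfer commands aimed at a configured remote, including cases where the binary has been renamed but its `OriginalFileName` metadata still reads `rclone.exe`.

```python
import re
from dataclasses import dataclass

# Constructed, Sysmon Event ID 1 style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\Downloads\rclone-v1.57.0-windows-amd64\rclone.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": r'rclone.exe copy "C:\Finance\2021" mega:backup --transfers 8 -q'},
    {"Image": r"C:\Windows\Temp\svchost.exe",          # renamed copy of rclone
     "OriginalFileName": "rclone.exe",
     "CommandLine": r'svchost.exe sync C:\Shares\HR remote1:hr --config C:\Windows\Temp\r.conf'},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "OriginalFileName": "firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
    {"Image": r"C:\Tools\rclone.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": r"rclone.exe lsd mega:"},         # listing only, no transfer
]

# rclone subcommands that move data to a remote.
TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}

# rclone addresses a configured backend as "<remote>:<path>". A Windows drive letter is a
# single character before the colon, so require two or more name characters, and reject
# a following slash/backslash so "C:\dir" and "http://" never match.
REMOTE_RE = re.compile(r'(?<![\w\\/"])([A-Za-z0-9_-]{2,}):(?![\\/])(\S*)')


@dataclass
class Finding:
    image: str
    verb: str
    remote: str
    renamed: bool


def is_rclone(event):
    """True if the binary is rclone, even when the file on disk was renamed."""
    name = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    return name == "rclone.exe" or image.endswith("\\rclone.exe")


def parse_rclone_transfer(cmdline):
    """Return (verb, remote) when the command line transfers data to a remote, else None."""
    tokens = cmdline.split()
    verb = next((t.lower() for t in tokens[1:] if t.lower() in TRANSFER_VERBS), None)
    if verb is None:
        return None
    m = REMOTE_RE.search(cmdline)
    if m is None:
        return None
    return verb, m.group(1)


def find_exfil(events):
    """Return one Finding per rclone transfer command seen in the events."""
    findings = []
    for ev in events:
        if not is_rclone(ev):
            continue
        parsed = parse_rclone_transfer(ev.get("CommandLine", ""))
        if parsed is None:
            continue
        verb, remote = parsed
        renamed = not ev["Image"].lower().endswith("\\rclone.exe")
        findings.append(Finding(ev["Image"], verb, remote, renamed))
    return findings


if __name__ == "__main__":
    for f in find_exfil(SAMPLE_EVENTS):
        tag = " (renamed binary)" if f.renamed else ""
        print(f"rclone {f.verb} to remote '{f.remote}' from {f.image}{tag}")
```

Against the constructed records this reports the `copy` to `mega` and the `sync` to `remote1` (the latter from a renamed binary) and ignores the Firefox launch and the `lsd` listing. Matching on `OriginalFileName` is the important part: renaming `rclone.exe` defeats an image-path rule but not the PE version resource.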