Stolen data of company that refused REvil ransom payment now on sale

By Lisa Vaas, Sophos

March 23, 2020

Operators of the Sodinokibi (aka Sodin or REvil) Ransomware as a Service (RaaS) recently published over 12GB of data that allegedly belongs to one of its victims, Brooks International, which refused to pay the ransom.

As if that weren't bad enough, cyber-intelligence firm Cyble told BleepingComputer that it's seen the data up for sale on hacking forums.

RaaS is the malware for lazy crooks who just want to launch attacks at the press of a button: it enables novice cybercriminals to build automated campaigns using third-party kits sold on the dark web. They don't have to break a sweat by learning about malware, teaching themselves how encryption works, writing ransomware code, running an anonymous webserver on Tor to collect the loot, distributing decryption keys, or otherwise getting their hands dirty with technical details.

Sodinokibi, a GandCrab derivative blamed for numerous attacks that took place last year, is a prime example of RaaS.

BleepingComputer shared a screengrab of one such hacker forum post that showed a member advertising a link to the stolen data for 8 credits: that's worth about €2 (USD $2.15, £1.72).

Brooks International is a global professional services firm that says it's got clients in all industries and sectors. The data dump, if it proves legitimate, will prove highly valuable to cybercrooks, as it contains usernames and passwords, credit card statements, alleged tax information, and far more, according to BleepingComputer.

Does this data belong to employees or clients? One assumes clients, given that it allegedly contains credit card statements, but that's just an assumption. Given that it also purportedly contains W-2 forms, it could well be a combination of employee and client data, all rolled into one very valuable database. At any rate, whoever the data belongs to should be worried, given that 1) purported purchasers are cackling with glee, and 2) Brooks hadn't returned media inquiries as of Friday.

BleepingComputer quoted a number of comments left by purchasers on the forums:

It even has credit card number & a password. lol !!

Too bad these W2 forms weren't Donald Trump's taxes. lol !!

Thank you for being the hero we may not deserve, but need.

BleepingComputer tried to get in touch with Brooks to give the firm a heads-up about their data being sold. Lawrence Abrams, writing for the media outlet, said that even though editorial staff spoke with somebody, nobody returned BleepingComputer's call with responses to questions. I left a message on Friday night but hadn't heard back by the time this story published.

In lieu of official guidance from Brooks for clients or employees (at least, we haven't heard of any such notification), those connected to Brooks might want to play it safe by checking their credit report and credit card statements, and consider putting a security freeze on their credit account.

As for organizations that want to stay out of the clutches of ransomware RaaSers, please do read on for our advice:

How to protect yourself from ransomware

  • Pick strong passwords. And don't re-use passwords, ever.
  • Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can't find them.
  • Patch early, patch often. REvil isn't the only ransomware that pried open unpatched systems (Pulse Secure VPNs, to be precise) to break into company networks. Ransomware like WannaCry and NotPetya likewise relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off Remote Desktop Protocol (RDP) if you don't need it, and use rate limiting, two-factor authentication (2FA) or a virtual private network (VPN) if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.

For information about how targeted ransomware attacks work and how to defeat them, check out the SophosLabs 2019 Threat Report.

For more advice, please check out our END OF RANSOMWARE page.
