At a glance.
- TFI International unit's data being leaked by DoppelPaymer operators.
- Conti ransomware has a data leak site.
- DarkSide as the future of organized cybercrime.
Extortionists threaten to release customer data stolen from logistics firm.
According to ASI, Montréal-based TFI International, a major transportation and logistics company, has disclosed that its four Canadian courier divisions—Canpar Express, ICS Courier, Loomis Express and TForce Integrated Solutions—were hit by DoppelPaymer ransomware on August 19th. Some of the subsidiaries have said they'd contained the incident and had seen no evidence of data compromise, but the DoppelPaymer operators said that they had names and financial information belonging to Canpar Express customers. They were preparing, they said, to leak these online. Freight Waves reports that indeed some internal Canpar data have been leaked on a dark web site.
Conti ransomware's data leak site.
BleepingComputer reports that the operators of Conti ransomware (regarded as the successor to the well-known and damaging Ryuk strain) have established an online dump site where they can post information stolen in their attacks. The site currently has twenty-six victims.
Moreno Carullo, CTO and Co-Founder of Nozomi Networks, offered some comments on Conti's dump site:
“A data leak web site is a relatively recent phenomenon that’s gaining traction as a coercion strategy in the ransomware operator’s playbook. Once a large percentage of the breached organizations started to have proper backups in place, ransomware organizations needed a new way to force the victims into paying the actual ransom. Data leak websites were the answer to that need.
"An efficient ransomware organization operates in pipeline, with specific people in charge of the actual network compromise and ransomware deployment, while others may deal with the monetization operations. As a target, you not only need to understand how the attackers made their way towards your company assets, now you also have to handle the threat of your stolen private company data being exposed.
"From the point of view of the attackers, the best way to leverage a data leak website is probably just to use it as a further leverage against new victims. It’s unlikely that every company breached will get a spot on such websites, since this will likely attract too much attention from the media and law enforcement, but the threat can be used effectively during ransom negotiations."
The criminal market adapts and evolves. Carullo added some thoughts on what can be expected from the gangs when their profits drop: "As we’ve said many times in the past, a ransomware organization’s core business consists of extracting the maximum monetary gain from their victims. As soon as they see a drop in the conversion rate, they’ll explore new strategies to keep the business running.”
DarkSide ransomware as an exemplar of professional crime's future.
WIRED looked at the DarkSide ransomware and its operators, whom it sees as "corporate" and "cruel," a distillation of underworld trends toward careful target selection, careful calibration of demands to offer a painful but tempting option to pay, and ruthless reprisal against victims who refuse them. The consequences of refusal involve unambiguous use of stolen data, much of which is personally identifiable information.
Greater ruthlessness is accompanied, paradoxically or not, by good victim service. “The groups are increasingly becoming ruthlessly efficient,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “They have more of a chance of success the easier they make life for their victims—or the easier they make it to pay them.” DarkSide represents the latest and slickest manifestation of this trend, but it's not the first. REvil emulated customer service best practices (responsive chats, etc.) and Maze built a reliable affiliate network, a kind of Amway for ransomware. DarkSide doesn't appear so far to have moved toward an affiliate model, but it has set a standard for clear-eyed market research.