Logistics firm breached. Conti operators establish a data dump site. DarkSide and the future of ransomware.

Summary

By the CyberWire staff

At a glance.

TFI International unit's data being leaked by DoppelPaymer operators.
Conti ransomware has a data leak site.
DarkSide as the future of organized cybercrime.

Extortionists threaten to release customer data stolen from logistics firm.

According to ASI, Montréal-based TFI International, a major transportation and logistics company, has disclosed that its four Canadian courier divisions—Canpar Express, ICS Courier, Loomis Express and TForce Integrated Solutions—were hit by DoppelPaymer ransomware on August 19th. Some of the subsidiaries have said they'd contained the incident and had seen no evidence of data compromise, but the DoppelPaymer operators said that they had names and financial information belonging to Canpar Express customers. They were preparing, they said, to leak these online. Freight Waves reports that indeed some internal Canpar data have been leaked on a dark web site.

Conti ransomware's data leak site.

BleepingComputer reports that the operators of Conti ransomware (regarded as the successor to the well-known and damaging Ryuk strain) have established an online dump site where they can post information stolen in their attacks. The site currently has twenty-six victims.

Moreno Carullo, CTO and Co-Founder of Nozomi Networks, offered some comments on Conti's dump site:

“A data leak web site is a relatively recent phenomenon that’s gaining traction as a coercion strategy in the ransomware operator’s playbook. Once a large percentage of the breached organizations started to have proper backups in place, ransomware organizations needed a new way to force the victims into paying the actual ransom. Data leak websites were the answer to that need.

"An efficient ransomware organization operates in pipeline, with specific people in charge of the actual network compromise and ransomware deployment, while others may deal with the monetization operations. As a target, you not only need to understand how the attackers made their way towards your company assets, now you also have to handle the threat of your stolen private company data being exposed.

"From the point of view of the attackers, the best way to leverage a data leak website is probably just to use it as a further leverage against new victims. It’s unlikely that every company breached will get a spot on such websites, since this will likely attract too much attention from the media and law enforcement, but the threat can be used effectively during ransom negotiations."

The criminal market adapts and evolves. Carullo added some thoughts on what can be expected from the gangs when their profits drop: "As we’ve said many times in the past, a ransomware organization’s core business consists of extracting the maximum monetary gain from their victims. As soon as they see a drop in the conversion rate, they’ll explore new strategies to keep the business running.”

DarkSide ransomware as an exemplar of professional crime's future.

WIRED looked at the DarkSide ransomware and its operators, whom it sees as "corporate" and "cruel," a distillation of underworld trends toward careful target selection, careful calibration of demands to offer a painful but tempting option to pay, and with ruthless reprisal against victims who refuse them. The consequences of refusal involve unambiguous use of stolen data, much of which is personally identifiable information.

Greater ruthlessness is accompanied, paradoxically or not, by good victim service. “The groups are increasingly becoming ruthlessly efficient,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “They have more of a chance of success the easier they make life for their victims—or the easier they make it to pay them.” DarkSide represents the latest and slickest manifestation of this trend, but it's not the first. REvil emulated customer service best practices (responsive chats, etc.) and Maze built a reliable affiliate network, a kind of Amway for ransomware. DarkSide doesn't appear so far to moved toward an affiliate model, but it's set a standard for clear-eyed market research.

Selected Reading

Understanding Carnival's ransomware attack, hitting two different data types (CIO Dive) Last week the cruise line disclosed a ransomware attack that impacted employee and customer data. The security divisions can get murky.

Canadian Courier Companies Suffer Ransomware Attack (ASI) Hackers are now threatening to release customers’ information on the dark web.

'Dirty, rotten, lowdown scoundrels' responsible for cyber attack, superintendent says (WLOS) Haywood County Schools will be closed for the rest of the week due to a cyber attack. They've already been closed since Monday when the ransomware attack hit. Caption: WLOS. The school system is having to bring in experts to rebuild their network. The investigation into the cyber attack on the district's computers involves local authorities, all the way up to the federal level including the National Guard. “The Guard is very proficient in cyber security,” says Superintendent Dr. Bill Nolte.

College group hit by cyber attack (BBC News) Luminate Education Group said the attack had caused "operational disruption" to its IT infrastructure.

Lombard Insurance engages SA authorities after data breach (ITWeb) While the insurer is working with the Information Regulator, it has yet to disclose what information was accessed by the hackers or the number of people affected.

Victims of CRA hackers vulnerable to other cyberattacks, experts say (Peterborough Examiner) The warning comes after the federal government admitted that hackers accessed the Canada Revenue Agency or GCKey accounts of an estimated 11,200 Canad...

Why Attys Shouldn't Dawdle On Preparing For A Data Breach (Law360) Law firms and legal departments often think they're immune to a data breach, and when it happens to them, many teams are forced to rush to implement a plan, a Wilson Allen consultant said Wednesday during a virtual legal technology conference, urging attorneys to think ahead.

In This New Normal, Every "Work From Home" Computer is a Potential Entry Point For Hackers. Here is What Small Businesses Can Do (Yahoo) As businesses begin to re-open and the workplace weighs the shift from brick and mortar to work from home offices, companies are faced with how to navigate these challenging times. To quickly enable work from home policies organizations have sometimes allowed their security policies to be more flexible

Ransomware Has Gone Corporate—and Gotten More Cruel (Wired) The DarkSide operators are just the latest group to adopt a veneer of professionalism—while at the same time escalating the consequences of their attacks.

Ransomware attacks have doubled year-on-year in April-July, says cybersecurity firm Seqrite (ETCIO.com) The Seqrite Quarterly Threat Report said there was a visible shift in the behaviour of threat actors, with multiple ransomware families now capable of..

Code-execution bug in Pulse Secure VPN threatens patch laggards everywhere (Ars Technica) If you haven't updated Pulse Secure VPN, now would be an excellent time to do so.

LinkedIn Job Seeker Phishing Campaign Spreads Agent Tesla (Zscaler) Zscaler research team observed, bad actors are using a spoofed LinkedIn site to lure job seekers, steal credentials, and launch the Agent Tesla malware.

'Black holes': India's coronavirus apps raise privacy fears (Reuters) Harinder Kaur was not surprised when people slammed their doors in her face as she walked into neighbourhoods in the northern state of Punjab armed with a smartphone and a long list of health and travel-related questions.