Gang claims extortion attack against Sony.
N2K, Sep 26, 2023

Ransomed.vc claims to have completely compromised Sony (but some see room for skepticism).


CyberSecurity Connect reported Monday that a ransomware gang, Ransomed.vc, has claimed to have successfully hacked into Sony, gaining access to sensitive information the company holds.

Data for sale, but only through September 28th, so act now. (Or, if you're really in that criminal market, wait a couple of days and get the goods for free.)

The gang's statement, offered in both clear and dark web dump sites, is lazily constructed gasconade. It opens with a direct but unacknowledged quotation from Wikipedia: “Sony Group Corporation, formerly Tokyo Telecommunications Engineering Corporation, and Sony Corporation, is a Japanese multinational conglomerate corporation headquartered in Minato, Tokyo, Japan.”

After this borrowed burst of fireworks, they go on to crow high, and their prose becomes either non-native (charitably) or subliterate (uncharitably): “We have successfully compromissed [sic] all of sony systems. We wont ransom them! we will sell the data. due to sony not wanting to pay. DATA IS FOR SALE. WE ARE SELLING IT”. The gang says that if it hasn't found a buyer by September 28th, it will simply dump the information online. This seems a poor criminal practice--maybe someone in the C2C market needs a few more days to kick the tires on the data, but that's what Ransomed.vc says.

Sony has said very little about the incident. The company did offer a terse statement to IGN, which reads in full, “We are currently investigating the situation, and we have no further comment at this time.”

A ransomware group that claims GDPR compliance.

Outsiders who've seen the proof-of-hack Ransomed.vc offers are skeptical: it seems far short of what one would expect from a compromise of the claimed magnitude, and it's also consistent with being information culled from a variety of third-party sources. CyberSecurity Connect says it consists of "screenshots of an internal log-in page, an internal PowerPoint presentation outlining test bench details, and a number of Java files."

Ransomed.vc is thought to be a new group, active only over the past month or so, although some of its members may be alumni of other gangs. It appears to operate mostly from Russia and Ukraine, and seems to be both a direct ransomware operator and a player in the ransomware-as-a-service market, where it recruits criminal affiliates.

The gang has a confused and implausible claim to white-hat status, VGC News reports, and says it operates in strict compliance with the EU's GDPR. For a ransomware operator that's manifest nonsense, but Ransomed.vc nonetheless puts on the armor of privacy: “In cases where payment is not received, we are obligated to report a Data Privacy Law violation to the GDPR agency!” We doubt they're in Europol's Rolodex. If the threat to report a GDPR violation is serious at all, it can only be construed as designed to give the gang additional leverage over its more naive marks.

It's worth noting that Ransomed.vc is an extortion gang, not a ransomware operation in the strictest sense. It hasn't yet developed an encryptor, although the gang told BleepingComputer that it's working on one. Its extortion depends upon data theft and the threat of doxing.

And another claimant to the attack.

BleepingComputer notes that another criminal actor, "MajorNelson" (is his nom-de-hack an homage to I Dream of Jeannie?) disputes Ransomed.vc's claims, saying that he (or she, or they) is in fact responsible. "You journalists believe the ransomware crew for lies. Far too gullible, you should be ashamed," MajorNelson posted to BreachForums. "RansomedVCs are scammers who are just trying to scam you and chase influence. Enjoy the leak."

To establish its own bona fides, MajorNelson also posted proof-of-hack files, which seem to include all the files that were in Ransomed.vc's own preliminary dump. Neither claimant's assertion of a successful attack has been verified.

A security industry expert finds the story complicated, the reality far from obvious.

Ferhat Dikbiyik, head of research at Black Kite, is appropriately cautious in assessing Ransomed.vc's expansive claims. "Ransomed.vc’s recent announcement claiming to have infiltrated Sony's entire systems landscape and putting up data for sale has made its way through the security community this week, yet substantial evidence backing this claim seems murky at best," Dikbiyik observed. But the story is, as they say, complicated. "On the flip side, a forum post by a user, MajorNelson, appeared to provide a free leak of the alleged Sony data, shedding light on a tangled narrative that begs a closer look. Despite showcasing some data," Dikbiyik said, "critics argue the evidence doesn’t substantiate their bold claims. The crypto-chaos doesn't stop here; a forum revelation by MajorNelson challenges Ransomed.vc's assertions, labeling them as mere scammers and supplying what they claim to be the real leaked data for free."

The proof-of-hack may consist of information derived from third-party sites, Dikbiyik argued. "Upon reviewing the leaks, it's clear that the purported data may not have been siphoned directly from Sony but likely sourced from auxiliary tools like code and design development platforms. The essence of ransomware extortion hinges on the indispensable value of the data and the ability to cripple operations, both of which seem missing in this narrative as Sony’s operations remain unaffected. The diverging paths of Ransomed.vc's extortion attempt and MajorNelson’s data leak gesture sketch a scenario where Sony-related data might have been acquired externally and used in an abortive extortion attempt."

Thus, it's complicated, and Sony's still investigating. "So far, Sony remains tight-lipped on the matter, neither confirming nor denying the supposed breach. The involvement of another entity offering the disputed data at no cost adds an intriguing twist to the saga. It’s a murky scene, with veiled actors and unfolding drama yet to be thoroughly dissected."

(Added, 10:30 PM ET, September 26th, 2023.) Lior Yaari, CEO and co-founder of Grip Security, drew attention to the inherently complex attack surface organizations like Sony present. "Movie studios have one of the most complex cybersecurity environments to secure and face enormous challenges with their reliance on a high number of contractors and constant scaling up and down of production teams," Yaari said. "The pace at which their user base changes could contribute to a mistake that allowed the ransomware attack to take hold. Focusing on securing access to user identities could have limited the impact and there are likely great lessons to be learned as more information on the attack is made available." And Sony, of course, is much more than a movie studio. It's a tech conglomerate with entertainment divisions.

(Added, 6:30 PM ET, September 27th, 2023.) Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, called the hack "most unusual." Sony's security teams aren't rookies or incompetents, after all. "You would think that Sony, after being involved in at least two of the world's biggest hacks, would have its cybersecurity defenses at top of the scale. And yet another group was able to potentially exploit a new attack vector and get away with confidential data. It shows that the work of the cybersecurity professional is a tough one. Not only do you have to defend against every previous attack, but every possible attack you can imagine happening in the future. And there's already a lot we can imagine."