Some ransomware actors take the straightforward approach of demanding a ransom in exchange for the return of data or restoration of access to systems that have been taken hostage. Newer and high profile ransomware actors are exerting additional pressure in an attempt to increase the likelihood of payment by threatening to leak the victim’s data if the ransom is not paid. A new term to describe this approach has come into vogue:
<sarcasm> Spin: if ransomware attackers leak the data that they stole, you get your data back for free.
This week, the Ransomware Round up carries quite a few stories about double extortion in the wild. Let’s go!
Ransomware in the News
Double extortion threat realized against City of Torrance, CA
A new leak on Dopple Leaks was one of the biggest stories in ransomware this week. In March 2020, the City of Torrance, CA experienced a ransomware attack that was promptly reported and confirmed at the time. Earlier this week, BleepingComputer reported on an update to Dopple Leaks purporting to contain files exfiltrated from Torrance during the incident. The details for the leak simply say:
Living with Urban Coyotes
This text does not provide any confirmation that the included files required unauthorized access to obtain. The gallery on the front page of www.torranceca.gov includes this slide:
After BleepingComputer went to press, the City of Torrance provided an update in a blog post titled Data Exfiltration. The post acknowledges that data circulating on the Internet “may have come from” Torrance systems as a result of the March 1, 2020 ransomware attack. The post clarifies that Torrance is working with law enforcement and a third-party forensic firm on investigation and analysis.
As of this writing, Dopple Leaks is relying on Cloudflare’s Always Online functionality:
Image: Ransomware Roundup
How Torrance Responds
In response, the City of Torrance is continuing to encourage visitors to its original site at torranceca.gov to instead visit www.cityoftorranceca.com. The city also has a Wordpress.com site that has a Press Release about the incident. The post includes a list of a few dozen
@gmail.com email addresses as temporary contact emails for representatives of the City of Torrance from City Council to Fire, Police and Public Works. The list bears a warning that emails from
@torranceca.gov should be deleted immediately, suggesting that the city’s email system was impacted by the ransomware, in addition to their website. This post also appears to be the origin of the assertion that
Public personal data has not been impacted
Read the post and see the full list of email addresses: Press Release: Torrance Experienced A Cyber Incident To City Servers
Was the ransom paid?: Unknown
Ransom Amount: 100 BTC
Entry Vector: Unknown
Ransomware Actor: DoppelPaymer
A Closer Look at Cognizant
In last week’s issue, we were just learning of a ransomware incident at Fortune 500 technology firm Cognizant Technology Solutions. Given the scale of Cognizant’s operations, this story has received quite a bit of attention over the last week. The incident has been attributed to Maze. Like DoppelPaymer, Maze threatens to publish sensitive data exfiltrated during the ransomware attack to their leak site.
As of this writing, Maze does not name Cognizant amongst their list of “clients” (read: victims).
Was the ransom paid?: Unknown
Ransom Amount: Unknown
Entry Vector: Unknown
- LockBit ransomware borrows tricks to keep up with REvil and Maze
- Alert from ICS CERT on RagnarLocker
- BleepingComputer Week in Ransomware
- Here’s a list of all the ransomware gangs who will steal and leak your data -
There are nine ransomware crews that ZDNet has identified in the last story noted above While ZDNet does not share the URLs for these sites (rightfully so), some are not too terribly difficult for you, the dear and dedicated reader, to find.
This whitepaper from the Center for Internet Security provides a good primer on Ryuk.
SEC filings have been a useful if unexpected source of information about ransomware incidents of late. While the information included tends to be limited, the presentation tends to be clear and concise. There are quite a few different types of SEC filing forms. A quick index of the different types is available directly from the SEC at https://www.sec.gov/forms.
The type of filing we have looked at most frequently is an 8-K. Per investor.gov, the 8-K is a “current report”. Companies file current reports with the SEC in order to keep shareholders appropriately informed of major events. 8-Ks are designed to prevent the selective disclosure of information relevant to investors.
For even more information about how to read 8-Ks, see this page from investor.gov.
Searching SEC Filings
The SEC filing website permits full text searches. Click here to query for
ransomware. The majority of the results for this query are Forward Looking Statements informing investors of the potential impact that a ransomware incident could have on the company’s financial performance.
Speaking of the SEC: Updates from Emcor
Emcor Group, victims of a March 2020 Ryuk attack, filed their quarterly report for the quarter including the ransomware attack. The announcement portion of the 8-K filing is directly available here. Emcor will be hosting a conference call for Q1 on Thursday, 30 April 2020. Stream at emcorgroup.com on Thursday at 10:30A (GMT-4). Grab the .ics to add the event to your calendar. [More Info]
Stay calm and perform (and test!) backups.