Ransomware's attempt at British Columbia realtor raises question of supply chain attack

Ransomware's attempt at British Columbia realtor raises question of supply chain attack

A real estate agency in British Columbia is investigating the ransomware attack that the owner says was caught before causing serious damage. But the incident raises the question of whether the attack came through a transition to a third-party application.

Jerry Redman, owner and managing director of Remax Kelowna, which has offices in the city of 132,000, said in an interview Friday afternoon that, fortunately, the attack occurred at the same time that IT staff were overseeing a software update. Ransomware was not launched, although some files were copied.

"We were on it within minutes of knowing this, and that's why [the attackers] didn't have much," he said.

Although a forensic investigation is still ongoing, so far Redman believes that only the data attackers were able to copy what they called "non-personal company data". This includes "graphic design stuff that the company does for people."

On Wednesday, the Conti Ransomware Group website listed Remax Kelowna as one of its victims and included the names of 15 files that were allegedly copied as evidence of the attack.

Redman said he did not know after the incident that the file was clearly copied until a reporter called him on Thursday.

"We were shutting down the attack so fast that we didn't believe they had found anything. We didn't get any ransomware requests from [the attackers], our system never shut down from them, but they obviously had little data. met.

"They never got the ransomware launched on our servers ... but they got a small data set. Luckily, this is not a server that hosts a ton of stuff outside our company's luggage. All our other items are on separate servers with different companies that now operate our software. We moved it about a year and a half ago. "

Where it came from?

Asked if he knew how the attack was launched, Redman did not have answers. "Not a clue." The only thing we can think of at this point is that we were doing a software upgrade from a major company and it started happening about the exact time. "

Redman said he was not sure if the upgrade was infected, he said. "I don't want to speculate, but it literally means what we were doing when it happened, and so we were able to shut it down so quickly because my IT people were here."

He said the company was lucky.

"Because I know someone who was killed about a year ago and it cost $ 4 million," he said, referring to a business from a different industry, not in Kelowna.

Redman noted that he suspected that his firm was targeted.

Ransomware attacks through third-party software or supply chains are rare. Typically, attacks are initially launched through phishing and spear phishing, also known as remote access software vulnerabilities, infected pirated software, drives by downloads of infected websites, and the use of infected removable media.

In an email, threat researcher Brett Callow for security firm Amsisoft said supply chain attacks could enable attackers to gain an early foothold. "But, I've never heard of ransomware being used to rapidly eject data before deploying it," he wrote.