Canadian retailer collides with home hardware ransomware

One of the nation's largest privately held dealer-owned hardware retailers has admitted it was hit by ransomware, with which the threat group promised to start releasing the copied data today, April 2 Was.

With more than 1,050 stores under the Home Hardware Stores Limited, Home Hardware, Home Building Center and Home Furniture banners, ITWorldCanada.com admitted that an attack occurred in February.

"The unauthorized third-party was able to access parts of our corporate data," Jessica Kueffer, the company's communications director, said in an e-mail on Friday.

“We immediately engaged our cyber security firm and quickly implemented countermeasures to isolate and prevent the attack. We have maintained complete business continuity. "

Each of the shops is independently owned and operated. Based on our investigation, it appears that the attack did not affect the dealer retail system or any consumer transaction or payment data. "

In press time, Kupffer did not respond to questions about how much money Darkside had asked for and whether the company had talked to the attackers.

The attack on Ontario-based home hardware came after the Darkside Ransomware Group posted what it posted from the company promising to release copied corporate data and data publicly if it did not pay for the decryption key. go.

A screenshot of the information on the group's website states:

“We have downloaded a lot of your personal data. You can see the examples below. If you need proofs then we are ready to provide you with it. The data is preloaded and if you do not contact us it will be automatically published in our blog. After publication your data can be downloaded by anyone. It is stored on our torso for CDN and will be available for at least six months. "

Screenshots of some documents seen by ITWorldCanada.com marked "Strictly Private and Confidential" in a December 2020 financial report and a November 2020 letter announcing the acquisition three months later.

The DarkSide website also includes countdown watches to automatically release copied documents for today, Saturday and Sunday.

Companies dealing with data exfoliation situations have no good choice, commented British Columbia-based threat researcher Brett Callow for Amsisoft.

"They are disbanded, and their data is in the hands of cybercriminals. If they refuse to pay the criminals, their data will be released online. If they pay, all they need is a bad faith actor. There is a pinky-promise that the stolen data will be deleted - and of course, there is enough evidence that it does not. Why would a criminal enterprise delete data that it might be able to use or further demonetize is?

"Unfortunately, data acceleration is proving to be a strategy, which works with many organizations, who were able to recover their systems using backups, who still need to pay to stop the data being released." Are demanding. As ransomware groups began to infiltrate the data in late 2019, around 1,500 organizations stole their data and posted it online, while many others paid to prevent it from being published. "

According to a recent analysis by security vendor Varonis, Darkside is a ransomware-as-a-service group that started in August. Like other Ross services, anyone who helps spread their malware gets 10 to 25 percent of the payout.

He has been known for his "professional operations and large ransom" since starting the report.

"They provide web chat support to victims, build complex data leak storage systems with redundancy, and financially analyze victims before they attack," it reads. "Our reverse engineering reported that Darkside's malware devices would check language settings to ensure that they do not attack Russia-based organizations. They have also answered questions in Russian-language Q&A forums and actively Recruiting Russian-speaking partners. "

Darkside often uses compromised third-party contractor accounts to access Virtual Desktop Infrastructure (VDI), which was put in place to facilitate remote access during the epidemic. It has also exploited servers and then quickly deploys an additional remote access backdoor that will preserve access should vulnerable servers be patched.

Reportedly, "none of these are vectors, but they should serve as a warning that sophisticated threat actors easily circumvent the perimeter's security." "They all describe the need for multi-factor authentication for fast patching of Internet-facing accounts and Internet-facing systems."

In January, Bitdefender released a decryptor for the version of the DarkSide encryption algorithm used at the time.