This week in ransomware – Friday July 1, 2022

“Denial is not a river in Egypt”

 We start this week’s summary with a famous quote from Mark Twain, and our theme is “denial.”

We know that the majority of companies have experienced some form of ransomware attack. According to a Telus survey published in 2022, “cyber-attacks are on the rise in Canada, with 98 per cent of Canadian organizations reporting a cyberattack in the last 12 months.”

Who do we trust when attackers claim to have had a successful ransomware attack, but the company denies that the attack was successful?

This week, two major companies both issued denials in the face of ransomware gangs claiming they have successfully attacked the company, and who post evidence of stolen data to prove their claim?

Walmart denies attack by Yanluowang gang

Walmart has denied being attacked with ransomware by the Yanluowang gang, although the gang claimed to have encrypted thousands of computers.

In a statement to BleepingComputer, Walmart said their “Information Security team is monitoring our systems 24/7,” and believe the claims to be inaccurate.

Walmart continues to deny the attack, but files posted, ostensibly from the Yanluowang gang, do appear to contain information that claims to be from Walmart’s internal network, including a security certificate, a list of domain users, and the output of a kerberoasting attack.

Kerberoasting is an attack used when threat actors gain access to a network and then are able to access Windows services accounts and their hashed NTLM passwords.  The attackers then use hashed passwords to brute-force the extraction of plain-text passwords.  Once they have these credentials, they can elevate their privileges on the Windows domain.

Sourced from an article in Tech News Day with additional info from  Bleeping Computer.

AMD denies ransomware attack

AMD says they are investigating a cyberattack after the RansomHouse gang claimed to have stolen 450 GB of data from the company in the past year.

RansomHouse is known as for stealing data and then demanding a ransom with the threat of publicly leaking the data or selling it to other threat actors.

While they have not named AMD, the RansomHouse gang has posted on Telegram that they would soon be selling the data of a well-known, three letter company that starts with the letter “A”.

Sourced from an article in Bleeping Computer

No good deed goes unpunished?

So why do companies deny attacks? Have these companies not been breached? Or are they reluctant to come forward, given the extreme penalties that are being levied against companies who have been successful attacked.

Podcast host Howard Solomon reported on Cyber Security Today that Carnival Cruise Line has been fined US$5 million for data breaches which featured the theft of personal information of passengers and employees. According to Carnival, the company had four cybersecurity events between 2019 and 2021, including two ransomware attacks.

Carnival is being penalized for violating state financial services regulations by not implementing multifactor authentication. Authorities claim that it failed to report the first of the four attacks and that it also failed “ to adequately train staff about cybersecurity.”

Ironically, the reason Carnival companies were able to be penalized stems from the fact that the company also sells cybersecurity insurance, and because of this, it was subject to state cybersecurity regulations. The settlement will force Carnival companies to stop selling insurance in New York State in addition to the financial penalties.

Again, according to the podcast, Carnival recently reached a US$1.2 million settlement with 46 states involving a 2019 data breach.

Sourced from the podcast Cyber Security Today