Ransomed.vc hackers claim to have breached ‘all Sony systems’ and are allegedly threatening to sell stolen data
A lesser-known hacking group has claimed on the dark web that it has breached ‘all Sony systems’ and will sell the stolen data, amid media reports that Sony is refusing to pay a ransom.
According to the reports, the hacking claim comes from a group called Ransomed.vc, which seems to be a ransomware operator and a ransomware-as-a-service organisation that is reportedly based in Russia and Ukraine.
Sony is no stranger to cybersecurity incidents. In November 2014 Sony Pictures was famously hit by a devastating attack by North Korean hackers, in retaliation for the film “The Interview” – a Seth Rogen comedy about a plot to kill the leader of North Korea.
That 2014 hack was so devastating that it exposed the personal details of some Hollywood movie stars, as well as other highly confidential data.
Prior to that, Sony’s most serious hack had been in 2011, when some 77 million registered accounts were compromised and online features were rendered totally inoperable. That attack on the PlayStation Network took it offline for a week.
Now Ransomed.vc is alleging that it has hacked Sony systems, and says it will publish the stolen data because, it claims, Sony will not pay a ransom.
At the time of writing, there is no public statement from Sony on the claims from Ransomed.vc.
Hackers’ track record
The Ransomed.vc allegations of compromising Sony have been noted by some security experts.
“Until Sony provides further information, it is not clear if this breach took place, but the warnings from Ransomed.vc should never be ignored,” said Ryan McConechy, CTO of managed cyber security service provider Barrier Networks.
“Ransomed.vc may be less known than major ransomware gangs like Cl0p or BlackCat, but when looking at the group’s history, they are responsible for a string of devastating attacks on financial organisations, data providers and managed IT companies,” said McConechy.
“Furthermore, making false announcements on victims is something ransomware gangs avoid as it damages their reputations and profitability opportunities, so there is a strong possibility the claims are genuine, which means they must be investigated thoroughly,” said McConechy.
“If the incident has taken place, it once again highlights the powerless position organisations are placed in when infected by ransomware,” said McConechy. “Regardless of whether the organisation’s data is encrypted and held hostage, or stolen and put up for sale, it’s the attackers that have the power.”
“This means organisations must prioritise defences before attacks occur,” said McConechy. “This means training employees on the techniques criminals use to access systems, keeping all systems up to date with the latest patches, running a regular backup system, layering security and implementing network segmentation to prevent ransomware from spreading.”
“Furthermore, it is also advised that organisations take the average ransomware sum likely to be demanded from them in the event of a compromise – then use that figure as their budget for investing in adequate defensive tooling,” McConechy concluded.
Meanwhile Mike Newman, CEO of identity and access management specialist My1Login, noted that this is a worrying claim that must be investigated as a priority, because in most cases when attackers claim to have breached an organisation, they are being truthful.
“Furthermore, as we have seen over the last few weeks, carrying out ransomware attacks on large and seemingly secure organisations is fairly easy for a determined attacker to execute, especially via social engineering or by exploiting an unpatched vulnerability,” said Newman.
“If the claims are accurate, it is essential Sony takes remediation action immediately,” said Newman. “This includes running forensics to understand what data has been stolen and then working to reduce its value by updating systems. Additionally, Sony must also inform impacted parties so they can be on guard for phishing scams and be alert for further attacks.”
“The incident will also act as a reminder to educate employees on the serious risk posed by cybercrime today and the need for them to be vigilant for attacks,” said Newman.
“This means being on guard for phishing and social engineering scams, and also improving corporate defences by removing credentials from the hands of employees,” Newman added.
“With phishing and social engineering, the key focus for attackers is to steal valid user credentials so they can achieve deeper corporate network access, but if these are removed from employee hands, they can’t be tricked into handing them over to criminals,” Newman concluded. “This can be achieved by adopting modern Single Sign-On and Enterprise Password Manager tools which securely remove the need for employees to memorise or manage passwords.”