New victims report after massive ransomware attack


By Webdesk


The number of victims hit by a massive ransomware attack caused by a bug in a popular data transfer tool used by businesses around the world continues to grow as another organization tells TechCrunch it has also been hacked.

Canadian finance giant Investissement Québec confirmed to TechCrunch that “some employee personal information” was recently stolen by a ransomware group that claimed to have compromised dozens of other companies. Spokeswoman Isabelle Fontaine said the incident happened at Fortra, formerly known as HelpSystems, which develops the vulnerable GoAnywhere file transfer tool.

Hitachi Energy also confirmed this week that some of its employee data was stolen in a similar incident involving its GoAnywhere system, but said the incident happened at Fortra.

In recent days, the Russia-affiliated Clop gang has added dozens of other organizations to its dark web leak site, using it to further extort companies by threatening to publish the stolen files unless a financial ransom is paid.

TechCrunch also found dozens of organizations that were using affected GoAnywhere file transfer software at the time of the ransomware attack, suggesting more victims are likely to come.

While the number of victims of the massive hack is on the rise, the known impact is murky at best.

‘130 organizations’

Since the attack in late January or early February — the exact date is not known — Clop has disclosed less than half of the 130 organizations it claimed to have compromised through GoAnywhere, a system that can be hosted in the cloud or on the network of an organization that enables companies to transfer huge datasets and other large files in a secure manner.

It is not clear whether Fortra, which has not publicly commented on the incident, already knows which customers have been affected. When reached by email, Fortra spokespersons Mike Devine and Rachel Woodford declined to comment or provide answers to our questions, including whether Fortra’s internal GoAnywhere systems that host customer data were also affected by the massive hack.

Details only came to light on Feb. 2 after independent security reporter Brian Krebs first reported details of the bug, which Fortra had hidden behind a login screen on its website. Fortra released security fixes for GoAnywhere five days later, on February 7.

By that time, the hackers had already stolen a lot of data from numerous victims.

Healthcare giant Community Health Systems, one of the largest healthcare providers in the United States, was the first to confirm it was one of the 130 organizations allegedly compromised through the GoAnywhere system. Digital finance giant Hatch Bank was next to confirm a breach related to the GoAnywhere bug, and then cybersecurity giant Rubrik. The list keeps growing.

Listed companies deny data theft

It’s not clear if Clop already knows what data it stole in its digital smash-and-grab. TechCrunch reached out to some of the organizations known to use GoAnywhere that were recently added to Clop’s leak site. Several responded and said they were unaffected.

Payment software startup AvidXchange, one of Clop’s newest additions, told TechCrunch that while it uses GoAnywhere to transfer files to a specific company that prints its checks, the company doesn’t store any data on Fortra’s platform.

“Our forensic investigation further substantiates our conclusion on this matter,” said AvidXchange spokesperson Olivia Sorrells. “Fortra notified AvidXchange of the vulnerability, remediation and results of their investigation related to AvidXchange’s GoAnywhere account the week the [vulnerability] announced,” the spokesperson said. “GoAnywhere took the instance of AvidXchange offline as soon as GoAnywhere became aware of the incident to further prevent unauthorized access to the platform.”

Clop’s leak site says data from AvidXchange is “coming soon.”

Department store giant Saks Fifth Avenue, which was added to the Clop leak site this week, tells TechCrunch that the hackers exploited the GoAnywhere flaw to steal phony customer data from its systems. “The fake customer data does not contain any real customer or payment card information and is used solely to simulate customer orders for testing purposes,” said Saks spokesperson Nicola Schönberg.

A number of other organizations recently added to Clop’s site declined to comment when asked if their GoAnywhere systems – most of which are hosted by Fortra – were affected.

Those include Swiss pharmaceutical giant Galderma, whose spokesman Christian Marcoux declined to answer our questions; healthcare call center provider ITx Companies, whose CEO Philip Gower declined to comment; Brightline, a children’s mental health startup whose CEO Naomi Allen deferred to spokesperson John O’Connor, who declined to comment; event planner Emerald Expositions, whose spokesperson Beth Cowperthwaite declined to comment; and MedMinder, whose spokesperson Stacy Clougherty said MedMinder is “aware of the allegations” but declined to comment further while the company investigates.

None of the companies disputed that they are customers of GoAnywhere.

Clop has released samples of data allegedly stolen from Onex seen by TechCrunch, including W-9 tax forms, pay orders and employee information including names, gender and email addresses. Onex has not returned requests for comment.

One of the organizations identified by TechCrunch as a GoAnywhere customer but not yet listed by Clop is the City of Toronto, which said it was not affected by the massive hack. “The city and Fortra have conducted an investigation and determined that there has been no exfiltration of internal or resident data,” said city spokesman Ashika Theyyil.

Other identified GoAnywhere users did not respond to multiple requests for comment, including Canadian rehabilitation and mental health services provider Homewood Health; UK-based affordable housing provider Guinness Partnership; retail bank Avidia Bank; Medex Healthcare; Cornerstone Home Lending; and Colombian energy giant Grupo Vanti.

Lorenzo Franceschi-Bicchierai contributed.


If you know more about the Fortra bug or breach, you can safely contact Carly Page on Signal on +441536 853968 or by email. You can also contact Zack Whittaker on Signal and WhatsApp at +1 646-755-8849 or zack.whittaker@techcrunch.com. You can also contact TechCrunch via SecureDrop.
