June 2-8, 2022 | Issue 11 - Counterintelligence/Cyber (CICYBER)
Keanna Grelicha, Marina Tovar, CICYBER Team
Carlos Hochberger, Editor; Jennifer Loy, Chief of Staff
Ransom note[1]
Date: June 2, 2022
Location: France
Parties involved: Industrial Spy; SATT Sud-Est; customers
The event: Industrial Spy, a data extortion group, has recently used ransomware in its operations to extort a French company named SATT Sud-Est. When the victim did not pay the ransom on time, the group publicly displayed the ransom notes on the company’s websites detailing the amount of data stolen and an email address. This tactic is new as the ransom details are exposed when ransomware negotiation processes, and its details are typically secret.[2]
Analysis & Implications:
Industrial Spy will very likely use the customer’s data stored in the SATT Sud-Est system like bank credentials from the ransomware attack to impersonate them and move the victims’ savings to their accounts to expand their profit. If the impersonation were not effective, Industrial Spy would very likely threaten the victims to sell their data on the Dark Web to obtain a ransom from them. The two-fold strategy almost certainly enables them to profit from the attack by threatening the targeted enterprise with a ransom and the users associated with it by impersonating or threatening them for a ransom.
Industrial Spy has very likely used this new method to put additional pressure on the company to force them to pay the ransom as the publicity of the ransom note could very likely affect their reputation. Customers who see the ransom note could very likely feel distrust and stop using the victims’ services, very likely decreasing their revenues. The threat of decreased profits will very likely pressure the victim to pay the ransom, making the group’s new tactic very effective. The tactics’ effectiveness could very likely lead other ransomware groups to replicate this operation to increase their possibilities of acquiring a ransom.
Date: June 4, 2022
Location: Miami, Florida, USA
Parties involved: Yuga Labs; Otherside Metaverse; Ethereum; community manager; unknown hacker(s)
The event: Unknown hackers conducted a phishing attack on a community manager’s (CM) account of Yuga Labs, a blockchain[3] technology company. Yuga Lab’s Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) digital art collections and Otherside Discord server[4] compromised from the scam led to the theft of $257,000 in Ethereum[5] and 32 Non-Fungible Tokens (NFTs).[6] The phishing email from the threat actors presented a limited giveaway for individuals who have BAYC, MAYC, or Otherside NFTs that would provide them with another free NFT held in a linked digital wallet.[7]
Analysis & Implications:
The hackers very likely bypassed the login phase of the CM’s account from a lack of security measures like two-factor authentication (2FA), very likely allowing them to harvest the NFTs and Ethereum without detection. Undetected harvest of NFTs will likely affect the security control of the tokens that could likely lead to the replication of the digital art, likely making the collections less valuable for the buyer and the platform. The threat of replication from lack of security will likely force the platforms to centralize the records collected to trace the movement of the NFTs if stolen. Centralizing the records will likely lead to fewer scams and illicit services operating in the digital wallets as the transactions will likely be more traceable within the blockchains.
The hackers could likely conduct a ransomware operation from the data gathered from the compromised servers, including other NFT collections. Hackers will likely threaten the victims with encryption of their NTFs to obtain a ransom as the victim will very likely pay to prevent encryption of their NFTs. If the victims cannot pay the ransom, the hackers will very likely resale or replicate the NFTs to make a profit from the digital collections. Other hackers viewing these ransomware operations as successful will very likely lead to an increase in cyberattacks targeting NFT holders and platforms that hold digital assets to threaten with encryption to obtain a ransom.
Yuga Lab's user scams will very likely affect confidence in the platform regarding its ability to prevent phishing scams, which will very likely cause users to migrate to other platforms to store their NFTs. A migration of the users with the cost of a ransomware operation could very likely decrease Yuga Labs’ digital assets significantly if they cannot restore the compromised servers and the affected users’ trust before further attacks. The threat of a decrease in digital asset revenue and users will very likely result in increased security measures like updated firewall protection and the implementation of 2FA for all users within Yuga Lab.
________________________________________________________________________ The Counterterrorism Group (CTG)
[1] “Bildschirmfoto von Goldeneye Ransomware. Personal decryption code entfernt. Darknet URL teilweise entfernt” by BlueBreezeWiki licensed under Creative Commons Attribution-Share Alike 3.0 Unported
[2] Ransomware gang now hacks corporate websites to show ransom notes, Bleeping Computer, June 2022, https://www.bleepingcomputer.com/news/security/ransomware-gang-now-hacks-corporate-websites-to-show-ransom-notes/
[3] “Blockchain is a database where bitcoin transaction data is stored and establishes security between the transactions with a third party.” Blockchain Explained, Investopedia, March 2022, https://www.investopedia.com/terms/b/blockchain.asp
[4] “Otherside is a metaverse that appears as a gaming platform for individuals who have plots of land in this digital space.” What Is Otherside: Everything To Know About the Bored Ape Metaverse, Bybit, April 2022, https://learn.bybit.com/metaverse/what-is-otherside-bored-ape-metaverse/
[5] “Ethereum blockchain is a decentralized platform that allows individuals to perform cryptocurrency transactions through secure means.” What is Ethereum?, Amazon Web Services, 2022, https://aws.amazon.com/blockchain/what-is-ethereum/
[6] “NFTs are non-replaceable trading cards that could be digital art in the cryptocurrency space where transactions are held on blockchains.” NFTs, explained, The Verge, August 2021, https://www.theverge.com/22310188/nft-explainer-what-is-blockchain-crypto-art-faq
[7] Bored Ape Yacht Club, Otherside NFTs stolen in Discord server hack, Bleeping Computer, June 2022, https://www.bleepingcomputer.com/news/security/bored-ape-yacht-club-otherside-nfts-stolen-in-discord-server-hack/