Ransomware Attack Exfiltrates Employee Data Going Back 24 Years

DESCRIPTION

Portland dining and hotel chain McMenamins announced on December 15, 2021, that it had been the victim of a ransomware attack. The company believes its systems were first compromised on December 7, giving the attackers five days of access before the intrusion was discovered. As in many ransomware attacks of the previous two years, the threat actors exfiltrated the targeted data before encrypting it. In this case the data consisted of employee information going back as far as 1998: names, Social Security numbers, addresses, phone numbers, email addresses, birth dates, income information and performance evaluations. It is not known whether any direct deposit or bank account information was compromised. There is no evidence that customer information was affected. The company currently employs some 2,700 people, but the total number of records involved is estimated at 30,000. The Conti ransomware group is behind the attack, and the company states that it has not paid a ransom. Conti has been linked to more than 400 attacks on US and international organizations.

IDENTIFY INDICATORS OF COMPROMISE (IOC)

The company became aware of the attack from a ransom note that appeared on December 12, shortly after the encryption process began. It was then confirmed that multiple workstations, servers and point-of-sale systems had been encrypted. The Conti group is known to carry out its attacks during off-hours and to use double extortion: data is exfiltrated before encryption and, if the victim does not pay, published on the Conti News leak site or sold on the dark web. Conti operates a Ransomware-as-a-Service (RaaS) model in which affiliates are recruited and trained in its deployment techniques. Ransom payments are funneled through Conti, which claims to retain 30% of the proceeds.

CONTAINMENT

McMenamins' IT department immediately shut down its systems, taking its credit card payment and reservation systems offline. Internal phone systems were also out of service, but all locations remained open to walk-in customers. Because this was the middle of the holiday shopping season, customers could not purchase or redeem gift cards. The company immediately posted an FAQ page on its website apologizing for the inconvenience and describing the steps being taken. It has notified everyone employed with the company since 2010, but says it no longer has contact information for people employed between 1998 and 2010; anyone who worked for McMenamins during that period is encouraged to visit the web page. According to the page, the company is working with the FBI to identify the source and full scope of the attack, and anyone whose information was involved will receive free credit monitoring.

PREVENTION

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint cybersecurity advisory on the Conti ransomware group. The group uses several methods to gain initial access. Phishing emails with malicious attachments are the most common; the attachments contain embedded scripts that download malware such as TrickBot. The group also promotes fake software through search engine results to lure users into downloading malicious files, targets remote access systems using stolen or weak Remote Desktop Protocol (RDP) credentials, and has even used telephone calls for social engineering. According to the advisory, companies should take the following steps to protect against Conti ransomware attacks:

  • Keep all operating systems and applications fully patched in a timely manner.
  • Reduce your attack surfaces by removing any applications or software components that are no longer used.
  • Require that all remote users use multi-factor authentication (MFA) when connecting to enterprise assets.
  • Use a modern email security solution to block suspicious email attachments and filter out phishing emails.

The published advisory also lists the known vulnerabilities commonly exploited by Conti and the IP addresses the group has used for its communications.
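As an added illustration (not part of the original advisory or of HALOCK's material), the script below shows how a defender can detect one of the initial-access vectors named above, a successful RDP logon that follows a burst of failed logons from the same source, using Windows Security events 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP). It also marks whether the success landed outside staffed hours, since Conti is noted above for working off-hours. The events, hostnames, user names and IP addresses are constructed for the example; the 5-failure/10-minute thresholds and the 07:00-19:00 business-hours window are assumptions to tune for your own environment.

```python
"""Flag RDP logons that succeed after a burst of failures from the same source IP.

Windows Security log: 4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive (RDP). A success that follows many failures
from one IP inside a short window is the signature of a guessed or sprayed
password, the "stolen or weak RDP credentials" vector in the CISA/FBI advisory.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (made up for this example, not real data): one
# brute-force burst from 198.51.100.23 that ends in a successful RDP logon at
# 02:15, plus benign daytime activity. Field names follow the Windows event
# data names as they appear in a JSON-lines export.
SAMPLE_EVENTS = """\
{"time":"2021-12-07T02:14:03Z","EventID":4625,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"198.51.100.23","Computer":"POS-SRV01"}
{"time":"2021-12-07T02:14:09Z","EventID":4625,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"198.51.100.23","Computer":"POS-SRV01"}
{"time":"2021-12-07T02:14:15Z","EventID":4625,"LogonType":10,"TargetUserName":"administrator","IpAddress":"198.51.100.23","Computer":"POS-SRV01"}
{"time":"2021-12-07T02:14:20Z","EventID":4625,"LogonType":10,"TargetUserName":"administrator","IpAddress":"198.51.100.23","Computer":"POS-SRV01"}
{"time":"2021-12-07T02:14:26Z","EventID":4625,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"198.51.100.23","Computer":"POS-SRV01"}
{"time":"2021-12-07T02:14:31Z","EventID":4625,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"198.51.100.23","Computer":"POS-SRV01"}
{"time":"2021-12-07T02:15:02Z","EventID":4624,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"198.51.100.23","Computer":"POS-SRV01"}
{"time":"2021-12-07T09:31:10Z","EventID":4624,"LogonType":10,"TargetUserName":"mlee","IpAddress":"10.0.0.5","Computer":"FS01"}
{"time":"2021-12-07T11:02:44Z","EventID":4625,"LogonType":10,"TargetUserName":"mlee","IpAddress":"10.0.0.5","Computer":"FS01"}
{"time":"2021-12-07T13:05:00Z","EventID":4624,"LogonType":3,"TargetUserName":"svc-backup","IpAddress":"10.0.0.9","Computer":"FS01"}
"""

FAIL_THRESHOLD = 5              # assumption: this many failures before a success is suspicious
WINDOW = timedelta(minutes=10)  # assumption: look-back window for counting those failures
BUSINESS_HOURS = range(7, 19)   # assumption: timestamps are local and 07:00-19:00 is staffed


def parse_events(text):
    """Parse JSON-lines Security events and return them sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_credential_abuse(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per successful RDP logon that was preceded by at least
    `fail_threshold` failed RDP logons from the same source IP within `window`."""
    failures = defaultdict(list)  # source IP -> timestamps of failed RDP logons
    alerts = []
    for event in events:
        if event.get("LogonType") != 10:
            continue  # only RemoteInteractive (RDP) logons matter for this detection
        ip = event["IpAddress"]
        if event["EventID"] == 4625:
            failures[ip].append(event["time"])
        elif event["EventID"] == 4624:
            recent = [t for t in failures[ip] if event["time"] - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append({
                    "time": event["time"].isoformat(),
                    "computer": event["Computer"],
                    "user": event["TargetUserName"],
                    "source_ip": ip,
                    "failures_before_success": len(recent),
                    "off_hours": event["time"].hour not in BUSINESS_HOURS,
                })
            failures[ip].clear()  # a success ends the burst; count afresh from here
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_credential_abuse(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

Run against the sample, the script raises exactly one alert: the 02:15 success on POS-SRV01 from 198.51.100.23 after six failures, flagged as off-hours. The daytime logon from 10.0.0.5 and the lone failure that never turns into a success produce nothing. In production the same logic would read from your SIEM or the exported Security log rather than the embedded sample, and the alert is a reason to check whether the account is covered by MFA, not a verdict on its own.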

If you would like to speak with HALOCK about this attack, need assistance with analysis, or would like to further protect your web applications, please reach out to your HALOCK account manager or chat with us online at HALOCK.COM to schedule a call with one of our security experts.
