Indian Fashion Retailer Data Leaked on Darknet Marketplace
Ransomware Negotiations Failed, Says Ransomware Gang ShinyHunters
Ransomware group ShinyHunters has stolen 700 GB of data belonging to customers and employees of Indian fashion and retail firm Aditya Birla Fashion and Retail, or ABFRL, Troy Hunt, founder of Have I Been Pwned, tells Information Security Media Group.
Hunt has "confirmed and verified" the breach to ISMG, adding that the leaked data was sourced from an external contact.
Independent cybersecurity researcher Hunt's platform allows users to check whether their personally identifiable information has been compromised by data breaches.
Compromised data on the customer front includes 5.4 million unique email addresses, names, phone numbers, street addresses, order histories and passwords stored as Message Digest 5 - or MD5 - hashes, Hunt says in a Have I Been Pwned post. The salary grade, marital status and religion of ABFRL's employees have also been exposed, he says.
The ransomware group tells ISMG that it will not sell customer credit and debit card data in its possession.
The retailer has not released a statement acknowledging the incident, but a source at the company tells ISMG that its security information and event management logs have not detected brute force attacks or other intrusion attempts.
Compromised PII data can be used by bad actors for spear-phishing attacks. And while the passwords were stored as MD5 hashes, these are no longer "unbreakable."
The MD5 hash function produces a 128-bit digest of the data it is given; it is a hash function, not encryption. Although the Payment Card Industry Data Security Standard recommends that payment companies protect stored card details with the comparatively stronger SHA-256, MD5 is still one of the most commonly used hash functions.
The problem, as machine identity protection firm Venafi says, is that MD5 is considered "weak and insecure" and is prone to hash collision vulnerabilities.
Fraud detection specialist SpyCloud estimates that a medium-complexity password stored as a salted MD5 hash can be broken in less than 18 minutes.
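For defenders holding a table of salted MD5 password hashes, the following added example (not from the article or from ABFRL) shows one way to retire them: wrap every stored digest in a slow key-derivation function immediately, without needing the passwords, then move each account to a plain slow hash at its next successful login. The record layout, the legacy scheme MD5(salt || password) and the choice of PBKDF2-HMAC-SHA256 are assumptions made for the example.

```python
import hashlib, hmac, os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune for your hardware)

def md5_hex(salt: bytes, password: str) -> str:
    # Legacy scheme assumed for this example: hex(MD5(salt || password))
    return hashlib.md5(salt + password.encode()).hexdigest()

def slow_hash(secret: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS).hex()

def wrap_legacy(rec: dict) -> dict:
    """Protect a dormant account now: PBKDF2 over the stored MD5 digest."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2-md5", "legacy_salt": rec["salt"], "salt": salt,
            "digest": slow_hash(rec["digest"], salt)}

def new_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt, "digest": slow_hash(password, salt)}

def verify(rec: dict, password: str):
    """Return (ok, record); on success the record is upgraded to plain PBKDF2."""
    if rec["scheme"] == "md5":
        candidate = md5_hex(rec["salt"], password)
    elif rec["scheme"] == "pbkdf2-md5":
        candidate = slow_hash(md5_hex(rec["legacy_salt"], password), rec["salt"])
    elif rec["scheme"] == "pbkdf2":
        candidate = slow_hash(password, rec["salt"])
    else:
        return False, rec
    # Constant-time comparison of hex digests
    if not hmac.compare_digest(candidate, rec["digest"]):
        return False, rec
    return True, (rec if rec["scheme"] == "pbkdf2" else new_record(password))

# Constructed sample record in the assumed legacy format (not data from the breach).
LEGACY = {"scheme": "md5", "salt": b"\x01\x02\x03\x04",
          "digest": md5_hex(b"\x01\x02\x03\x04", "Summer2021!")}

if __name__ == "__main__":
    wrapped = wrap_legacy(LEGACY)
    ok, upgraded = verify(wrapped, "Summer2021!")
    print(wrapped["scheme"], ok, upgraded["scheme"])
```

Wrapping raises the per-guess cost for anyone who obtains the table after the migration; it does nothing for MD5 digests that have already left the building, so affected users still need a forced reset.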
Ransomware Negotiations Gone Wrong?
ShinyHunters, which has hosted the compromised database on dark web marketplace RaidForums, says in a post on the same forum that its negotiations with ABFRL "failed" as the negotiator from the retailer's end "kept stalling."
The threat group shared screenshots of its alleged email conversation with ABFRL's appointed negotiator, which shows that the ransomware negotiations started on Dec. 4, 2021.
Although the ransom amount demanded by ShinyHunters has not been disclosed, the group, in its note on RaidForums, says that "the offer was more than reasonable for a $45 billion conglomerate."
ABFRL, a part of Fortune 500 company Aditya Birla Group, runs more than 3,212 stores across 36 countries in North and South America, Africa and Asia, with a customer base of 36.7 million.
A report by media site DataBreaches.net says that although the retailer detected and stopped the attack "early," the threat actors continued to have access to the data.
While ABFRL has not disclosed a successful ransomware attack so far, a 2018 Economic Times news report said that more than 2,000 computers in the company were targeted by hackers for cryptomining.
A spokesperson from the company at the time told the newspaper that the Aditya Birla Group used threat management systems that constantly monitored and protected business-critical infrastructure and therefore the suspicious activity was flagged by its advanced threat detection systems.
ShinyHunters tells ISMG that its U.S. and E.U. targets pay ransoms 80% of the time, while businesses in India and Brazil rarely settle. "In India, if we don't publish a small sample of the dataset, they don't care at all," it says.
Among its Indian targets are grocery platform BigBasket, education platform Unacademy, online pharma company Medlife and online trading firm Upstox.
The group hosted 22 million user accounts from Unacademy and reportedly sought $1.2 million in ransom from Upstox.
Apart from Upstox and Medlife, none of its other targets paid ransoms, ShinyHunters says, adding that it only published a "small subset" of stolen Upstox data on darknet forums.
Citing the May 2020 ransomware attack on San Francisco-based e-commerce company Minted, which resulted in 5 million user records being sold online and a subsequent class action settlement of $5 million, ShinyHunters says that the company could have gotten away by paying the $50,000 ransom amount it sought from the firm.
On whether it can guarantee that the stolen data won't end up being sold despite ransom payments, the threat actor says it kept its word in the Upstox and Medlife breach incidents.
But an analysis by ISMG shows why paying a ransom to threat actors is rarely the right solution.
Businesses, it says, must consider that decryptors don't always work, recovery and clean-up incur substantial costs, and file hierarchies could be shredded. Most importantly, paying a ransom is never a permanent solution, as it leaves payers more likely to be attacked again. And paying perpetuates the business model for attackers, so the only way to check ransomware groups is by cutting their return on investment, the blog post says.
The ShinyHunters ransomware group joined the dark web database marketplace in May 2020. It gained traction in the hacking community following its breach and subsequent sale of 91 million customer records belonging to Indonesia's largest e-commerce firm, Tokopedia, on May 5, 2020.
According to cyberthreat intelligence firm Intel 471, "ShinyHunters tries to obtain legitimate credentials, most likely for a company's cloud services."
Having obtained the credentials, the group targets the victim company's database infrastructure to gather personal information belonging to the company's users or customers, it says.
Intel 471's report says that it has observed ShinyHunters targeting DevOps personnel or GitHub repositories to steal valid open authorization - or OAuth - credentials, which can be used to access a company's cloud infrastructure and bypass multifactor authentication.