A Montreal-based insurance firm’s website is still offline four weeks after a cyberattack and is still trying to recover from the incident.
Promutuel Assurance says the attack started on Dec. 20 and made its IT systems unavailable. In a statement yesterday, the firm said that, so far, its investigation shows no signs of compromised social insurance numbers, driver’s licence numbers, credit card numbers or banking information of insured members.
However, the statement added, personal information of past, present and retired employees “may have been compromised.” As a precaution, Promutuel says it will provide them with credit monitoring and data protection services.
In an email, a spokesperson for the company was asked to confirm to IT World Canada if the incident was ransomware. According to a source working for a cybersecurity research firm in Canada who wished to remain anonymous, the website of the DoppelPaymer ransomware gang lists Promutuel as a victim. It also lists file names it allegedly copied in an attack. Typically, DoppelPaymer threatens to release copied files if the victim doesn’t pay for a data decryption key.
The spokesperson referred the publication to its official statement, which didn’t explain the attack’s source.
Earlier this week, the Journal de Quebec reported that confidential documents from the firm had been published online. In a story today, the news site said Promutuel told it those 15 files were recovered.
Another attack
Meanwhile, late Friday afternoon, the receiver for the Nygard group of companies issued an advisory to employees, customers and partners about a Dec. 12 ransomware attack.
Richter Advisory Group Inc., the court-appointed receiver of Nygard Holdings (USA) Limited, Nygard Inc., and several related companies, said it issued the statement to advise current and former employees, customers, suppliers and others to monitor their information for any unusual activity, including suspicious emails or other communications that claim to be from the retailer.
Richter has been selling off Nygard assets for several months after taking control of the company in March 2020. The cyberattack happened after the receiver took over the company. However, it says that while the attack encrypted many servers, data copied for forensic purposes wasn’t impacted.
On Dec. 30, Richter issued a report to the Manitoba court on the progress of its work, which included a description of the attack. It said the attackers from the Netwalker ransomware gang initially demanded the equivalent of about $3.6 million in bitcoin for the decryption key or copied data would be released. That demand has gone up to the equivalent of $7 million.
In its statement to the court, the receiver said a ransom wouldn’t be paid.
Richter has hired security firm Sophos to work with it to try and restore data from Nygard backups. As of the end of December, the receiver couldn’t say who might be impacted by the attack. Of Nygard’s 245 servers, 58 were encrypted, including five with data on current and former employees, five with sales data and eight with financial data. The report says 54 backup servers are available, but it isn’t confident the data can be relied on in part because the attack damaged Nygard’s IT system.
Former company head Peter Nygard was taken into custody Dec. 15 and is awaiting extradition to the U.S. on allegations of racketeering, sex trafficking and related crimes.