A real estate agency in British Columbia is investigating a ransomware attack that the owner says was caught before serious damage was done. But the incident raises the question of whether the attack came through the infection of a third party’s application.
Jerry Redman, owner and managing director of ReMax Kelowna, which has four offices in the city of 132,000, said in an interview Friday afternoon that fortunately, the attack happened at the same time as IT staff were overseeing a software update. The ransomware wasn’t launched, although some files were copied.
“We were on it within minutes of knowing it started, and that’s why [the attackers] don’t have much,” he said.
While a forensic investigation is still ongoing, so far Redman believes the only data attackers were able to copy was what he called “non-personal company data.” This includes “graphic design stuff that the company does for people.”
On Wednesday, the Conti ransomware group’s website listed ReMax Kelowna as one of its victims and included the names of 15 files it allegedly copied as proof of the attack.
Redman said he didn’t know after the incident that files were apparently copied until a reporter called him on Thursday.
“We had the attack shut down so fast we didn’t believe they got anything. We got no ransomware request from [attackers], our system never got locked down from them, but they obviously got a little bit of data.
“They never got the ransomware launched on our server… but they got a small data set. Luckily, it’s not a server that hosts a ton of stuff outside our company stuff. All of our other stuff is on different servers with different companies that do our software now. We moved it all about a year and a half ago.”
Where did it come from?
Asked if he knows how the attack was launched, Redman didn’t have answers. “Not a clue. The only thing we can think of at this point is we were doing a software upgrade from a major company and it started to happen about the exact same time.”
Redman said he wasn’t sure whether that upgrade was infected. “I don’t want to speculate, but that’s literally what we were doing when it happened, and that’s why we were able to shut it down so quick because my IT guys were here.”
The company got lucky, he added.
“Because I know somebody who was hit about a year ago and it cost them $4 million,” he said, referencing a business from a different industry, not in Kelowna.
Redman noted he doubts his firm was targeted.
Ransomware attacks through third-party software or supply chains are rare. Usually, attacks are initially launched through phishing and spear phishing; the exploitation of remote access software vulnerabilities, infected pirated software, drive-by downloads from infected websites, and infected removable media are also known to be used.
In an email, Brett Callow, a threat researcher for security firm Emsisoft, said supply chain attacks can enable attackers to gain an initial foothold. “But, I’ve never heard of such an attack being used to speedily exfiltrate data prior to deploying ransomware,” he wrote.