A small accounting firm north of Toronto has acknowledged being hit by ransomware last month.
Naz Sukhram, who heads a financial services firm that bears his name, confirmed Tuesday the company realized it was struck on May 26 when its server was encrypted.
“We thought we were a small company and would not get hit,” he said in an interview.
The six-person firm offers tax and bookkeeping services for small businesses and individuals.
The recently discovered Grief ransomware group claims responsibility for the attack. One of the files posted on its data leak website as evidence is what appears to be a screenshot of a text conversation between two people on a cellphone. The top of the image says, “Naz cell.” Sukhram said he recalls the conversation was with an employee.
Accompanying the screenshot is what appears to be a statement from the gang. “The network of Naz financial was screwed, and now we have about 5 GB data from the file servers, including internal company documents, personal and customer data. According to our rules we are publishing this data step by step in case if this company will keep silence.”
Sukhram said he doesn’t know how much ransom is being demanded. The company didn’t click on a link from the attacker, he said.
For the time being, his business has been paused as his IT support tries to retrieve the server’s data. Fortunately, he said, because of the pandemic the office has been closed and work has been slow.
How the company was compromised is unknown. “We’re not sure yet, we have to wait for the insurance company to send an investigator,” he said. “We don’t know if anything was stolen, or just encrypted.
“Hopefully we will be back up and running within a couple of weeks. Hopefully.”
Meanwhile, employees and customers have been told to watch their financial statements.
The Grief ransomware group was identified by security researchers at the end of May. At that time, it listed five victims on its site, including a British furniture company, an Italian municipality, a U.S. county, a Dominican Republic services firm and a Mexican food services company.
News site SuspectFile.com says Grief issued a statement suggesting it will not follow the common practice of other groups of negotiating ransom payments with victim firms.
Calling themselves “the new generation,” the statement says, “No more Discounts, time of long-term negotiations with brainwashing and tons of proofs is finished. The game is over for companies who like the long negotiations, pay or grief comes to you.”
Rare to hear from victim SMBs
In an interview, Brett Callow, British Columbia-based threat researcher for Emsisoft, said that while people hear about ransomware attacks on major firms like U.S.-based Colonial Pipeline, the overwhelming number of victims are small businesses.
“But because those incidents don’t typically make the news, small businesses may not realize they are still very much in the crosshairs [of attackers] and thus may not pay as close attention as they should to security,” he said.
Most attacks still succeed because of fairly simple security mistakes, he added. “So by paying attention to the basics, smaller businesses can significantly reduce the likelihood of them being the next victim.”
The basics include patching software as soon as security updates are released, having employees and customers use multifactor authentication as extra protection for logins and training employees on proper cybersecurity procedures.
Security researchers talk about ransomware groups focusing on “big game hunting” – meaning looking for big targets like large corporations and governments. But, he said, “they tend to be completely indiscriminate and will attack whoever they can.”
Only the group known as Evil Corp. is narrowly focused on big targets, he said.
Target organizations are often chosen and initially infected by affiliate gangs of ransomware groups, he added, rather than by the developers. These affiliate groups are then paid a share of the ransom.
Separately, the REvil ransomware gang says a Western Canadian hotel chain is one of its latest victims. As proof it has posted copies of people’s drivers’ licences, passports, job applications and an insurance benefits claim it says were copied from the files of the hotel chain. ITWorldCanada.com has left two messages for the chief executive of the company, but there has been no response.
Another warning
Meanwhile, BlackBerry today issued a warning that the Pysa/Mespinoza ransomware group is using an improved version of a remote access trojan written in the Go language for infiltrating Windows systems. Dubbed ChaChi, BlackBerry says it’s another entry in the expanding list of malicious software written in Golang, which is a relatively young programming language.
“As this is such a new phenomenon, many core tools to the analysis process are still catching up. This can make Go a more challenging language to analyze,” the report indicated.
ChaChi was first seen in the wild in early 2020. Recent versions are more refined.
Common targets by this group are in the education sector, the report adds.