Celebrities' Data Dumped on Darknet Site After HackLondon-Based Graff Jeweller’s Clients Include High-Profile Celebs
The Conti cybercrime gang, known for ransomware attacks, has reportedly leaked details of world leaders, actors and business tycoons after a strike at London-based high society jeweler Graff.
The breach was confirmed to Information Security Media Group by the official spokesperson of The House of Graff, who said the organization is working with the relevant law enforcement agencies and has informed the U.K.'s Information Commissioner’s Office about the incident.
“Regrettably we, in common with a number of other businesses, have recently been the target of a sophisticated - though limited - cyberattack by professional and determined criminals. We were alerted to their intrusive activity by our security systems, allowing us to react swiftly and shut down our network," a spokesperson for The House of Graff tells ISMG.
Sam Curry, chief security officer at cybersecurity solutions vendor Cybereason, says that it could be many weeks before the real impact of the attack is known to the public.
"One thing that isn’t trivial for the celebs and A-listers that have reportedly had personal information stolen is that the people or organizations with deep pockets are more likely to pay a ransom than others. The threat actors know it and when they target organizations for theft, they will be persistent, patient and thorough in their attack," Curry notes.
A report in U.K. newspaper The Daily Mirror claims that the threat actors have leaked 69,000 confidential documents on a darknet site, including files related to Donald Trump, Oprah Winfrey and David Beckham.
The newspaper report also claims that the leaked data of about 11,000 individuals involves Graff's well-heeled clients, and the ransomware actors are demanding tens of millions of pounds in ransom money to stop the release of further sensitive information.
"We have informed those individuals whose personal data was affected and have advised them on the appropriate steps to take. Thanks to our robust backup facilities, we were able to rebuild and restart our systems within days - crucially, with no irretrievable loss of data," a Graff spokesperson says.
According to the report, the leaked documents include client lists, invoices, receipts and credit notes. The list includes international superstars, such as Tom Hanks, Samuel L. Jackson and Alec Baldwin.
“Sadly, it appears that notable brands, corporates and even government departments are deliberately targeted by unscrupulous operators in an effort to extort money [and] cause disruption or simply embarrassment," a House of Graff spokesperson notes.
Trevor Morgan, product manager at Comforte AG, says that details on the initial attack vector are speculative at the moment, however, the tactic could have been simple social engineering, in which a person is tricked into launching malicious code that appears as a seemingly innocuous attachment.
Morgan also says that the attackers most likely demanded the ransom in Bitcoin or some other difficult-to-trace form of payment.
"Some organizations in similar situations have been inclined not to pay the ransom and simply restore all IT systems in the case of encrypted files that halt operations. But in this situation, apparently we’re talking about stolen sensitive information that Graff would not want out in the open," he notes.
To avoid such situations, Morgan says, any organization possessing sensitive information should protect it with data-centric security as soon as it enters the enterprise ecosystem.
He recommends keeping sensitive information tokenized or encrypted in a way that preserves the original data format.
“Cybercrime continues to rise in scale and complexity. It is a threat to every business. Maintaining the highest level of security against these threats has always been a top priority for us. We are continually strengthening our systems to counter these threats as they evolve,” a House of Graff spokesperson notes.
Conti is one of several Russian-speaking ransomware operations - believed to be operating from countries that were formerly part of the Soviet Union - that have continued to hit targets in the U.S. and Europe, causing widespread disruption.
The U.S. government, which has been tracking an increase in the pace of attacks tied to Conti ransomware, recently issued a joint cybersecurity advisory from the U.S. Cybersecurity and Infrastructure Security Agency, FBI and National Security Agency, warning that Conti has so far successfully hit more than 400 organizations based in the U.S. and abroad (see: Conti Ransomware Attacks Surging, US Government Warns)
"In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment," the advisory states.
To better secure against Conti attacks, the alert recommends a range of defenses, including "implementing the mitigation measures described in this advisory, which include requiring multi-factor authentication, implementing network segmentation and keeping operating systems and software up to date."
Ransomware incident response firm Coveware reports that based on thousands of incidents it helped investigate from April to June, Conti was the second-most-prevalent ransomware it encountered, following Sodinokibi, aka REvil. Coveware said that while Sodinokibi accounted for over 16% of all incidents with which it assisted, Conti accounted for over 14%.
Like other ransomware-as-a-service operations, Conti relies on affiliates to infect victims. As some major ransomware operations have disappeared, rebranded or been on hiatus in recent months, experts say Conti appears to have been recruiting many of their affiliates, helping it to launch more attacks.