
What do San Carlo Gruppo Alimentare and Artsana have in common? They are both victims of ransomware

by admin

Last week the news of the attack on SIAE by a ransomware gang quickly attracted media attention.
While there is no evidence that the company's files were actually encrypted, the data breach has been confirmed: it has already affected the authors SIAE represents and could affect them severely in the weeks to come.

The San Carlo food group under hacker attack


The extortion model that leverages the threat of publishing stolen data increases, on the one hand, the likelihood that victims will pay the ransom and, on the other, favours the spread of news of the attacks in the media, raising the pressure on the victims and their customers.
In these hours several Italian companies are under attack, among them important organizations such as San Carlo Gruppo Alimentare SpA and Artsana, a distributor of products for children and healthcare.
Both companies were hit by the same ransomware group, known as Conti, a gang that runs its own website (leak site) hosted on the Tor anonymization network, on which it publishes news of its attacks and releases the data stolen from victims.


Figure 1 – Images from the Leak site of the Ransomware gang Conti

In the case of the San Carlo group, the criminals published a list of files with a total size of about 59 MB as proof of the intrusion.
The files published by the Conti group for the attack on San Carlo include passports, identity cards, financial information, invoices and much more.
At the moment we do not know the amount of the ransom requested.


Figure 2 – Images from the Leak site of the Ransomware gang Conti

It is currently unclear whether the cybercriminals encrypted the information of the two companies or only stole the data in order to blackmail them. But who is the Conti ransomware group?
According to data produced by the threat intelligence firm DarkTracer, the group is one of the most active in the threat landscape, as can be seen from the graph below.

The Conti group is considered one of the most ruthless because of its propensity to attack healthcare facilities, emergency services and law enforcement agencies even during the pandemic. Among its most sensational attacks is the one on the Irish health system (HSE) this year, which paralysed the entire national network with a severe impact on many facilities.
The group operates a Ransomware-as-a-Service (RaaS) model: it provides a network of affiliates with its malware and the infrastructure to manage it, and in return keeps a percentage of the ransom that depends on the amount paid by the victims.
Several hundred organizations have been affected by the group, most of them US companies. The group is also known for its huge ransom demands, which in some cases have reached 25 million dollars.
It must be said that in some cases the Conti group has not honoured its agreements with victims, who, despite paying the ransom, have not been able to recover their encrypted files.


Figure 3 – Source DarkTracer

How exposed is Italy to ransomware attacks? No less than organizations in other countries: the huge proceeds of this criminal practice continue to attract criminal groups which, thanks to the RaaS model, are able to monetize their efforts quickly.
According to statistics provided by DarkTracer, 3,338 organizations in 105 countries were affected by the main ransomware gangs between 1 May 2019 and 6 October 2021. Italy ranks sixth among the affected countries (3.6% of attacks); the sad record belongs to the United States (56%), followed at a distance by Canada (6.1%).


Figure 4 – Source DarkTracer

What is happening in these hours? The attacks continue unabated, and other gangs are targeting Italian organizations, including LockBit, which in recent days hit the Selini Group.
However, I would like to point out a series of unusual attacks that we are observing with my team: ransomware attacks in which, apparently, no information is exfiltrated.
The only distinctive sign of this mysterious criminal gang, assuming it is one and is not operating with other purposes, is the extension [email protected], which it appends to every file it encrypts.
It is also unusual that the group leaves no ransom demand on the affected machines; this could be a kind of diversion aimed at hindering investigations.
Apart from this threat, it is reasonable to expect an intensification of attacks in the coming weeks, also in light of the recent call to arms by the ransomware group Groove. In a statement, the group urged all ransomware gangs to join forces against the interests of the United States, guilty in its eyes of a harsh crackdown on another ransomware group known as REvil, whose attack infrastructure was seized in an international operation conducted by law enforcement.
There is no time to waste: we need to raise the alert level of our companies to avoid massive damage and potential catastrophes.
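The indicators described above (many files renamed with an appended, e-mail-address-like extension, content that is no longer readable, and no ransom note left behind) can be checked with a small triage script. The following is an added example, not code from the original article or from any of the groups discussed. The real extension is redacted on the page, so the script assumes only that the suffix has the shape of an e-mail address; the suffix `.restore@example.com`, the ransom-note name fragments and the sample files it builds are all constructed for the demonstration.

```python
"""Triage a directory tree for the footprint described in the article:
files carrying an appended e-mail-like extension, high-entropy (probably
encrypted) content, and no ransom note. Added example; all names are assumed."""
import math
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: the real extension is redacted in the article; we only assume it
# is an e-mail address appended after the original file name, e.g.
# "invoice.pdf.restore@example.com".
EMAIL_SUFFIX = re.compile(
    r"\.[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)
# Hypothetical fragments typical of ransom-note file names; their absence is the point here.
NOTE_HINTS = ("readme", "how_to", "howto", "decrypt", "restore", "recover")
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """Text/HTML file whose name contains one of the note hints."""
    name = path.name.lower()
    return path.suffix.lower() in (".txt", ".html", ".hta") and any(h in name for h in NOTE_HINTS)


def scan(root: Path, sample_size: int = 4096) -> dict:
    """Walk the tree and report renamed files, which of them look encrypted,
    whether a ransom note exists, and whether the whole pattern matches."""
    renamed, high_entropy, notes = [], [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if looks_like_ransom_note(path):
            notes.append(path)
            continue
        if EMAIL_SUFFIX.search(path.name):
            renamed.append(path)
            with path.open("rb") as fh:  # read-only: never modify evidence
                head = fh.read(sample_size)
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                high_entropy.append(path)
    return {
        "renamed": sorted(p.name for p in renamed),
        "high_entropy": sorted(p.name for p in high_entropy),
        "ransom_note_found": bool(notes),
        # mass rename to an e-mail-like suffix, encrypted content, no note
        "matches_pattern": bool(renamed) and len(high_entropy) == len(renamed) and not notes,
    }


def build_sample_tree() -> Path:
    """Constructed sample data: one untouched text file and two files renamed with the
    hypothetical suffix; deterministic pseudo-random bytes stand in for ciphertext."""
    root = Path(tempfile.mkdtemp(prefix="ransom-scan-"))
    rng = random.Random(2021)
    (root / "notes.txt").write_bytes(b"quarterly figures\n" * 200)
    for name in ("invoice.pdf", "passport-scan.jpg"):
        blob = bytes(rng.getrandbits(8) for _ in range(8192))
        (root / f"{name}.restore@example.com").write_bytes(blob)
    return root


if __name__ == "__main__":
    for key, value in scan(build_sample_tree()).items():
        print(f"{key}: {value}")
```

The entropy heuristic on its own is not sufficient: compressed archives, images and already-encrypted documents also score close to 8 bits per byte, so it is combined with the rename pattern rather than used alone. On a real host the scan should run read-only (as above) and the results, together with file timestamps, should be preserved before any cleanup, since the absence of a note may itself be deliberate.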
