
With the attack on Siae, the Everest cybercriminal gang is looking for more publicity than money

by admin

An American opera singer born in Charleston, the driving license of a Roman born in 1952, BG, a tax card, a San Marino identity card and a request for registration for a television opera: this is what the criminal gang known as Everest posted on its blog on the Dark Web to claim the cyber attack on SIAE, the Italian Society of Authors and Publishers.

The attack was made public only in the last few hours, but it could have taken place much earlier, as usually happens in these cases. In announcing it, the group claims possession of 60GB of data and says it is ready to publish it. The group’s name, Everest, comes from the software code they use in their attacks. Already seen in action in 2018 under another name, Everbe, the Russian-speaking group had been identified by McAfee and, active in the last quarter of 2021, has today gained the Italian limelight precisely to make itself known as a cyber threat. Because one thing is certain: this is what the ransomware attack is for, to make noise, to make yourself known and to scare you.



A new ransomware gang
If you dive into the depths of the Dark Web with the right link, this is what their site says about the theft of SIAE data: “These are customer data, financial documents and other very important documents. A huge number of passports, driver’s licenses, payment documents, bank accounts, credit cards and other user data. As the company decides whether or not to buy back the data, we study the demand on this data. Contact us”. And just below it appear the name of the Siae general manager and the telephone number of the company, at Viale della Letteratura, 30 in Rome.


In short, this is the usual modus operandi that we have come to know during the long ransomware epidemic that has hit Italy, and that the Everest criminals have replicated with various companies they attacked in the steel and packaging sectors in Ireland and Germany and in the energy sector in Spain, but for which they provide little or no evidence, as in the case of the US government data which they say they are ready to provide in private negotiation.

The Siae, however, confirmed the attack and added that the ransom would amount to 3 million euros in Bitcoin. Through its general manager, Gaetano Blandini, it made it known that it will not respond to any request for ransom, stating that “we have already made the complaint to the Postal Police and the Privacy Guarantor, as usual. All the authors who have been subjected to the attack will then be promptly informed. We will constantly monitor the progress of the situation, trying to secure the data of the SIAE members”.

A distinguishing feature of the group is the attention it pays to maintaining high levels of pressure on the victim during negotiations, such as “who knows what your customers will think”, says the computer security researcher Emanuele De Lucia. According to a study carried out in April by his company, Cluster25, the group had in the past attacked high-profile individuals, retail chains, law firms, airports and a large financial institution. It is a financially motivated but “opportunist” group, which means that even though they attack multi-million dollar organizations (the BGH strategy, Big Game Hunting or “big game”), their victims also include organizations that do not fit the usual patterns and were targeted simply because their cybersecurity was particularly poor.



What can happen with Siae data
If it is true that the data has only been exfiltrated, as the jargon goes, and has not been locked behind encryption, and the ransom is not paid, then what can usually be expected within a week is a series of attacks aimed at individual SIAE members, whose email addresses, home addresses and other data the criminals may know and from which they can trace further personal and biographical details to carry out scams or impersonation using social engineering techniques. This scenario is consistent with the fact that the group leverages the potential reputational damage to the company and the indirect pressure that the members whose data was involved in the data leak can put on it.

Laura Liguori, Partner of the Portolano Cavallo law firm, and Giulio Novellini, Counsel, comment: “These types of attacks show us that personal data are increasingly of economic value. In reality they have always had it, but only recently are we becoming more and more aware of how much personal information can be considered as a strategic asset. Indeed, once stolen, personal information can be transferred (or better sold) to third parties who can use it for the most varied purposes, mostly illegal: from the theft of the so-called digital identity, to online scams, to the execution of unauthorized purchases.”

But Blandini is probably right not to give in: “The Siae is the repository of potentially very interesting data for a potential attacker. Unfortunately, once withdrawn, it is impossible to limit its dissemination and the payment of the ransom would not guarantee anything in this sense”, adds De Lucia.


Already in recent months, phishing and spear phishing attacks (targeted theft of credentials) had intensified against the company that protects actors, singers and creatives, to the point of inducing Siae to warn them not to click on false communications apparently coming from it. The company had already been the victim of an attack in 2018 by hacktivists of AnonPlus, who apparently exploited a flaw in the SIAE content management system, Drupal.

The previous version of the software used in their attacks, which aimed at encrypting user data and demanding a ransom, was decrypted by cybersecurity experts Michael Gillespie and Maxime Meignan, who had developed a decryptor known as Everbe Ransomware. But, as the Cluster25 report says, “Everest contributes to an ever-growing trend in the ransomware landscape that tends to involve as many subjects as possible in ransomware operations using Ransomware-as-a-Service (RaaS) models by leveraging the resulting investment returns from successful campaigns. Considering factors such as ease of use and access to these programs as well as the ever-increasing number of participants, it is possible to foresee an increase in the general risks associated with this category of malware in the future”.

We translate for readers: Everest is looking for affiliates, people ready to resell that data and use their malware for new attacks.
