Extortionists leak data of huge firms after IT provider refuses to pay

Financial data from some of the world’s biggest companies – including Porsche, Oracle, Toshiba and more – has been stolen and published in a ransomware attack on the large, Germany-based IT provider Citycomp.

Citycomp, which says that it maintains over 70,000 servers and storage systems “of every type and size” in 75 countries, issued a statement saying that it had “successfully fended off a hacker attack” in early April and that it has no intention of complying with the blackmail attempt.

Given its refusal to capitulate, Citycomp said, the data couldn’t be saved from being doxxed. “Full transparency” was in place and it informed its customers “right from the start,” it said.

[Citycomp] does not yield to blackmail. The repercussion is the publication of the stolen customer data.

While Citycomp said that the attack had been stopped, a security firm it’s working with, which was authorized to speak to Motherboard, told the publication that as of Tuesday it was still ongoing. Michael Bartsch, executive director of Deutor Cyber Security Solutions, said:

Citycomp has been hacked and blackmailed and the attack is ongoing. We have to be careful as the whole case is under police investigation and the attacker is trying all tricks.

The hackers created a .onion Dark Web site where the stolen data can be browsed and downloaded. The list of victims includes names such as Porsche, Oracle, Toshiba, the New Yorker, Ericsson, Leica, UniCredit, British Telecom, Hugo Boss, NH Hotel Group, and Airbus, among many others. On the site, the hackers claim that they have “312,570 files in 51,025 folders, over 516GBb data financial and private information on all clients.”

[Image: a screenshot of the dark web site housing the Citycomp data]

Bartsch told Motherboard that, after Citycomp informed and warned all of its clients and was fully transparent from the outset, their support has been “unanimous.”

The hacker(s) told Motherboard in an email that the point of the attack was financial: using the handle Boris Bullet-Dodger, they told Motherboard’s Joseph Cox that they had demanded $5,000 from Citycomp.

“Boris” claimed to have prowled Citycomp’s systems for just over a month, and that they targeted Citycomp specifically because “they have an [sic] totally awful security system.”

The hacker(s) said they had no intention of extorting the client companies themselves:

No, these companies are not guilty of awful work of citycomp.

What to do?

As we’ve mentioned before when reporting about ransomware, defending against a determined, targeted attack demands defense in depth, and, as in many things, prevention is better than cure. That starts with ensuring that your systems are patched and your Remote Desktop Protocol (RDP) is secure, and finishes with regular, comprehensive, off-site backups, with much else in between.

To read more about those things and the preventive steps you can take to protect yourself against targeted ransomware of all stripes, read our article on how to defend against SamSam ransomware.