Sony has appeared on the dark web victim blog of data extortion gang Ransomedvc, who claim to have infiltrated the company’s systems and stolen sensitive data. If confirmed, it will be the second time Sony has been breached in a matter of months, after the business was hit as part of the MOVEit Transfer vulnerability attacks.
Ransomedvc wrote on its blog that it had “successfully compromised all of Sony’s systems”, but added: “We won’t ransom them!”
Sony cyberattack a success?
The gang alleges that Sony has refused to pay to retrieve the data, and says it plans to sell it instead. It is threatening to release the allegedly stolen information on 28 September.
Samples of the data have been posted alongside these claims, reportedly featuring a PowerPoint presentation from Sony’s quality assurance division, internal screenshots displaying what could be a Sony workstation, and some Java files.
Tech Monitor has contacted the company for comment but has yet to hear back at the time of writing.
The alleged attack comes months after Russian ransomware group Cl0p gained access to Sony data as part of its attack on businesses around the world, which exploited a vulnerability in file transfer software MOVEit Transfer. Hundreds of companies, including some of the biggest names in business, have fallen victim to the attack, and Sony saw data stolen in June as part of the first wave of breaches.
Ransomedvc: cheaper than a GDPR fine?
Ransomedvc was initially uncovered by cybersecurity researchers in August. On its blog, the gang claims to be the “leading company in digital peace tax”.
The group’s ransom demands have so far ranged from $54,000 to $218,000, according to security company Flashpoint, which says the gang maintains it is charging less than the fines companies would receive for breaching Europe’s GDPR data laws. Such fines can run into millions of euros. Keeping demands lower might be a tactic to increase the chances of victims making the payment, Flashpoint said.
The researchers have doubted the legitimacy of some of the group’s claims. “Ransomed lists several companies as victims who have not paid their ransom,” the Flashpoint report says. “The payments of these companies are currently listed as ‘pending’, while a previous version of the site listed the payments as ‘pending/cancelled’.”
The gang is rumoured to include former moderators of now-closed data leak forums such as BreachedForums, meaning it may be trying to extort companies with data that is already publicly available.