Hackers have auctioned stolen data from Australian businesses on the dark web for around $82,000, with some advertising access to loan information, drivers’ licenses, Medicare cards, and passports.
In one instance, access to a finance company’s active loan dashboard was auctioned for $1000. According to the auction information, the purchaser received information on 3700 active loans and 3800 closed and pending loans.
“Client records have IDs (DL or passport, occasionally Medicare even payment card scans and pictures),” the threat actor known as Ronny posted on an underground Russian-language forum.
Ronny later bragged about using the “best Aussie stuff” in a post selling access to another finance company with “39,6k+ Aussie bank account”. The starting bid was $5,000, and it had a “Buy Now” price of $10,000.
“You will have at least 55k Name, DoB, and speech. And of course, [the] server might have client IDs, DLs, Medicare, statements, signatures, and all scans of what Aussies need to obtain financing,” Ronny wrote.
Hacker groups are also threatening to sell data stolen in ransomware attacks to blackmail companies into paying up. One group, Sodinokibi (also called REvil), has held 22 auctions on its website, Happy Website.
“Hello, I hope you’re smart men and contact us. Otherwise, your financial, personal information regarding customers and other important private records will be printed on our joyful blog,” Sodinokibi posted in June after claiming to have hacked Australian firm Chem Pack.
In July, a further post appeared: “We’ve downloaded your databases and fiscal documents. We recommend calling us.” This time, Quest Worldwide was the victim.
Quest confirmed the attack but played down its importance. “A UK-based server belonging to a twisted UK-domiciled sister thing was busted,” regional manager Wiet Pruim stated.
“The UK-based server contains only limited historical internal control data and no client nor usable data is on this host.”
Other firms targeted by ransomware hackers include drinks giant Lion, Regis Aged Care and an entity named Arafmi (the latter stands for Association of Relatives And Friends of the Mentally Ill and may refer to several separate groups across Australia).
The Australian Financial Review understands the Australian Cyber Security Centre reached out to an Arafmi entity after data was leaked online.
A spokesman for Regis said the firm had immediately implemented its own backup and business continuity systems. “The episode hasn’t materially impacted the provider’s day-to-day surgeries,” he said.
Lion’s spokeswoman said there was no evidence any data was stolen in the $US1 million ransomware attack. Still, Lion had “made contact with our clients, providers and people to notify them of the possibility.”
Victoria Kivilevich, a threat intelligence analyst at Israeli company KELA, said there had been an increase in attacks in the last few years, as well as in RaaS, or ransomware-as-a-service, with hackers often working together.
“The hottest ransomware breeds are operated by cybercriminals searching for monetary gain,” Ms. Kivilevich stated. “Chasing profits, ransomware celebrities are constantly inventing new procedures of intimidating victims.”
These methods include “stealing data and asking double ransoms; cooperating with other ransomware gangs; using stolen data to assault different sufferers; selling stolen data on auctions; notifying media, in addition to victims’ partners and customers about leaks.”
KELA specializes in dark web threat intelligence and provides clients a real-time dark web search engine named Darkbeast.