Ransomware attack: “BlackByte” hacks Swiss logistics group

The internationally active logistics group has fallen victim to a criminal group that the FBI and Secret Service have already warned about.

Follow

What do the San Francisco 49ers and the Swiss logistics group M+R Spedag Group have in common?

Both were hacked by BlackByte.

The full extent of the cyber attack cannot be estimated at this time. A countdown has been placed on the dark-colored criminal gang “leak site” which showed 15 days left on Wednesday evening.

How many gigabytes were stolen is unknown. When the alarm displayed on the infusion site expires, full disclosure threatens.Screenshot: watson

BlackByte belongs to the group of unscrupulous ransomware gangs that hack into the IT systems of Western companies, steal valuable data unnoticed, and eventually start encrypting with their own malware.

M + R Spedag Group AG is an international freight and logistics group. According to its own information, it has 2,000 employees and 82 branches.

The company, which is based in Muttens BL, has confirmed a hacker attack on Watson.

The Swiss IT news portal Inside-it.ch published the first report on the incident on Wednesday.

What does the company in question say?

Bernadette Jordan, head of public relations and communications, said Wednesday that customers and partners have been informed “since the end of last week.” “We consider the potential harm to be low.”

A common consequence of these ransomware attacks is that criminal attackers try to trick their victim into paying a huge amount of money for ransom. To do this, they put officials under pressure by threatening to publish the captured data on the dark web.

On the so-called BlackByte leak site, which can be accessed via the TOR anonymity network, there is a corresponding link, which in turn leads to a file host that specializes in anonymous downloads. This includes about 8GB of company documents from the M+R Spedag suite.

Watson was able to see the leaked data. It is a large number of old and relatively new files, including internal data, but also presentations and other documents related to many commercial customers.

How did the attack happen?

On Thursday, April 21, at 4:09 p.m., officials at M+R Spedag Group learned of the attack. Only the “organizational unit in Switzerland” was affected, it said. The next morning it was ‘fully working again’.

It is not known how hackers penetrated the foreign network. The spokeswoman explains that a corresponding vulnerability was closed and the peripherals were replaced within 48 hours. Additional measures have been taken with Swisscom.

In the past, BlackByte exploited many unpatched vulnerabilities in Microsoft Exchange Server to hack other people’s computers.

As CEO, Boris Lukic, told inside-it.ch, no ransom request has been received yet. It is entirely possible that this will change before the alarm expires.

Who is behind “Black Byte”?

The monuments lead to Russia (see below).

It is not known who is behind BlackByte. One thing is for sure: It’s a ransomware-as-a-service suite that has made its attack tools and infrastructure available to third parties for a fee and has been targeting businesses around the world since July 2021.

Actual malware used to encrypt victim data was reprogrammed in 2021 in Google’s Go programming language, making defensive measures more difficult for security researchers.

Reveal the details: When the Windows malware starts, it first checks the language of the victim’s system. With the following language settings, it ends up without doing file encryption:

A US IT security expert told Techcrunch in February that all indications were that BlackByte was based in Russia. However, criminals all over the world can gain access to the gang’s infrastructure – of course in order to “share the profits”.

The San Francisco 49ers, an American professional soccer team, were hacked in February prior to the Super Bowl Final. BlackByte later released only a few megabytes of stolen data.

Days ago, the FBI and Secret Service (USSS) issued a joint statement warning of attacks on critical infrastructure operators.

sources

This may also interest you: