[BreachExchange] Canadian vehicle rental service hit by ransomware

Destry Winant destry at riskbasedsecurity.com
Fri Feb 19 10:45:40 EST 2021


https://financialpost.com/technology/tech-news/canadian-vehicle-rental-service-hit-by-ransomware

One of Canada’s biggest car and truck rental agencies is trying to
recover after being hit by a ransomware attack.

A spokesperson for U.S.-based vehicle rental giant Enterprise Holdings
acknowledged Saturday that its Canadian division, Discount Car and
Truck Rentals, was hit by a cyberattack. Enterprise’s Canadian
division bought Discount last fall. This is the latest Canadian firm
to be victimized by ransomware on the heels of a B.C. real estate
company suffering from a similar attack in late January.

Among Enterprise Holdings’ brands are Enterprise Rent-A-Car, National
Car Rental and Alamo Rent a Car.

As of Sunday morning, Discount’s website was still offline due to
“technical issues.”

IT World Canada asked the car dealership for comment when the Darkside
ransomware group posted a notice on its site several days ago that it
had copied 120GB of Discount’s corporate, banking and franchise data.

“Discount Car and Truck Rentals was subject to a ransomware attack
that impacted the Discount headquarters office,” according to a
statement sent to the publication. “A fully-dedicated team isolated
and contained the attack quickly. The team is working to investigate
and restore service as quickly and safely as possible.”

Asked by email if any customer or employee personal information was
copied and how the attack started, a spokesperson would only say the
investigation is still underway.

The online statement from the Darkside group says, “We downloaded a
lot of interesting data from your network. If you need proofs we are
ready to provide you with it. The data is preloaded and will
automatically be published if you do not pay.”

As proof of the data, there is a screenshot of alleged folders from
Discount’s file structure.

According to cybersecurity firm Acronis, Darkside emerged around
August 2020 to use encryption and data theft as pressure tactics to
get money from corporate victims. Among its Canadian victims is
Brookside Residential.

Several months after starting operations, Darkside announced an
affiliate program (dubbed ransomware-as-a-service by infosec pros),
allowing paying or authorized cybercriminals to use its code for
attacks in exchange for a share of ransom payments.

“We are a new product on the market, but that does not mean that we
have no experience and we came from nowhere,” the group said at the
time. “We received millions of dollars in profit by partnering with
other well-known cryptolockers. We created Darkside because we didn’t
find the perfect product for us. Now we have it.

“Based on our principles, we will not attack the following targets:
Medicine, education, non-profit organizations, government. We only
attack targets that can pay the requested amount, we do not want to
kill your business. Before any attack, we analyze your accountancy and
determine how much you can pay based on your net income. You can ask
all your questions in the chat before paying and our support team will
answer them.”

Cybersecurity firm Bitdefender released a decryption key in January,
hoping it would foil the ransomware. However, Darkside published a
statement saying it has “fixed” this and victims can’t rely on that
solution.

Meanwhile, the Conti ransomware group, which says it hit ReMax Kelowna
last month, has released over 10,000 documents it says were copied in
the attack. The documents include at least one T4 slip of an employee
or former employee.

The attackers’ move upset ReMax Kelowna owner Jerry Redman, who in a
Friday interview said he hadn’t received any threat notes or
communications from the attacker before the full load of stolen data
was released.

When Redman spoke to IT World Canada on Feb. 5, he said attackers
copied documents but couldn’t deploy ransomware. At the time, he said
the documents copied were largely PDFs on a server that had corporate
information. He emphasized that a server with customer information was
not affected.

“I know there were ten thousand documents posted online,” Redman said
Friday. “But that’s less than one per cent of the data on my server.
So they never got my server.”

“We will be notifying anybody of anything that is gone. None of our
client information is on that [compromised] server. If there’s a T4
slip on that server it would have been one of my staff who work for
us, or for the company before I owned it.”

All staff have been told there is a possibility personal data has been
copied, he said.

Asked how much personal data about individuals was dumped by the
threat group, Redman said it will take a bit of time to confirm.

“We’re still analyzing the data now … Anybody we need to help will be
looked after,” he explained.

Cybersecurity experts emphasize the importance of lowering the odds of
being hit by ransomware through cybersecurity basics. That includes
knowing where sensitive data is and protecting it through access
control and encryption; updating and patching software systems,
including websites, particularly antivirus and antimalware software;
and training employees to look for and not click on suspicious email
attachments and links.


More information about the BreachExchange mailing list