[BreachExchange] Ransomware crew dumps stolen Optionis files online

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Fri Feb 11 11:07:09 EST 2022


https://www.theregister.com/2022/02/11/optionis_stolen_data/

What appears to be stolen data belonging to customers of accounting
conglomerate Optionis Group has surfaced on the dark web weeks after the
firm confirmed intruders had broken into its systems.

Optionis Group houses brands including Parasol Group, Clearsky, SJD
Accounting and NixonWilliams.

The Vice Society ransomware gang dumped what appears to be thousands of
files onto their dark web blog as downloadable links, as seen by The
Register.

The vast cache was published shortly before Optionis Group, which also
houses an umbrella company popular with tech contractors alongside its
accounting businesses, emailed its tech contractor customers saying "some
data belonging to Optionis was copied from our system."
Although we can't publish a screenshot here because doing so would expose
filenames which themselves refer to sensitive data, The Reg has seen
spreadsheets with names suggesting they contain the management accounts of
some customers' companies. Other files appear to be timesheets for
contractors, as well as letters to and from HM Revenue and Customs
discussing customers' tax status.

"These types of attacks can have far-reaching effects, resulting in
numerous freelancers not being paid, or companies being unable to pay
employees on time. Clearly, the knock-on effects of this are employees
suffering the consequences and potentially not being able to pay for
essential living costs," said infosec firm Cyjax in a client note
addressing the breach.

Several contractors that we spoke to who use the payroll services provided
by Parasol, the umbrella company in Optionis, told us they had only been
partially paid for freelance work undertaken in January.

Vice Society previously hit the public radar after targeting the Spar
supermarket chain, triggering a wave of shutdowns. Cisco Talos, in a blog
post last summer, described the crew as targeting American schools and
similar educational institutions. The threat intel business noted that Vice
Society tended to target VMware ESXi virtualization servers, as well as
using the PrintNightmare Windows spooler vuln.

The dumping of contractors' data online is the usual step when a targeted
organisation refuses to pay a ransom, in what experts have dubbed the
"double extortion" ransomware method. In this model, not only are an
organisation's files encrypted so the crims can demand payment for the
decryptor, but files are exfiltrated – allowing the crooks to demand a
second ransom to prevent their publication.

Optionis previously claimed to have 13,000 contractors on its books. The
accounting firm was breached back in January, as it said after discovering
"unauthorised activity" on its networks and pulling the plug.

Optionis did not respond to The Register's request for comment, but we will
update this article when it does. We have asked the ICO to comment.