[BreachExchange] BC real estate agency sustains unusual ransomware attack

[Destry Winant]

https://www.insurancebusinessmag.com/ca/news/cyber/bc-real-estate-agency-sustains-unusual-ransomware-attack-246105.aspx

A British Columbia-based real estate agency is the latest victim of a
ransomware cyberattack – but the circumstances of the attack raise
more questions than answers.

Last week, the Conti ransomware group listed the ReMax Kelowna as one
of its victims on its website. To prove it had instigated the attack,
the group also listed the names of 15 files it allegedly copied from
ReMax Kelowna.

ReMax Kelowna owner and managing director Jerry Redman revealed that
the cyberattack had occurred at around the same time as the agency’s
IT staff were overseeing a software update. Redman also confirmed with
IT World Canada in an interview that while the ransomware IT staff
found was not launched, some company files were copied by the
attackers.

“We were on it within minutes of knowing it started, and that’s why
[the attackers] don’t have much,” Redman explained.

Although an investigation into the attack is still ongoing, Redman
believes that the malicious actors responsible for the breach only
managed to copy what the director calls “non-personal company data.”
This data includes “graphic design stuff that the company does for
people.”

Redman said that he was not aware that any files were stolen during
the attack until a reporter had informed him later that week.

“We had the attack shut down so fast we didn’t believe they got
anything. We got no ransomware request from [attackers], our system
never got locked down from them, but they obviously got a little bit
of data.”

Although the cyberattack against the real estate agency was confirmed
to be ransomware in nature, how the attack was launched remains a
mystery.

“The only thing we can think of at this point is we were doing a
software upgrade from a major company and it started to happen about
the exact same time,” Redman said when asked if he knew how the
cyberattack began.

Redman also said that he was unsure if the software upgrade itself was
infected with the malware.

“I don’t want to speculate, but that’s literally what we were doing
when it happened, and that’s why we were able to shut it down so quick
because my IT guys were here.”

Ransomware attacks are typically carried out through phishing and/or
spear phishing, exploiting remote access software, infected pirated
software, drive-by downloads of infected websites, and infected
removable media. But ransomware attacks through third party software
or supply chains – as Redman suspects what happened – are rare, but
not unheard of.

When asked for a statement on the cyberattack, Emsisoft threat
researcher Brett Callow told IT World Canada that supply chain attacks
can give attackers an initial foothold on the affected IT system, but
added that he has never heard of such an attack being used to quickly
exfiltrate data prior to deploying the actual ransomware.