[BreachExchange] Retailer Fat Face Pays $2 Million Ransom to Conti Gang

[Destry Winant]

https://www.bankinfosecurity.com/retailer-fat-face-pays-2-million-ransom-to-conti-gang-a-16277

Left unsaid in Fat Face's "strictly private and confidential" data
breach notification to affected customers this week was any indication
that the U.K.-based clothing and accessory retailer had paid a $2
million ransom to unlock its systems (see: British Clothing Retailer
Fat Face Discloses Data Breach).

But as Computer Weekly reported on Friday, based on details of the
ransom-payment negotiation obtained by its French sister publication,
LeMagIT, Fat Face's data breach traced to it having been hit with a
phishing attack on Jan. 10 by the Conti ransomware gang.

Responding to a 213 bitcoin - worth $8 million - opening ransom
demand, Fat Face's negotiator reportedly argued that due to the
COVID-19 pandemic, its revenue was down 75%. Ultimately, Conti agreed
to a $2 million payment, saying that it didn't want to bankrupt the
retailer, Computer Weekly reports.

The attackers triggered their crypto-locking malware one week after
gaining access to Fat Face's systems, evading its security defenses,
identifying its "Veeam backup servers and Nimble storage," and
exfiltrating 200GB of data, according to Computer Weekly.

Luckily for Fat Face, the firm had a cyber insurance policy with
Beazley Furlonge Ltd. that included coverage for ransom payouts. Or at
least that's what the Conti gang said in its negotiations with Fat
Face after the retailer said that the $8 million initial ransom demand
was too high.

“Our demands are lower than your insurance coverage," Conti's
negotiator shot back, according to screengrabs published by Computer
Weekly. "I have no idea how this can break you when you are insured
for 7.5 million pounds. I suppose it's time to contact your insurance
company."

Fat Face Confirms Payoff

>From a crisis communications standpoint, Fat Face arguably fumbled its
data breach notification earlier this week by failing to disclose that
it paid Conti ransomware attackers to decrypt its systems and promise
to not dump stolen customer/employee data.

The fashion retailer confirmed Friday to Information Security Media
Group that it got hit by ransomware, but it did not explicitly say
that it paid extortionists in return for the promise of a decryption
tool to restore access to its crypto-locked systems. It did not,
however, dispute the details in Computer Weekly's report.

"Fat Face was unfortunately subject to a ransomware attack which
caused significant damage to our infrastructure," a Fat Face spokesman
told ISMG on Friday. "Thanks to a monumental effort from the Fat Face
team, alongside external security and legal experts, Fat Face was able
to quickly contain the incident, restore business operations and then
undertake the process of reviewing and categorizing the data involved
- a significant task which has taken considerable time."

Earlier this week, Fat Face confirmed that it had suffered a breach in
January that compromised personal information for customers and
employees. It declined to say exactly how many were affected.

Affected Fat Face customers began to receive emailed breach
notifications early this week, as ISMG first reported. These
notifications warned them that attackers had accessed their name,
address and email address, as well as the last four digits of their
payment card and its expiration date. Fat Face has also offered 12
months prepaid for an identity theft monitoring service for affected
customers.

But the subject line of the notification email - " strictly private
and confidential - notice of security incident" - led some customers
to ask if the company was trying to cover up the breach.

"Clearly trying to make people stay quiet," one Fat Face customer who
shared the email with ISMG said (see: Fat Face's 'Strictly Private'
Data Breach Notification).

Others said that the breach notification had failed to make clear what
risks they might now face. "I'm so confused having read their email,
is this data breach something serious that we should take immediate
action on, or is it a minor breach?" another customer commented.
"Especially unclear given they waited two months to mention it!"

ICO 'Making Inquiries'

Fat Face noted earlier this week, when it began to notify customers
via email about the breach, that it has notified the U.K. Information
Commissioner's Office, which enforces the General Data Protection
Regulation, about the breach, as well as Action Fraud - which works
with England's police forces - and the National Cyber Security Center,
which handles national incident response.

The ICO on Tuesday told ISMG that it is "making inquiries" into the
Fat Face breach.

Whereas Fat Face earlier this week declined to share specifics of how
exactly it had been hacked, now the retailer says it is declining to
release any further breach details owing to an ongoing investigation.
"Details of the attack and steps taken are part of a criminal
investigation so at this stage we are unable to comment any further,"
it says.

Conti: 2020 Debut

Conti first debuted in May 2020, and later in the year, it was tied to
numerous attacks, largely against targets in North America and Western
Europe (see: How Conti Ransomware Works).

Along with Maze, Conti last year was tied to the greatest number of
ransomware attacks against healthcare organizations, says
cybersecurity firm CrowdStrike (see: Mark of Ransomware's Success:
$370 Million in 2020 Profits).

Conti has already been tied to multiple healthcare hits this year as
well (see: Patient Files Dumped on Darknet Site After Hacking
Incidents).

Ransomware incident response firm Coveware says that the average final
payment to Conti is about $740,000. Based on the cases it has
investigated, it says Conti has always delivered a working decryptor
after victims pay. But Computer Weekly reports that after the Fat Face
attack, many of the company's systems were left deleted or
unrecoverable. That includes storage area network data, electronic
point of sale systems, SQL servers and Citrix hosts. But Conti claimed
to not have had anything to do with that, according to the news
report.

Conti Teardown

Many ransomware watchers suspect that Conti sprang from the Ryuk
ransomware gang.

"Since its first appearance, Conti was assumed to be the successor to
Ryuk with one crucial difference in that the group behind Conti
threatens to leak exfiltrated data to strong-arm victims into paying
the ransom," according to security firm Sophos.

In a technical teardown of the ransomware published last month, Sophos
researchers note that Conti's developer has gone to great lengths to
create an "elusive" ransomware payload that makes it hard to detect
and tough for investigators to recover.

"Among the behavior observed by responders, the ransomware immediately
begins a process of encrypting files while, at the same time,
sequentially attempting to connect to other computers on the same
network subnet, in order to spread to nearby machines, using the SMB
port," Sophos reports.

A typical Conti attack also includes time spent exfiltrating
potentially sensitive data. "The attackers spend some time on the
target network and exfiltrate sensitive, proprietary information to
the cloud - in recent attacks, the threat actors have used the cloud
storage provider Mega," Sophos says.

Data Leak Site

Conti is one of a number of ransomware-wielding gangs that maintains a
data leak site. For victims that do not pay a ransom within a
specified time frame, gangs will often first name victims in an
attempt to shame them into paying the ransom and having their name
excised from the site. If victims still don't pay, gangs typically
leak stolen data - if they did steal any - in tranches before dumping
everything as a warning to future victims that they do follow through.

A Conti ransom note published previously by Sophos notes: "Just in
case, if you try to ignore us. We've downloaded a pack of your
internal data and are ready to publish it on (our) news website if you
do not respond. So it will be better for both sides if you contact us
as soon as possible."

According to Israeli threat intelligence firm Kela, the Conti
operation has listed more than 300 victims on its data-leaking site,
including industrial IoT chipmaker Advantech, industrial and
technology business holding company ThyssenKrupp, and the Scottish
Environmental Protection Agency. SEPA's systems were crypto-locked
last Christmas Eve. The government agency refused to pay the ransom
and, on Jan. 13, Conti began leaking stolen data.

Fat Face apparently never appeared on Conti's data leak site, which
suggests that the organization may have promptly launched discussions
with the ransomware gang.