Saturday, November 23, 2024

SPAR STORES Disrupted by Ransomware Gang

A ransomware operation called Vice Society has claimed credit for attacks that hit two groups of independently owned and operated Spar-branded stores earlier this month. “The gang published more than 93,000 files.”

On Dec. 6 via Twitter, Spar reported that for some of its U.K. operations, “there has been an online attack on our IT systems which is affecting stores’ ability to process card payments, meaning that a number of Spar stores are currently closed.”

No specific ransomware group was blamed for the attack. But the Vice Society ransomware group on Friday claimed credit for the hit via its data leak site, says Israeli threat intelligence firm Kela.

Specifically, Vice Society says it infected systems at James Hall & Co., which acts as the primary wholesaler to more than 600 Spar stores in the north of England, and Heron and Brearley, owner of Mannin Retail, which operates 19 Spar stores on the Isle of Man. The Isle of Man is a self-governing British Crown Dependency located in the Irish Sea between Great Britain and Northern Ireland.

spar stores ransomware
Screenshot from the Vice Society data leak site (Source: Kela)

“When browsing through files leaked by Vice Society, Kela saw documents apparently related to Spar operations, as well as to both companies mentioned in the listing,” Victoria Kivilevich, director of threat research at Kela, tells Information Security Media Group. “The gang published more than 93,000 files.”

Attack Aftermath

The naming of the victims by Vice Society, as well as the dumping of their allegedly stolen data, suggests that neither business paid a ransom to the attackers.

Heron and Brearley didn’t immediately respond to a request for comment. Multiple emails sent to James Hall & Co., for which the website continues to be offline, were returned as undeliverable.

Recommended:  Unofficial fix emerges for Windows bug abused to infect home PCs with ransomware

Britain’s National Cyber Security Center on Dec. 10 confirmed that James Hall & Co. had been attacked.

“We are aware of an incident affecting some Spar stores serviced by James Hall & Co. in the North of England and are working with partners in response,” an NCSC spokesman said at the time. “James Hall & Co. has confirmed that it is now bringing affected stores back online.”

The NCSC also urged organizations to follow its ransomware guidance “help mitigate attacks, their impact and enable effective recovery.”

More Attacks

Vice Society first launched its data leak site in May, on which it listed Indianapolis, Indiana-based Eskenazi Health, a public health provider. The same month, the group also appeared to have been behind a ransomware attack against New Zealand’s Waikato District Health Board.

cybercrime
Vice Society Site ScreenShot

Data-Leaking Ransomware Groups Continue

Vice Society is just one of a number of active ransomware groups that run data leak sites. In the past 10 days, Kela says multiple groups have listed fresh victims on their sites. The groups include Alphv – aka Blackcat, AvosLocker, AtomSilo, BlackByte, Clop, Conti, 54bb47h, Grief, Hive, LockBit, LV, Quantum, Rook, Snatch and Vice Society.

The monthly total number of victims being listed on ransomware groups’ data leak sites continues to increase. Cybersecurity firm Group-IB has reported that for the 12 months ending on June 30, the number of publicly listed initial access offers – compared to the preceding 12-month period – nearly tripled, increasing from 362 to 1,099.

That trend has been continuing, says Allan Liska, an intelligence analyst at threat intelligence firm Recorded Future. In September, he reported that the total number of monthly victims being listed across all ransomware groups’ data leak sites had hit an all-time high.

But the number of victims of ransomware groups remains unclear, in part because multiple gangs don’t run data leak sites or attempt to publicly name and shame victims. And of the ones that do, Group-IB estimates that only 13% of such groups’ victims ever get listed on a data leak site.

Recommended:  Threat Actors Are Actively Exploiting CVE-2022-1388 RCE in F5 BIG-IP

Read more related articles in the data breaches section

Bookmark
Please login to bookmarkClose
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates

explore

more

security