Share this article on:
An affiliate of the Medusa ransomware gang has targeted the Sydney food services firm for a second time this month.
Despite having fallen victim to a Medusa ransomware affiliate earlier this month, the North Sydney-based Compass Group has been listed for a second time on the gang’s dark web leak site.
According to a post made late on the evening of 18 September, an affiliate (it is unknown if it was the same one or a second actor) was able to exfiltrate another tranche of data.
“Our affiliate entered this poor network this morning and messed the computers again!” the post said.
While 785.5 gigabytes of data was claimed to have been exfiltrated during the first attack, which likely took place on or before 4 September, this time, the affiliate has not listed the amount of data stolen. However, a screenshot of the impacted machine’s file system suggests that more than one terabyte of data could have been impacted in this second attack, and a file tree of the data contains more than 170,000 lines of records.
Included in the file tree are dozens of passports and other ID documents, medical certificates, salary details, and other employee data. There does seem to be some overlap with the dataset exfiltrated in the first incident, though how much is difficult to determine.
The ransom demanded for the first lot of data was $2 million, but the ransom for this second incident is $100,000, which may also suggest a degree of overlap as the data is already compromised and, therefore, not as valuable.
Compass Group Australia confirmed it was aware of the second incident.
“The investigation is ongoing, and we are continuing to work closely with leading global cyber security experts, specialist legal counsel and regulatory authorities,” a Compass Group spokesperson told Cyber Daily on 20 September.
“Yesterday, our security measures detected unauthorised activity on a server recently brought back online. In line with our security protocols, we disabled that system and contained the threat.
“Our priority is to ensure the ongoing security and stability of our systems and to provide support to those individuals whose high-risk information has been impacted.”
The spokesperson added that the company is progressing in the analysis of the data that was stolen, and it has begun notifying people with “high-risk” data exposure.
“We sincerely apologise for any impact on our employees, clients, or suppliers,” the spokesperson said.
“We have put in place a range of support measures for those who have been affected, including access to external professional support and advice on the precautionary measures people can take to safeguard their personal information.
“We will continue to update our employees, clients and suppliers as more details become available.”
Shannon Sedgwick – partner, national cyber security practice, at MinterEllison Consulting – said that while being hit a second time is not uncommon, it is unfortunate.
“Medusa is a ransomware-as-a-service (RaaS) group that employs living-off-the-land techniques by using legitimate software tools for malicious purposes, which are difficult to detect when viewed alongside regular network traffic because it mimics normal behaviour,” Sedgwick told Cyber Daily.
“Medusa are adept at evading detection by security teams and maintaining persistence in victim networks post-discovery by using remote management and monitoring tools to remotely execute a payload and install vulnerable drivers to impair defences by shutting down the likes of Microsoft Defender. They also move laterally across networks by modifying registry keys and creating scheduled tasks.”
“Secondary attacks where a threat actor maintains persistence highlight the importance of ensuring malware is removed from infected systems and organisations restore from verified and tested, clean backups. Likewise, segmentation of networks and limiting of connections to critical systems to reduce the attack surface for both discovery and lateral movement incident stages, and patching software to fix vulnerabilities as Medusa typically breach their victims’ networks through vulnerable public-facing services.”
The Compass Group is a subsidiary of the UK-based firm of the same name, and according to the Australian company’s website, it is “Australia’s largest food and support services company”.
The company employs 13,000 people and provides food services to companies in the education, mining, and defence sectors, as well as to hospitals and aged-care facilities.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.