The Australian arm of a Japanese dairy company confirms hack by a newcomer ransomware operation, limited employee data compromised.
Australian dairy supplier Snow Brand Australia has confirmed it was the victim of a recent ransomware attack by the SafePay ransomware gang.
Snow Brand was listed on the gang’s darknet leak site sometime in the last week, alongside 23 other victims. The gang appears to be a new operation, possibly based in Russia.
SafePay’s leak site is very minimal, simply listing each victim, their revenue, where the data has been published, and links to the stolen data and file listings.
In Snow Brand’s case, the gang has published an archived dataset of almost 24 gigabytes in size. According to the file listing, it’s largely financial data such as invoices, purchase orders, and details of the company’s business with various retail partners, such as the Romeo’s Retail Group.
Also included are some employee data, such as medical certificates, superannuation details, and Medicare applications.
Snow Brand Australia has confirmed the incident.
“Snow Brand recently experienced a cyber incident where unusual activity was detected on our network,” a Snow Brand spokesperson told Cyber Daily.
“We acted immediately to secure our network and initiate an investigation to understand what happened, including any impact to information.”
The Australian Cyber Security Centre and the Office of the Australian Information Commissioner have been notified of the incident, and the company has been in communication with individuals impacted by the data breach.
“We otherwise confirm our systems are secure, and Snow Brand remains fully operational,” the spokesperson said.
SafePay is a new ransomware operation, with Snow Brand being one of its first victims. According to research by cyber security firm Huntress, SafePay only began operating within the last couple of months. As part of its ransomware attacks, the gang first checks for systems whose default language uses some form of Cyrillic characters, in which case the attack is aborted, suggesting the gang is based somewhere in Eastern Europe, possibly Russia.
Huntress has tracked two specific SafePay incidents, and in both, “the threat actor’s activity was found to originate from a VPN gateway or portal, as all observed IP addresses assigned to threat actor workstations were within the internal range”.
“The threat actor was able to use valid credentials to access customer endpoints and was not observed enabling RDP, nor creating new user accounts, nor creating any other persistence,” Huntress researchers said in a 14 November blog post.
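The pattern Huntress describes, activity sourced from addresses in the VPN client pool, valid credentials, and no new accounts or other persistence, means detection cannot lean on account-creation or service-install events. One signal that does remain is an ordinary VPN user suddenly reaching many distinct hosts in a short window. The script below is an added example and is not from the article, Huntress, or Snow Brand; it runs over constructed log lines (the pool range `10.200.0.0/16`, the usernames and hostnames are all assumed) and flags VPN-sourced logons that fan out to at least five hosts within an hour.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the VPN concentrator hands remote clients addresses from this pool.
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")

# Constructed sample log lines (not from the article or from Huntress):
# timestamp,user,source_ip,target_host,event
SAMPLE_LOG = """\
2024-11-10T02:11:05,jsmith,10.200.4.17,FS01,logon
2024-11-10T02:12:40,jsmith,10.200.4.17,FS02,logon
2024-11-10T02:14:02,jsmith,10.200.4.17,DC01,logon
2024-11-10T02:15:30,jsmith,10.200.4.17,SQL01,logon
2024-11-10T02:17:11,jsmith,10.200.4.17,HR-WS04,logon
2024-11-10T02:19:58,jsmith,10.200.4.17,FIN-WS02,logon
2024-11-10T08:30:00,alee,10.200.9.3,FS01,logon
2024-11-10T08:45:00,alee,10.200.9.3,MAIL01,logon
2024-11-10T09:00:00,bkim,192.168.1.50,FS01,logon
2024-11-10T09:01:00,bkim,192.168.1.50,FS02,logon
2024-11-10T09:02:00,bkim,192.168.1.50,FS03,logon
2024-11-10T09:03:00,bkim,192.168.1.50,FS04,logon
2024-11-10T09:04:00,bkim,192.168.1.50,FS05,logon
2024-11-10T09:05:00,bkim,192.168.1.50,FS06,logon
"""


def parse_log(text):
    """Parse the simple CSV-style lines above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, src, host, event = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "src": ipaddress.ip_address(src),
            "host": host,
            "event": event,
        })
    return events


def vpn_fanout(events, threshold=5, window=timedelta(minutes=60)):
    """Return {user: set(hosts)} for users whose VPN-sourced logons reach at
    least `threshold` distinct hosts inside any sliding `window`.

    Only logons whose source address sits in VPN_POOL are considered, so
    LAN-sourced activity (bkim above) is left to other rules.
    """
    by_user = defaultdict(list)
    for ev in events:
        if ev["event"] == "logon" and ev["src"] in VPN_POOL:
            by_user[ev["user"]].append(ev)

    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()  # events inside the current sliding window
        for ev in evs:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            hosts = {e["host"] for e in recent}
            if len(hosts) >= threshold:
                flagged.setdefault(user, set()).update(hosts)
    return flagged


if __name__ == "__main__":
    for user, hosts in vpn_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: VPN user {user} reached {len(hosts)} hosts: {sorted(hosts)}")
```

In practice the source events would come from the VPN concentrator's address-assignment log joined to Windows logon events (4624) by source IP, and the threshold would be tuned against each account's normal host count; the point is that the rule fires on the valid-credential, VPN-originated behaviour itself rather than waiting for persistence artefacts that, per Huntress, never appeared.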
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.