Amazon recently purchased Ring, a Santa Monica-based home security company. Ring has become one of the most sought-after smart devices on the market with cameras, video doorbells and alarms among its range. Recently Amazon owned ring suffers ransomware attack.
Neighbors is a social media app that allows users to share footage from their camera with people in their community. Civil rights groups have condemned the app for invading privacy and increasing racial profiling.
Russia-linked ransomware gang ALPHV claims to have breached Ring
Ring is one of the most successful malware-as-a-service (MaaS) companies on the market, yet it appears to have been breached by a Russian ransomware gang. According to cybersecurity researcher Ionut Ilascu’s blog post on Tuesday, 40 Ring customers’ systems and files had been encrypted by these attackers.
These attacks follow a familiar pattern: an attacker breaches a victim’s network, steals data and demands payment before encrypting all files. They then threaten to release stolen information if they don’t get paid; in some cases they even use double-extortion tactics by demanding more money than what victims are willing to part with.
Security researchers have identified ALPHV (also known as BlackCat) as a new ransomware-as-a-service (RaaS) group that has been advertising the malware on two underground cybercrime forums since early December. Those who join receive a copy of ALPHV ransomware which they can use to encrypt remote Windows machines and earn between 80% and 90% of any final ransom payment received from victims.
MalwareHunterTeam has reported that the gang is still in its early stages, having only made a few victims thus far. Security analysts are warning of possible parallels between this ransomware operation and other major ransomware operations in that it engages in double-extortion by siphoning off data then demanding more than its victims are willing to pay.
In addition, the preferred initial entry vector of this gang remains unknown; however, once they breach a network they search and steal data before encrypting all local devices. In some instances they also employ an exploit to compromise a vulnerable server.
Ransomware remains a serious threat to businesses and critical infrastructure worldwide, despite its recent success. This threat has grown exponentially in the last few years, impacting organizations of all sizes and sectors alike.
Mandiant recently identified a highly sophisticated ransomware gang that is rapidly encrypting networks and demanding payments in exchange for ransom keys. They are targeting various sectors and industries, from pharmaceuticals and biotech to financial services.
Ring denies the attack
Amazon-owned Ring is one of the most widely used home security cameras and doorbells available, making it a prime target for ransomware gangs. Customers can expect their devices to contain sensitive personal information like their address, phone number, and financial info stored on them.
Recently, Ring has come under fire for its data collection practices. Privacy advocates contend that the company has violated users’ privacy by sharing sensitive information with advertisers and collecting data from other security camera brands for its own use.
Contrary to these allegations, the company has denied any data breach occurred. Instead, it states that a third-party vendor suffered a cyber attack but has not yet received any customer data.
However, malware and source code collection vx-underground reported that ransomware group ALPHV (also known as BlackCat) had posted a message on their website saying Ring had suffered a cyber attack. In the message, ALPHV threatened to release the data if the company failed to pay the ransom demanded.
Ransomware groups have previously threatened to leak data. LockBit, for instance, recently released a 44GB cache of Royal Mail’s encrypted files which had been encrypted by their malware.
Uncertainty remains regarding what kind of data this ransomware gang may have stolen from Ring, but it appears they have access to a large number of customer accounts and could possibly possess copies of user-uploaded footage. According to Jordan Schroeder, managing CISO at cybersecurity firm Barrier Networks, such an incident would be “highly worrying”.
The ransomware group’s method of claiming to have breached Ring is typical of their double extortion tactics, in which they encrypt victims’ data and then publish an exfiltrated copy online. This strategy has become a go-to choice for ransomware groups; for example, LockBit’s 44GB leak of Royal Mail’s data proved popular.
The company has stated it is engaged with the vendor who suffered the attack to determine if Ring’s data has been compromised. If so, the company will notify its customers as soon as possible.
ALPHV extorts Ring’s customers
An extortion gang known as ALPHV claims to have breached Ring’s security in a ransomware attack and threatened its data leakage. While it’s possible the group may have accessed video footage from cameras, this would be highly unusual as Ring devices use end-to-end encryption to prevent this sort of activity.
Varonis Threat Labs has determined that this extortion gang is affiliated with the REvil group that was arrested by Russian law enforcement last year. They have been targeting organizations across various sectors worldwide since late 2021.
They utilize a ransomware-as-a-service (RaaS) model, where they offer malware code and infrastructure to affiliate groups who infect victims. Furthermore, they have been employing the double extortion method, whereby they extract data from victims before trying to encrypt it.
The threat actor typically creates a customized ransomware executable for each target, taking into account factors like encryption performance and victim credentials. They may choose to encrypt all files or just some of them, and may include embedded victim credentials for automated propagation to other servers.
This group, operating out of Russia, has been targeting organizations throughout Europe and the U.S. Its ransomware-as-a-service operation has been observed by multiple vendors and security firms, such as Microsoft.
This threat has been observed to operate primarily on Linux and Windows platforms, with the potential to infect more than 20 organizations as of January 2022. It employs various extortion techniques while creating a searchable database of victims who don’t pay their debts which it makes accessible to affiliated parties.
In order to combat this ransomware gang, users and administrators must take precautions and update their systems and software. Furthermore, they should avoid sharing passwords or storing credentials in plain text.
If you believe your data was stolen by a ransomware gang, it is time to seek legal counsel. Even without legal representation, filing a class-action lawsuit against the company responsible could bring money damages for those affected and force the perpetrators to apologize to victims.
What is Ring’s response?
Amazon-owned Ring manufactures video doorbells and security cameras used in millions of homes worldwide. Their products boast cloud recording, advanced motion detection, a built-in battery life, as well as a mobile app to let users view visitors and speak directly with them.
Ring has long been known for producing some of the world’s most sought-after security cameras, yet has unfortunately experienced numerous incidents where hackers were able to access customers’ accounts and view recordings without authorization. Nevertheless, Ring has recently upgraded their security practices in an effort to combat this risk.
This week, a ransomware gang claimed to have breached Ring. They are threatening to release data they claim was stolen from the company in public.
Motherboard reports that an organized crime group known as “ALPHV,” known for its long history of BlackCat attacks, added Ring to its data leak site earlier on Monday. VX Underground tweeted a screenshot of the page shortly thereafter.
ALPHV is a Russia-linked extortion gang that offers ransomware as a service. It usually locks victims’ files and then posts them on its extortion website, along with an extensive database of unpaid victims.
ALPHV’s website boasts a wealth of hacked data, but the group stands out by making their information more accessible to the public. A section called “Collections” on their extortion website displays all of this collected info along with an easy search function for anyone interested in uncovering what has been stolen from them.
If the ransomware gang succeeds in hacking Ring, they will gain access to customer records that could be worth a lot of money. However, the company has stated that the vendor breached by this ransomware group is not a Ring customer and does not possess any of their user data.
In response to SecurityWeek’s inquiry, Ring confirmed that it was aware of a third-party vendor that had suffered a ransomware attack but could not confirm whether or not they had access to any customers’ data. Furthermore, Vice reported that although not directly affected by the ransomware attack, they would be working with their vendors in order to identify what occurred.
