Details of the attack obtained by Computer Weekly’s sister title LeMagIT reveal that Conti has exfiltrated about 1.7TB of JVCKenwood’s data, including personally identifiable information (PII) on its staffers, some of which was provided to the company as proof of the attack.
The Conti gang is demanding a ransom of $7m (£5.2m/€6m) and claims to have stolen data on JVCKenwood customers and suppliers, and information relating to its legal, financial, HR, IT, audit and compliance functions. This includes personal documents, phone numbers, contact details, and payroll and banking statements.
However, at the time of writing, discussions between a JVCKenwood representative and Conti’s negotiator appeared to have ground to a halt, which may be a suggestion that the firm will refuse to pay a ransom.
As has been commonly observed in its other Conti attacks, the crew continues to act as if it is providing a legitimate penetration testing and security audit service. In screengrabs of the negotiations seen by Computer Weekly, it said: “Fortunately, Conti is here to prevent any further damages.”
The crew goes on to offer damage prevention and mitigation services, and warns the victim that if it does leak their information, their data will be abused by dark web cyber criminals for their own “evil purposes”.
The ransom note goes on to warn that the attack will result in legal, regulatory and reputational consequences.
It adds: “There is no way that we will not fulfil our promises after you pay. The chances that hell will freeze are higher than us misleading our customers.”
In an official statement, JVCKenwood said that it detected unauthorised access to servers located in Europe on 22 September 2021.
“It was found that there was a possibility of information leak by the third party who made the unauthorised access,” said a company spokesperson.
“Currently, a detailed investigation is being conducted by the specialised agency outside the company in collaboration with the relevant authorities. No customer data leak has been confirmed at this time.
“JVCKenwood takes this incident very seriously, and sincerely regrets the inconvenience it may cause.”
Described by Palo Alto Networks’ Unit 42 team as one of the more ruthless extant ransomware gangs, Conti has been around for over a year and has made substantial sums by extorting victims such as hospitals, for whom IT disruption could prove life-threatening. In May, the gang attacked Ireland’s Health Service Executive in a $19.9m attack that continues to affect services nearly six months later.
Counter to the gang’s feelings on the matter, Unit 42 also describes Conti as unreliable. “We’ve seen the group stiff victims who pay ransoms, expecting to be able to recover their data,” wrote Richard Hickman, a senior incident response consultant at the firm.
A recent leak of information on the Conti operation, supposedly by a disgruntled affiliate, revealed further insight into how the group goes about reconnoitring and compromising its victims, including information on commonly unpatched vulnerabilities that it has had particular success at exploiting, such as PrintNightmare, ZeroLogon and EternalBlue. Further information on Conti is available from the US Cyber Security and Infrastructure Security Agency.