The incident is currently neither confirmed nor denied by Sony, although Computer Weekly understands the organisation is aware of the claims.
According to screenshots pulled from the gang’s leak site, the operation has compromised “all of sony systems [sic]”.
In a poorly worded threat, a Ransomed.vc representative wrote that the gang did not plan to ransom the corporation but rather intended to sell the data.
They said this was due to Sony not wanting to pay, suggesting there has been some contact between the cyber criminals and their victim.
The group also posted a file tree of the alleged data leak, although this appears to be under 6,000 files. It has not made any public ransom demand.
The attack does not appear to have involved the deployment of any ransomware locker on Sony’s systems. Extortion based purely on data theft, with no encryption step, is now a common tactic among cyber extortion gangs, as demonstrated by Clop’s MOVEit attacks.
Little-known threat actor
Little is known about Ransomed.vc: its location, its tactics, techniques and procedures (TTPs), and whether it has actually compromised anybody remain unclear. The group has only been active for a short while, although it may have links to older operations.
In common with many modern-day cyber crime rings, the gang views its activity not as malicious cyber intrusions, but as legitimate red team-style activity.
On their leak site, they state: “We offer a secure solution for addressing data security vulnerabilities within companies. As penetration testers, we seek compensation for our professional services.
“Our operations are conducted in strict compliance with GDPR and Data Privacy Laws. In cases where payment is not received, we are obligated to report a Data Privacy Law violation to the GDPR agency.”
“So far, we only have the attacker’s word that they’ve compromised Sony, and we should be cautious about believing them. Ransomware gangs boast and brag, and their relationship with the truth isn’t monogamous,” said Mark Stockley of Malwarebytes.
“Like many ransomware gangs, RansomedVC describe themselves as ‘penetration testers’, which is as laughable as it is deluded.”
Barrier Networks chief technology officer Ryan McConechy said: “Ransomed.vc may be less known than major ransomware gangs like Cl0p or BlackCat, but when looking at the group’s history, they are responsible for a string of attacks on financial organisations, data providers and managed IT companies.
“Furthermore, making false announcements on victims is something ransomware gangs avoid as it damages their reputations and profitability opportunities, so there is a strong possibility the claims are genuine, which means they must be investigated thoroughly,” he said.
“If the incident has taken place, it once again highlights the powerless position organisations are placed in when infected by ransomware,” said McConechy. “Regardless of whether the organisation’s data is encrypted and held hostage, or stolen and put up for sale, it’s the attackers that have the power. This means organisations must prioritise defences before attacks occur.”
Stockley and others additionally noted the group’s apparent familiarity with the EU and UK General Data Protection Regulations (GDPR).
Other ransomware and extortion crews have made similar claims in the past, and many are known to leverage the threat of regulatory action under the GDPR when negotiating with victims in Europe. LockBit used such tactics, without success, against Royal Mail during its failed attempts to extract a £60m-plus ransom earlier in 2023.