April 5, 2021

Some of the top ransomware gangs are deploying a new pressure tactic to push more victim organizations into paying an extortion demand: Emailing the victim’s customers and partners directly, warning that their data will be leaked to the dark web unless they can convince the victim firm to pay up.

This letter is from the Clop ransomware gang, putting pressure on a recent victim named on Clop’s dark web shaming site.

“Good day! If you received this letter, you are a customer, buyer, partner or employee of [victim],” the missive reads. “The company has been hacked, data has been stolen and will soon be released as the company refuses to protect its peoples’ data.”

“We inform you that information about you will be published on the darknet [link to dark web victim shaming page] if the company does not contact us,” the message concludes. “Call or write to this store and ask to protect your privacy!!!!”

The message above was sent to a customer of RaceTrac Petroleum, an Atlanta company that operates more than 650 retail gasoline convenience stores in 12 southeastern states. The person who shared that screenshot above isn’t a distributor or partner of RaceTrac, but they said they are a RaceTrac rewards member, so the company definitely has their email address and other information.

Several gigabytes of the company’s files — including employee tax and financial records — have been posted to the victim shaming site for the Clop ransomware gang.

In response to questions from KrebsOnSecurity, RaceTrac said it was recently impacted by a security incident affecting one of its third-party service providers, Accellion Inc.

For the past few months, attackers have been exploiting a a zero-day vulnerability in Accellion File Transfer Appliance (FTA) software, a flaw that has been seized upon by Clop to break into dozens of other major companies like oil giant Shell and security firm Qualys.

“By exploiting a previously undetected software vulnerability, unauthorized parties were able to access a subset of RaceTrac data stored in the Accellion File Transfer Service, including email addresses and first names of some of our RaceTrac Rewards Loyalty users,” the company wrote. “This incident was limited to the aforementioned Accellion services and did not impact RaceTrac’s corporate network. The systems used for processing guest credit, debit and RaceTrac Rewards transactions were not impacted.”

The same extortion pressure email has been going out to people associated with the University of California, which was one of several large U.S. universities that got hit with Clop ransomware recently. Most of those university ransomware incidents appeared to be tied to attacks on attacks on the same Accellion vulnerability, and the company has acknowledged roughly a third of its customers on that appliance got compromised as a result.

Clop is one of several ransom gangs that will demand two ransoms: One for a digital key needed to unlock computers and data from file encryption, and a second to avoid having stolen data published or sold online. That means even victims who opt not to pay to get their files and servers back still have to decide whether to pay the second ransom to protect the privacy of their customers.

As I noted in Why Paying to Delete Stolen Data is Bonkers, leaving aside the notion that victims might have any real expectation the attackers will actually destroy the stolen data, new research suggests a fair number of victims who do pay up may see some or all of the stolen data published anyway.

The email in the screenshot above differs slightly from those covered last week by Bleeping Computer, which was the first to spot the new victim notification wrinkle. Those emails say that the recipient is being contacted as they are a customer of the store, and their personal data, including phone numbers, email addresses, and credit card information, will soon be published if the store does not pay a ransom, writes Lawrence Abrams.

“Perhaps you bought something there and left your personal data. Such as phone, email, address, credit card information and social security number,” the Clop gang states in the email.

Fabian Wosar, chief technology officer at computer security firm Emsisoft, said the direct appeals to victim customers is a natural extension of other advertising efforts by the ransomware gangs, which recently included using hacked Facebook accounts to post victim shaming advertisements.

Wosar said Clop isn’t the only ransomware gang emailing victim customers.

“Clop likes to do it and I think REvil started as well,” Wosar said.

Earlier this month, Bleeping Computer reported that the REvil ransomware operation was planning on launching crippling distributed denial of service (DDoS) attacks against victims, or making VOIP calls to victims’ customers to apply further pressure.

“Sadly, regardless of whether a ransom is paid, consumers whose data has been stolen are still at risk as there is no way of knowing if ransomware gangs delete the data as they promise,” Abrams wrote.

10 thoughts on “Ransom Gangs Emailing Victim Customers for Leverage

  1. Gary

    Hmmh is there no way to see what has been posted on the new version of krebsonsecurity.com?

    Apologies in advance if this has been asked already. Is the breached program something like sftp or rsync? If so, why not use open source software?

    1. Brian Fiori (AKA The Dean)

      I see your post. So not sure what you are asking. I don’t like the new look, but that’s just me. Content still there and that’s what matters, IMO.

  2. B Wayne

    I received one of these RaceTrac emails on 3/30/2021. Their third party let their customers know about the initial attack on on 12/23/2020.

    Having a breach is bad. Having the hackers notify your customers three months later, before you do, makes it far worse.

    You also don’t get to blame the third-party file transfer service is they are able to use that vulnerability to get unencrypted customer data.

  3. Catwhisperer

    We have to accept that we live in a zero trust world and act accordingly with all of our data…

    1. Robert

      Krebs said it well, “Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold [and often a combination of the above] — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.”

      That is why I am very stingy with what I divulge. I will even submit false data if they give me a hard time about it. On the plus side, it does have a benefit. When traveling, if you go to a store that requires a loyalty card, ask if they will take a phone number. I haven’t seen one that doesn’t yet. Then figure out the local area code and add 867-5309 to it as “your” number. Hasn’t failed yet to work. I get the discount and they don’t get my info, plus I may make someone else’s info worth less.

      1. tmarin

        Clever way to handle this.
        Is your name Tommy TuTone ? and does Jenny know you are using her number?

  4. The Sunshine State

    We have RaceTrac convenience stores down here in the good old Sunshine State just around the corner from the speedway !

  5. HVargas

    Great article Brian, I believe the category of the article (The Comming Storm) also gives an idea of the magnitude of the issue. But the storm might be upon us already, we just don’t have the visibility to see it unfolding.

  6. Walt99

    This technique has been used for decades to influence people to write to elected officials on controversial topics..

  7. Rubén

    Great article Brian, this is one of the most common blackmailing techniques. With the pandemic hacking of home workers has increased.

Comments are closed.