Ransomware crew dumps stolen Optionis files online

What appears to be stolen data belonging to customers of accounting conglomerate Optionis Group has surfaced on the dark web weeks after the firm confirmed intruders had broken into its systems.

Optionis Group houses brands including Parasol Group, Clearsky, SJD Accounting and NixonWilliams.

The Vice Society ransomware gang dumped what appears to be thousands of files onto their dark web blog as downloadable links, as seen by The Register.

The vast cache was published shortly before Optionis Group, which also houses an umbrella company popular with tech contractors alongside its accounting businesses, emailed its tech contractor customers saying "some data belonging to Optionis was copied from our system."

Although we can't publish a screenshot here because doing so would expose filenames which themselves refer to sensitive data, The Reg has seen spreadsheets with names suggesting they contain the management accounts of some customers' companies. Other files appear to be timesheets for contractors, as well as letters to and from HM Revenue and Customs discussing customers' tax status.

"These types of attacks can have far-reaching effects, resulting in numerous freelancers not being paid, or companies being unable to pay employees on time. Clearly, the knock-on effects of this are employees suffering the consequences and potentially not being able to pay for essential living costs," said infosec firm Cyjax in a client note addressing the breach.

Several contractors that we spoke to who use the payroll services provided by Parasol, the umbrella company in Optionis, told us they had only been partially paid for freelance work undertaken in January.

Vice Society previously hit the public radar after targeting the Spar supermarket chain, triggering a wave of shutdowns. Cisco Talos, in a blog post last summer, described the crew as targeting American schools and similar educational institutions. The threat intel business noted that Vice Society tended to target VMware ESXi virtualization servers, as well as using the PrintNightmare Windows spooler vuln.

• Spar shops across northern England shut after cyber attack hits payment processing abilities
• Vice Society said to be behind digital break-in at UK umbrella and accounting group
• UK, US, Australia issue joint advisory: Ransomware-as-a-service on the loose, critical national infrastructure affected
• Azure Site Recovery points now live for 15 days in case undetonated ransomware lurks

The dumping of contractors' data online is the usual step when a targeted organisation refuses to pay a ransom, in what experts have dubbed the "double extortion" ransomware method. In this model, not only are an organisation's files encrypted so the crims can demand payment for the decryptor, but files are exfiltrated – allowing the crooks to demand a second ransom to prevent their publication.

Optionis previously claimed to have 13,000 contractors on its books. The accounting firm was breached back in January, as it said after discovering "unauthorised activity" on its networks and pulling the plug.

Optionis did not respond to The Register's request for comment, but we will update this article when it does. We have asked the ICO to comment. ®