Christie's stolen data sold to highest bidder rather than leaked, RansomHub claims
Experts say auctioning the auctioneer’s data is unlikely to have been genuinely successful
The cybercrims who claimed the attack on Christie's fancy themselves as auctioneers as well, after they allegedly sold off the company's data to the highest bidder instead of leaking everything on the dark web.
RansomHub set a June 3 deadline for Christie's to pay a ransom demand, yet that deadline passed and the crooks' website was updated to say the data had been sold to an anonymous third party for an undisclosed sum.
A spokesperson at Christie's told The Register:
"Earlier this month Christie's experienced a cybersecurity incident. We took swift action to protect our systems, including taking our website offline.
"Our investigations determined there was unauthorized access by a third party to parts of the Christie's network. They also determined that the third-party group accessed client names and, for a subset of clients, took some other personal identity information. There is no evidence that any financial or transactional records were taken, for any clients.
"The personal identity data came from identification documents, for example, passports and driving licences, provided as part of client ID checks, which Christie's is required to retain for compliance reasons. No ID photographs, signatures, email addresses, or phone numbers were taken."
Auctions of stolen data do occasionally take place following data breaches, most commonly via cybercrime forums, yet experts say there's little evidence to suggest they actually work in practice, and in RansomHub's case it most likely wasn't a "true" auction.
"Auctioning rather than leaking data is not new, but relatively rare, with little evidence that this results in a payout for the criminals," Don Smith, director of threat intelligence at Secureworks, told El Reg.
"Considering ransomware as a business, up front you expend effort, in the expectation of a later payout. If Christie's have made it clear they are not going to pay, releasing data draws a line on the incident with no benefit to the bad guys. Auctioning is a last-ditch attempt to achieve a payout. Auctions are more likely to be successful where the victim has a meaningful brand or there's some expectation the data has real value.
"It is easy to think of ransomware gangs in the abstract; the reality is these are people, with human emotions and frailties. Auctioning Christie's data may be little more than an amusing irony to the RansomHub operators."
Smith said there's also the possibility that the scale of RansomHub's theft wasn't as grand as it let on and that holding an "auction" was merely a face-saving exercise.
What happened again?
RansomHub went public on May 26 about a data theft incident that many had suspected after Christie's website went down earlier in the month, an outage the company at the time attributed to a "technology security issue."
According to the criminals, they held some talks with Christie's but these allegedly broke down, which led to a sample of the stolen data being leaked online. It's a common tactic in the double extortion playbook to show victims the attackers aren't bluffing when they say they will leak stolen data if a ransom isn't paid.
It was claimed, but as yet unconfirmed, that at least 500,000 Christie's clients had their sensitive data compromised in the breach, including full names, details about their identity documents, home addresses, and more.
RansomHub is a new cybercrime group on the scene but has quickly shown its team members aren't to be mistaken for part-timers. Since spinning up in February, the group has already landed itself a top-three spot in the ransomware group rankings (by number of attacks claimed), according to NCC Group's recent findings. ®