US-Canada water org confirms 'cybersecurity incident' after ransomware crew threatens leak

NoEscape promises 'colossal wave of problems' if IJC doesn't pay up

The International Joint Commission, a body that manages water rights along the US-Canada border, has confirmed its IT security was targeted, after a ransomware gang claimed it stole 80GB of data from the organization.

"The International Joint Commission has experienced a cybersecurity incident, and we are working with relevant organizations to investigate and resolve the situation," a spokesperson for the org told The Register.

The spokesperson declined to answer specific questions about what happened, or confirm the miscreants' data theft claims.

IJC is a cross-border water commission tasked with approving projects that affect water levels of the hundreds of lakes and rivers along the US-Canada border. It also resolves disputes over waters shared between the two countries. 

On September 7, the NoEscape ransomware crew listed IJC as a victim on its dark-web site, and claimed it breached the commission's network, and then stole and encrypted a flood of confidential data. This info, according to the crooks, included contracts and legal documents, personal details belonging to employees and members, financial and insurance information, geological files, and "much other confidential and sensitive information."

The cyber-crime gang has given the IJC ten days to respond to its ransom demand, or it may make the swiped info public. 

"If management continues to remain silent and does not take the step to negotiate with us, all data will be published," the NoEscape leak notice threatened. "We have more than 50,000 confidential files, and if they become public, a new wave of problems will be colossal. For now, we will not disclose this data or operate with it, but if you continue to lie further, you know what awaits you."

The IJC spokesperson contacted by The Register declined to comment on the ransom demand or on whether the commission would pay.

Who is NoEscape?

NoEscape is a ransomware-as-a-service operation that appeared in May and takes a double-extortion approach. That means instead of simply infecting victims' machines with malware, encrypting their files and demanding a ransom to release the data, the crooks first steal the files before locking them up. They threaten to leak the information, as well as withhold the decryption keys, if the victims don't pay the ransom.

NoEscape operators do not target organizations based in the former Soviet Union. This is a similar MO to other ransomware groups, such as the now-defunct Conti and Black Basta, which also avoid infecting Russian companies and government agencies.

The gang is believed to be a rebrand of Avaddon – another ransomware crew that shut down and released its decryption keys in 2021, according to Bleeping Computer.

During its brief criminal tenure to date, NoEscape has extorted the University of Hawaii, which reportedly paid the ransom; Italian technical consultancy Kreacta; Lithuania's Republican Vilnius Psychiatric Hospital; and Taiwanese electronic connector manufacturing company Avertronics, among others. ®  
