Canadian menswear retailer Harry Rosen has acknowledged being hit by a cyber attack last month.
This comes after the BianLian group listed the company as a victim on the gang’s site. The page lists “File server data. Projects, Marketing, HR, Public Relations,” which suggests these are files that have been copied and will potentially be released.
According to Brett Callow, a British Columbia-based threat analyst with Emsisoft, BianLian has released a 1GB file as proof of its attack. The group claims the file contains a list of Harry Rosen’s Gold+ clients, sales information, and various other types of documents.
In response to a query from IT World Canada, company CEO Larry Rosen sent this email on Friday morning: “We confirm that Harry Rosen was victim of a cyber attack that came to our attention on October 9th. Our network is now secure and we have been in regular communication with our customers and employees about the incident. We have also reported this to the police and to the federal privacy regulator and the privacy regulators in Alberta and Quebec.”
Asked in a follow-up to confirm that the attack was ransomware, and whether the attack affected company operations, Rosen said the retailer had no further comment.
Callow said the BianLian strain of ransomware was initially spotted in August. Little is known about this threat actor, he said, including what, if any, connections they may have to other cybercrime operations. Like most groups, Callow said, their targeting appears indiscriminate, with victims in multiple sectors including media and healthcare.
According to research from BlackBerry, BianLian ransomware, written for Windows systems in the Go language, “raises the cybercriminal bar by encrypting files with exceptional speed.”
BlackBerry believes this group targets corporations rather than specific countries. As of the time of the report, the listed victims on the gang’s site were in the United States, Australia, and the United Kingdom.
In the sample of the ransomware that BlackBerry looked at, the author bundled all of the ransomware’s functionality into a single package. Upon execution of the file, the application searches the host machine for all possible drive names. Once all the drives are populated with malware, the threat begins its ransom process. The ransomware encrypts files using the standard library crypto package in Go. These packages are open-source libraries that provide cryptographic functionality, comparable to the base CryptoAPI provided in Windows environments.
The ransomware targets any drive found on the system, including mounted drives, and encrypts anything that is not an executable, driver, or text file. These exclusions are meant to avoid encrypting either the ransom note, or anything that might cause the system to malfunction.
BlackBerry noted that research from another firm suggests the BianLian threat group’s initial access is likely gained via the Windows ProxyShell vulnerability chain or a SonicWall VPN firmware vulnerability. From there, the threat actor moves laterally to find targets of interest, escalates privileges, and deploys the BianLian ransomware. Then, using dropped copies of WinSCP and 7-Zip to archive and transfer chosen files, data is extracted and sent back to the threat actor. Additionally, the operators might install backdoors on compromised systems to maintain access.
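The archive-then-transfer staging step described above (7-Zip packaging followed by a WinSCP run on the same host) is something defenders can hunt for in process-creation telemetry. The following is an added example, not code from the article or from BlackBerry; the pipe-delimited log format, host names, timestamps and the 30-minute window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str      # lower-case executable name, e.g. "7z.exe"
    cmdline: str

# Tools named in the reporting; extend with renamed copies seen in your estate.
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}
TRANSFER_TOOLS = {"winscp.exe", "winscp.com"}

def parse_events(text):
    """Parse constructed lines: ISO timestamp|host|image path|command line."""
    events = []
    for line in text.strip().splitlines():
        ts, host, path, cmdline = line.split("|", 3)
        image = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        events.append(ProcEvent(datetime.fromisoformat(ts), host, image, cmdline))
    return events

def find_exfil_staging(events, window=timedelta(minutes=30)):
    """Return (host, archive_ts, transfer_ts) for each transfer-tool launch
    preceded on the same host by an archiver run within `window`."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    hits = []
    for host, evs in by_host.items():
        archive_times = [e.ts for e in evs if e.image in ARCHIVERS]
        for e in evs:
            if e.image not in TRANSFER_TOOLS:
                continue
            # Most recent archiver run before this transfer, if inside the window.
            prior = [a for a in archive_times if timedelta(0) <= e.ts - a <= window]
            if prior:
                hits.append((host, max(prior), e.ts))
    return hits

# Constructed sample: FS01 shows the pattern; WS22 does not (extraction, then WinSCP hours later).
SAMPLE_LOG = r"""
2022-10-01T02:14:00|FS01|C:\ProgramData\7z.exe|7z.exe a staged.7z D:\Shares\HR
2022-10-01T02:31:00|FS01|C:\ProgramData\WinSCP.exe|WinSCP.exe /script=up.txt
2022-10-01T09:00:00|WS22|C:\Program Files\7-Zip\7z.exe|7z.exe x report.zip
2022-10-01T15:00:00|WS22|C:\Program Files\WinSCP\WinSCP.exe|WinSCP.exe
"""
```

Treat a hit as a triage lead rather than a verdict: administrators legitimately run both tools, so corroborate with the archive's size, the destination host in the WinSCP session and whether the binaries were dropped into unusual paths.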
Founded in 1954, Harry Rosen is an upscale menswear chain with five stores in Toronto, as well as stores in B.C., Alberta, Quebec and Manitoba.
According to Digital Commerce, the company had sales of $300 million in 2020.