A ransomware gang that claims to have hit Parkland Corp., a multi-million dollar publicly-traded Calgary energy firm, has begun publishing what it says is copied data from the company, including a photocopy of one of the directors’ passports.
A Parkland spokesperson wouldn’t confirm the cyber incident it suffered Nov. 14 was ransomware, but this week the gang behind the Clop ransomware began publishing stolen data.
It was the latest in a series of recent ransomware-related incidents that includes:
- Metro Vancouver’s public transit system, which as of Friday was still recovering and had to issue salaries to staff without deductions to cope with systems compromised by the attack.
- The sudden release of stolen files from a northern Ontario first nations band by a ransomware gang that were apparently taken in an attack in May.
- And an unconfirmed attack on a Guelph, Ont., based firm that does clinical trials. The Egregor ransomware group’s website says that firm has been struck. The company’s website was offline Friday morning.
Parkland is an energy retailer and distribution firm with 2019 revenues of about $18 billion that operates gas stations and sells commercial fuel products in Canada, the U.S. and the Caribbean. This week it announced it had bought the assets of a Montana-based fuel company and an Arizona-baed fuel distributor.
In a statement this afternoon Parkland wouldn’t confirm it was a ransomware attack. It said that on Nov. 14 it detected suspicious activity involving unauthorized access to a subset of its Canadian IT network.
Asked for comment Friday about the Clop listing of Parkland as a victim, Simon Scott, the company’s director of communications said its IT system detected what he called “suspicious activity involving unauthorized access to a subset of our Canadian network,” on Nov. 14. He would not confirm it was a ransomware attack.
“We have extensive procedures and protocols in place and took immediate action. We retained external experts, initiated an investigation and temporarily took some of our Canadian applications offline; all of which are back in operation. We continued to safely meet the needs of our customers and have kept them informed throughout.
“To date, while we know there has been unauthorized access to some information, our investigation has not identified evidence of access to our core customer, or employee systems. As the investigation continues, we will notify any stakeholder that may have been directly affected.”
However, after that statement, IT World Canada became aware that the Clop website had begun publishing what it said was 500MB of data. A threat researcher for an IT security firm said it appears to include files on refinery operations as well as a photocopy of one of the directors’ passport.
Scott couldn’t be reached late Friday for comment on this latest development.
Meanwhile, the Nipissing First Nation issued a statement confirming that data stolen in the May ransomware attack had last week been posted to the dark web. This came after IT World Canada told the band last Friday a security researcher spotted the folders on the web site of the DoppelPaymer ransomware group.
Documents in the folders include included the names, home addresses, dates of birth, social insurance numbers and other information on band members. The First Nation has a registered population of 2,909 members, 916 of whom reside on the reserve near North Bay, Ont.
“We continue to work with the cybersecurity firm we engaged following the ransomware attack in May to investigate this new report and take action to protect our community members, staff and stakeholders,” the statement said. “We have confirmed that the information posted is from the May 2020 Ransomware Attack, which has already been resolved. There is no evidence of a new attack on our I.T. systems based on extensive scans and diagnostic testing.”
First Nation members were urged to sign up for free credit monitoring offered by a credit agency, and to monitor their bank and credit card accounts for suspicious activity.
Since the ransomware attack in May, the organization said it has updated its IT infrastructure “to make it as modern and secure as possible,” including switching to Office 365 software so data doesn’t have to be stored locally. Staff have been trained in best practices to protect personal information.
Brett Callow, a British Columbia-based threat researcher with Emsisoft, said most data dumps occur shortly after the attack when negotiations fail. However, sometimes groups have posted data weeks or even months after the attack. “Why this should be is impossible to say, but there are a number of possible reasons. First, it could be that the group spent time attempting to find a buyer for the information prior to making it public – at least one group claims to only publish information it cannot sell. Second, it could simply be the case that the group didn’t have the time to publish the data or even forgot about it. Third, it could have been a very protracted negotiation, possibly with payment being promised at some future date.”
TransLink, which runs Metro Vancouver’s bus, rail and ferry services serving 500,000 customers each day, was hit on Monday. On Thursday evening CEO Kevin Desmond put out a statement on Twitter acknowledging the cyber incident was ransomware on some of the system’s IT infrastructure.
“Upon detection, we took immediate steps to isolate and shut down key IT assets and systems in order to contain the threat and reduce the impact on our operations and infrastructure. We are now working to resume operations as quickly and as safely as possible.
“Customers can once again use and debit and credit cards at Compass vending machines and Tap to Pay fare gates. Customers who recently purchased monthly passes or stored value will soon see the credit loaded onto their Compass Cards. All transit services continue to run regularly and no transit safety systems are affected.”
According to Global News, the transit system’s payroll operations were impacted, and as a result, while employees will still be paid, it will be a cash advance at 65 per cent of what they would normally get including deductions. With the deductions factored out, it would come close to their regular pay. The missing deductions will be made up later. The news service said that for a time TransLink phones were down, the radio system on buses was out for more than 24 hours, drivers couldn’t access an online portal for employees, and some tasks were being done manually.
Global News also said it had seen a ransomware note from the attackers stating data had been copied and would be released unless they were contacted. The news service said it has been told TransLink won’t pay a ransom and that the ransom note includes instructions to contact the website of the Egregor ransomware gang. According to security researchers, Egregor has taken the place of the Maze gang, which announced in late October that it was shutting down.