Hackers want €5,000 for hacked PN data before Thursday deadline

Hackers holding the Nationalist Party to ransom ask for €5,000 from the party

Hackers holding the Nationalist Party to ransom, threatening to publish data seized from one of its computer systems, are asking the party for €5,000.

Posting on their dark web page last Monday, the operators behind the Avaddon ransomware published a number of documents that include PN employees’ details, passport pictures, and TV studio rota and wage details.

The party was given 240 hours to pay the ransom demanded, after which the hacker group said it will dump all the data hacked from the PN onto its dark web site, for anyone to see and download. That deadline expires at 5.30am on Thursday.

And although the Avaddon ransomware used to hack the PN is the creation of an international hacking gang, the attack was most probably carried out by an affiliate rather than the group itself, possibly even one based in Malta.

Anyone with access to the dark web can sign up as an Avaddon affiliate, receive a personalised version of the ransomware linked to a unique affiliate ID, and then share any ill-gained profits with the group if a target pays the ransom.

Sources told MaltaToday the police are looking at the possibility that the PN attack was the work of a local affiliate, although tracking activity could be difficult, especially if the attackers know their way around the dark web and how to cover their tracks.

PN secretary-general Francis Zammit Dimech, while not confirming the €5,000 ransom amount, insisted that the party would not negotiate with the hackers. “We are not making any contact with Avaddon and we refuse to make any such contact or to enter into any negotiations with criminals,” he said.

Zammit Dimech said the party was still assessing the full extent to which its data had been compromised. 

Documents released so far by Avaddon include a spreadsheet appearing to show payroll details for Media.link productions in 2014, the ID card, passport and bank details of a woman from St Julian’s, and a letter welcoming a new member to the party. Personal details, including ID numbers, addresses, bank account numbers, mobile numbers and other information, are left uncensored.

The cyber criminals also warned that if their demands are not met, they would carry out a DDoS (distributed denial of service) attack, taking the PN’s website offline by flooding it with traffic.

A magisterial inquiry by Victor Axiak is underway, and police have visited the party’s headquarters as part of their investigation. The PN also brought in IT experts to mitigate the effect of the data hack. But it has not asked the government for the assistance of MITA, the government’s information technology agency.

“The party is proactively co-operating with the police and with the court-appointed IT expert in the investigation being carried out at the party’s own instigation and is following all advice that the police are extending to the party on this issue,” Zammit Dimech told this newspaper. “The advice relates to enhanced levels of security on the Party’s IT systems.”

Zammit Dimech also revealed that the PN was informed that a number of local companies had also been targeted by Avaddon. At present, there are no Maltese companies or organisations listed on the Avaddon dump site, except for the PN.

Zammit Dimech acknowledged the damage caused by the hack but noted that such attacks were, sadly, becoming more common. “People experience hacking of their personal WhatsApp and Facebook accounts and we have also seen large entities – including a well-established bank and a Malta Government public entity – that were hacked or had much of their data wiped clean and then had to be rebuilt from scratch,” he said. “Ultimately we need to be united against this form of terrorism and criminality that can affect us all.”

How Avaddon ransomware works

Security experts believe the gang behind Avaddon ransomware created the dedicated leaking site on the dark web in August 2020, when the group announced their data-leaking site via a Russian-language cybercrime forum. 

So far, the ransomware gang has dumped the data of 62 firms and entities from across the world. The data dumps range from 100MB to over 70GB, as in the case of Groupe Qualinet Inc, a Canadian disaster cleaning franchise. Data revealed includes contracts, employee details, emails, banks and payments details and more.

Also listed are 30 other companies, organisations and local authorities – including the PN in Malta – who are currently being held up for ransom.

The group behind Avaddon has also been recruiting new affiliates: attackers who receive a personalised version of the ransomware tied to a unique affiliate ID, then share profits with the operators whenever a victim pays a ransom. Based on the gang’s posts, it appears to be recruiting affiliates who already hold stolen or brute-forced remote desktop protocol (RDP) or other remote-access credentials, which they use to gain access to targeted networks.

Avaddon first spotted in June 2020

Avaddon was first spotted in early June, and was quickly flagged by researchers and web security portals.

The ransomware encrypts user data, so the victim can only regain access to the files by paying the ransom and obtaining the means to decrypt them.

A Trojan is used to trick victims into executing a JavaScript file that downloads the ransomware and runs it.

In July 2020, Microsoft’s security intelligence group warned Avaddon was also using Microsoft Excel spreadsheets with malicious macros to spread the ransomware, potentially via targeted attacks. When run, the malicious macro downloads the Avaddon ransomware.

Another Avaddon campaign involved photo-themed emails with an attached zip file containing a malicious JavaScript file that runs the ransomware payload, which encrypts files and gives them an .avdn file extension.
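The .avdn extension the article mentions is the one file-level indicator a defender can key on. As an added example (not from the article, and not Avaddon’s own code), a small Python detector that scans constructed file-rename audit lines and flags any process that renames a burst of files to that extension; the log format, hostnames and PIDs are all invented for the example.

```python
"""Detect a burst of files being renamed to the ".avdn" extension.
Log format and sample lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: "<ISO timestamp> <host> <pid> RENAME <old> -> <new>"
SAMPLE_LOG = """\
2021-02-15T03:14:01 ws-07 4120 RENAME C:\\Users\\a\\budget.xlsx -> C:\\Users\\a\\budget.xlsx.avdn
2021-02-15T03:14:01 ws-07 4120 RENAME C:\\Users\\a\\notes.docx -> C:\\Users\\a\\notes.docx.avdn
2021-02-15T03:14:02 ws-07 4120 RENAME C:\\Users\\a\\photo.jpg -> C:\\Users\\a\\photo.jpg.avdn
2021-02-15T03:14:02 ws-07 4120 RENAME C:\\Users\\a\\cv.pdf -> C:\\Users\\a\\cv.pdf.avdn
2021-02-15T03:14:03 ws-07 4120 RENAME C:\\Users\\a\\q1.pptx -> C:\\Users\\a\\q1.pptx.avdn
2021-02-15T03:20:00 ws-02 880 RENAME C:\\tmp\\draft.txt -> C:\\tmp\\final.txt
2021-02-15T03:21:00 ws-02 880 RENAME C:\\tmp\\old.avdn -> C:\\tmp\\keep.txt
"""

SUSPECT_EXT = ".avdn"  # extension the article attributes to Avaddon's encryptor


def parse_line(line):
    """Return (timestamp, host, pid, old_path, new_path), or None for non-rename lines."""
    parts = line.split(" ", 4)
    if len(parts) < 5 or parts[3] != "RENAME":
        return None
    old, _, new = parts[4].partition(" -> ")
    return datetime.fromisoformat(parts[0]), parts[1], parts[2], old, new


def find_encryption_bursts(log_text, threshold=5, window=timedelta(seconds=10)):
    """Flag (host, pid) pairs that rename at least `threshold` files to .avdn
    inside one `window`. Returns {(host, pid): total .avdn renames} for hits."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[4].lower().endswith(SUSPECT_EXT):
            events[(rec[1], rec[2])].append(rec[0])
    hits = {}
    for key, times in events.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = len(times)
                break
    return hits


if __name__ == "__main__":
    print(find_encryption_bursts(SAMPLE_LOG))
```

A single rename to .avdn (or a rename away from it, as on ws-02) is ignored; only the rate at which one process produces the extension is treated as a signal, which is what distinguishes an encryptor from an ordinary file operation.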

Like many types of malware, Avaddon is programmed to terminate itself if it finds that the Windows Locale ID is set to 419 (Russia) or 422 (Ukraine), or if the keyboard layout is set to 419 (Russia), 422 (Ukraine), 444 (Tatar) or 485 (Yakut, Russia).

Avaddon’s aversion to infecting Russians may reflect a cybercrime reality: Russian authorities typically turn a blind eye to online crime committed by citizens, provided they target foreigners, in part because the country’s legal statutes have historically made such activity difficult to prosecute. But the authorities have not hesitated to crack down on Russians who steal from Russians.

Copycat gangs

Avaddon’s addition of a dedicated data-leaking site comes after numerous other gangs adopted the tactic. The escalation usually involves naming and shaming victims, leaking samples of the stolen data, and finally dumping or auctioning the data. At a certain point, the gang will give up. Some, including REvil, then auction stolen data to the highest bidder. Others will just dump it all online. Either step is meant to scare future victims into paying.

Data-leaking sites have become a fact of life, with more than a dozen gangs now running dedicated sites or even hosting leaks for rival gangs.