Exclusive: Snow Brand Australia confirms SafePay ransomware attack
The Australian arm of a Japanese dairy company has confirmed it was hacked by a new ransomware operation, with a limited amount of employee data compromised.
Australian dairy supplier Snow Brand Australia has confirmed that it was the victim of a recent ransomware attack by the SafePay ransomware gang.
Snow Brand was listed on the gang’s darknet leak site over the past week, alongside 23 other victims. The gang appears to be a new operation, likely based in Russia.
The SafePay leak site is very minimal: it simply lists each victim, their revenue and location, a description of the stolen data, and file lists.
In the case of Snow Brand, the gang released an archived data set of almost 24 gigabytes. According to the file listing, much of it consists of financial data such as invoices, purchase orders and records of the company’s dealings with various retail partners, such as Romeo’s Retail Group.
Some employee data is also included, such as medical certificates, superannuation details and health insurance claims.
Snow Brand Australia confirmed the incident.
“Snow Brand recently experienced a cyber incident where unusual activity was detected on our network,” a Snow Brand spokesperson told Cyber Daily.
“We acted immediately to secure our network and launch an investigation to understand what happened, including any impact on information.”
The Australian Cyber Security Centre and the Office of the Australian Information Commissioner have been informed of the incident, and the company is in communication with those affected by the data breach.
“We further confirm that our systems are secure and that Snow Brand remains fully operational,” the spokesperson said.
SafePay is a new ransomware operation, and Snow Brand is one of its first victims. According to research by cybersecurity firm Huntress, SafePay has only been active for the last two months. Before encrypting, the ransomware first checks whether the system’s default language uses Cyrillic script and, if it does, abandons the attack, suggesting that the gang is based somewhere in Eastern Europe, perhaps in Russia.
Huntress tracked two specific SafePay incidents, and in both cases, “the threat actor activity was found to originate from a VPN gateway or portal, as all observed IP addresses assigned to workstations of the malicious actor were within the internal range.”
“The threat actor was able to use valid credentials to access client endpoints and was not observed enabling RDP, creating new user accounts, or creating any other persistence,” Huntress researchers said in a Nov. 14 blog post.
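The Huntress observations above (activity from a VPN gateway, source addresses inside the internal range, valid credentials, no new accounts or persistence) leave defenders with few host-level artefacts, so one practical detection is to look at the logon pattern itself: a single VPN-assigned address and account reaching an unusual number of distinct hosts in a short window. The following is an added example and is not code from the article or from Huntress; the VPN pool range, the event fields and every address, account and host name in it are constructed for illustration.

```python
"""Flag VPN-pool sources that authenticate to many hosts in a short window.

Added example (not from the article or Huntress). Input is a simplified export of
successful Windows logon records (the fields a SIEM would keep from event 4624).
Only network logons whose source falls inside the address pool the VPN gateway
hands out are considered; any (source, account) pair that reaches at least
MIN_HOSTS distinct hosts within a sliding WINDOW_MINUTES span is reported.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption for this example: the VPN concentrator assigns client addresses here.
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")
WINDOW_MINUTES = 15
MIN_HOSTS = 5

# Constructed sample records: (timestamp, source_ip, account, target_host, logon_type).
# Logon type 3 = network logon, 2 = interactive. None of this is real telemetry.
SAMPLE_EVENTS = [
    # One VPN client fanning out to six hosts in under ten minutes: suspicious.
    ("2024-11-10T02:01:10", "10.200.0.17", "CORP\\jsmith", "WS-001", 3),
    ("2024-11-10T02:03:42", "10.200.0.17", "CORP\\jsmith", "WS-014", 3),
    ("2024-11-10T02:05:05", "10.200.0.17", "CORP\\jsmith", "FS-01", 3),
    ("2024-11-10T02:06:30", "10.200.0.17", "CORP\\jsmith", "WS-077", 3),
    ("2024-11-10T02:08:11", "10.200.0.17", "CORP\\jsmith", "WS-102", 3),
    ("2024-11-10T02:09:55", "10.200.0.17", "CORP\\jsmith", "SQL-02", 3),
    ("2024-11-10T02:10:20", "10.200.0.17", "CORP\\jsmith", "WS-001", 2),  # interactive, ignored
    # Normal VPN user touching two hosts: below threshold.
    ("2024-11-10T09:15:00", "10.200.0.44", "CORP\\aklein", "WS-014", 3),
    ("2024-11-10T09:20:00", "10.200.0.44", "CORP\\aklein", "FS-01", 3),
    # Backup service account on the server LAN reaching many hosts: not a VPN source.
    ("2024-11-10T08:00:00", "10.10.5.23", "CORP\\svc_backup", "FS-01", 3),
    ("2024-11-10T08:00:05", "10.10.5.23", "CORP\\svc_backup", "FS-02", 3),
    ("2024-11-10T08:00:10", "10.10.5.23", "CORP\\svc_backup", "SQL-02", 3),
    ("2024-11-10T08:00:15", "10.10.5.23", "CORP\\svc_backup", "WS-001", 3),
    ("2024-11-10T08:00:20", "10.10.5.23", "CORP\\svc_backup", "WS-014", 3),
    ("2024-11-10T08:00:25", "10.10.5.23", "CORP\\svc_backup", "WS-077", 3),
]


def parse_events(rows):
    """Turn raw tuples into dicts with a parsed timestamp, keeping network logons only."""
    events = []
    for ts, src, account, host, logon_type in rows:
        if logon_type != 3:
            continue
        events.append({
            "time": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "account": account,
            "host": host,
        })
    return events


def detect_vpn_fan_out(rows, pool=VPN_POOL, window_minutes=WINDOW_MINUTES, min_hosts=MIN_HOSTS):
    """Return {(source_ip, account): sorted_hosts} for every VPN-pool source that
    reached at least `min_hosts` distinct hosts inside some `window_minutes` span.
    Keying on (source, account) keeps separate users behind one pool apart and
    still catches one set of valid credentials reused from one VPN session.
    """
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for ev in parse_events(rows):
        if ev["src"] in pool:  # only addresses the VPN gateway hands out
            by_actor[(str(ev["src"]), ev["account"])].append(ev)

    alerts = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        # Sliding window: each event opens a window; collect the hosts reached
        # before it closes and alert on the first window that meets the threshold.
        for i, start in enumerate(evs):
            hosts = set()
            for ev in evs[i:]:
                if ev["time"] - start["time"] > window:
                    break
                hosts.add(ev["host"])
            if len(hosts) >= min_hosts:
                alerts[actor] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for (src, account), hosts in detect_vpn_fan_out(SAMPLE_EVENTS).items():
        print(f"ALERT {src} {account}: {len(hosts)} hosts in {WINDOW_MINUTES} min -> {', '.join(hosts)}")
```

The threshold and window are starting points, not tuned values: a help-desk or backup account legitimately touching many hosts will need an allow-list, and if the VPN gateway NATs all clients behind one address the per-account key is what keeps the rule usable. The point is that the logons the attacker needs to move laterally are still recorded even when no RDP, new account or persistence is ever created.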