Retailer Fat Face Pays $2 Million Ransom to Conti GangNews Follows 'Private and Confidential' Breach Notification Fat Face Sent to Victims
Left unsaid in Fat Face's "strictly private and confidential" data breach notification to affected customers this week was any indication that the U.K.-based clothing and accessory retailer had paid a $2 million ransom to unlock its systems (see: British Clothing Retailer Fat Face Discloses Data Breach).
But as Computer Weekly reported on Friday, based on details of the ransom-payment negotiation obtained by its French sister publication, LeMagIT, Fat Face's data breach traced to it having been hit with a phishing attack on Jan. 10 by the Conti ransomware gang.
Responding to a 213 bitcoin - worth $8 million - opening ransom demand, Fat Face's negotiator reportedly argued that due to the COVID-19 pandemic, its revenue was down 75%. Ultimately, Conti agreed to a $2 million payment, saying that it didn't want to bankrupt the retailer, Computer Weekly reports.
The attackers triggered their crypto-locking malware one week after gaining access to Fat Face's systems, evading its security defenses, identifying its "Veeam backup servers and Nimble storage," and exfiltrating 200GB of data, according to Computer Weekly.
Luckily for Fat Face, the firm had a cyber insurance policy with Beazley Furlonge Ltd. that included coverage for ransom payouts. Or at least that's what the Conti gang said in its negotiations with Fat Face after the retailer said that the $8 million initial ransom demand was too high.
“Our demands are lower than your insurance coverage," Conti's negotiator shot back, according to screengrabs published by Computer Weekly. "I have no idea how this can break you when you are insured for 7.5 million pounds. I suppose it's time to contact your insurance company."
Fat Face Confirms Payoff
From a crisis communications standpoint, Fat Face arguably fumbled its data breach notification earlier this week by failing to disclose that it paid Conti ransomware attackers to decrypt its systems and promise to not dump stolen customer/employee data.
The fashion retailer confirmed Friday to Information Security Media Group that it got hit by ransomware, but it did not explicitly say that it paid extortionists in return for the promise of a decryption tool to restore access to its crypto-locked systems. It did not, however, dispute the details in Computer Weekly's report.
"Fat Face was unfortunately subject to a ransomware attack which caused significant damage to our infrastructure," a Fat Face spokesman told ISMG on Friday. "Thanks to a monumental effort from the Fat Face team, alongside external security and legal experts, Fat Face was able to quickly contain the incident, restore business operations and then undertake the process of reviewing and categorizing the data involved - a significant task which has taken considerable time."
Earlier this week, Fat Face confirmed that it had suffered a breach in January that compromised personal information for customers and employees. It declined to say exactly how many were affected.
Affected Fat Face customers began to receive emailed breach notifications early this week, as ISMG first reported. These notifications warned them that attackers had accessed their name, address and email address, as well as the last four digits of their payment card and its expiration date. Fat Face has also offered 12 months prepaid for an identity theft monitoring service for affected customers.
But the subject line of the notification email - " strictly private and confidential - notice of security incident" - led some customers to ask if the company was trying to cover up the breach.
"Clearly trying to make people stay quiet," one Fat Face customer who shared the email with ISMG said (see: Fat Face's 'Strictly Private' Data Breach Notification).
Others said that the breach notification had failed to make clear what risks they might now face. "I'm so confused having read their email, is this data breach something serious that we should take immediate action on, or is it a minor breach?" another customer commented. "Especially unclear given they waited two months to mention it!"
ICO 'Making Inquiries'
Fat Face noted earlier this week, when it began to notify customers via email about the breach, that it has notified the U.K. Information Commissioner's Office, which enforces the General Data Protection Regulation, about the breach, as well as Action Fraud - which works with England's police forces - and the National Cyber Security Center, which handles national incident response.
The ICO on Tuesday told ISMG that it is "making inquiries" into the Fat Face breach.
Whereas Fat Face earlier this week declined to share specifics of how exactly it had been hacked, now the retailer says it is declining to release any further breach details owing to an ongoing investigation. "Details of the attack and steps taken are part of a criminal investigation so at this stage we are unable to comment any further," it says.
Conti: 2020 Debut
Conti first debuted in May 2020, and later in the year, it was tied to numerous attacks, largely against targets in North America and Western Europe (see: How Conti Ransomware Works).
Along with Maze, Conti last year was tied to the greatest number of ransomware attacks against healthcare organizations, says cybersecurity firm CrowdStrike (see: Mark of Ransomware's Success: $370 Million in 2020 Profits).
Conti has already been tied to multiple healthcare hits this year as well (see: Patient Files Dumped on Darknet Site After Hacking Incidents).
Ransomware incident response firm Coveware says that the average final payment to Conti is about $740,000. Based on the cases it has investigated, it says Conti has always delivered a working decryptor after victims pay. But Computer Weekly reports that after the Fat Face attack, many of the company's systems were left deleted or unrecoverable. That includes storage area network data, electronic point of sale systems, SQL servers and Citrix hosts. But Conti claimed to not have had anything to do with that, according to the news report.
Many ransomware watchers suspect that Conti sprang from the Ryuk ransomware gang.
"Since its first appearance, Conti was assumed to be the successor to Ryuk with one crucial difference in that the group behind Conti threatens to leak exfiltrated data to strong-arm victims into paying the ransom," according to security firm Sophos.
In a technical teardown of the ransomware published last month, Sophos researchers note that Conti's developer has gone to great lengths to create an "elusive" ransomware payload that makes it hard to detect and tough for investigators to recover.
"Among the behavior observed by responders, the ransomware immediately begins a process of encrypting files while, at the same time, sequentially attempting to connect to other computers on the same network subnet, in order to spread to nearby machines, using the SMB port," Sophos reports.
A typical Conti attack also includes time spent exfiltrating potentially sensitive data. "The attackers spend some time on the target network and exfiltrate sensitive, proprietary information to the cloud - in recent attacks, the threat actors have used the cloud storage provider Mega," Sophos says.
Data Leak Site
Conti is one of a number of ransomware-wielding gangs that maintains a data leak site. For victims that do not pay a ransom within a specified time frame, gangs will often first name victims in an attempt to shame them into paying the ransom and having their name excised from the site. If victims still don't pay, gangs typically leak stolen data - if they did steal any - in tranches before dumping everything as a warning to future victims that they do follow through.
A Conti ransom note published previously by Sophos notes: "Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on (our) news website if you do not respond. So it will be better for both sides if you contact us as soon as possible."
According to Israeli threat intelligence firm Kela, the Conti operation has listed more than 300 victims on its data-leaking site, including industrial IoT chipmaker Advantech, industrial and technology business holding company ThyssenKrupp, and the Scottish Environmental Protection Agency. SEPA's systems were crypto-locked last Christmas Eve. The government agency refused to pay the ransom and, on Jan. 13, Conti began leaking stolen data.
Fat Face apparently never appeared on Conti's data leak site, which suggests that the organization may have promptly launched discussions with the ransomware gang.