A British Columbia-based real estate agency is the latest victim of a ransomware cyberattack – but the circumstances of the attack raise more questions than answers.
Last week, the Conti ransomware group listed ReMax Kelowna as one of its victims on its leak website. As proof that it had carried out the attack, the group also listed the names of 15 files it claims to have copied from ReMax Kelowna.
ReMax Kelowna owner and managing director Jerry Redman revealed that the cyberattack occurred at around the same time as the agency's IT staff were overseeing a software update. In an interview with IT World Canada, Redman also confirmed that, while the ransomware its IT staff found was never executed, some company files were copied by the attackers.
“We were on it within minutes of knowing it started, and that’s why [the attackers] don’t have much,” Redman explained.
Although an investigation into the attack is still ongoing, Redman believes that the malicious actors responsible for the breach only managed to copy what the director calls “non-personal company data.” This data includes “graphic design stuff that the company does for people.”
Redman said that he was not aware any files had been stolen during the attack until a reporter informed him later that week.
“We had the attack shut down so fast we didn’t believe they got anything. We got no ransomware request from [attackers], our system never got locked down from them, but they obviously got a little bit of data.”
Although the cyberattack against the real estate agency was confirmed to be ransomware in nature, how the attack was launched remains a mystery.
“The only thing we can think of at this point is we were doing a software upgrade from a major company and it started to happen about the exact same time,” Redman said when asked if he knew how the cyberattack began.
Redman also said that he was unsure if the software upgrade itself was infected with the malware.
“I don’t want to speculate, but that’s literally what we were doing when it happened, and that’s why we were able to shut it down so quick because my IT guys were here.”
Ransomware operators typically gain their initial access through phishing or spear phishing, exploiting or brute-forcing exposed remote access services (such as RDP), trojanized pirated software, drive-by downloads from compromised websites, and infected removable media. Attacks delivered through third-party software or the supply chain, which is what Redman suspects happened here, are rarer, but not unheard of.
Asked to comment on the attack, Emsisoft threat researcher Brett Callow told IT World Canada that a supply chain compromise can give attackers an initial foothold in a victim's network, but added that he had never heard of such an attack being used to exfiltrate data quickly before the ransomware itself was deployed.