Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management
Rite Aid Says Ransomware Group Stole 2.2M Customers' Data
Rise in RansomHub Attacks Tied to Recruitment of Affiliates Deserting Other GroupsAmerican pharmacy chain giant Rite Aid is warning 2.2 million customers that attackers obtained their personal information.
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
The Philadelphia-based company said in a breach notification that on June 6, an attacker "impersonated a company employee to compromise their business credentials and gain access to certain business systems." The company said it detected the intrusion "within 12 hours and immediately launched an investigation to terminate the unauthorized access, remediate affected systems and ascertain if any customer data was impacted."
Rite Aid said that by June 17, it confirmed that the attacker stole information about customers' purchases or attempted purchases between June 6, 2017, and July 30, 2018. Exposed information included the customer's name, address, birthdate, and driver's license number or a number from another form of government-issued identification.
The company said the attacker stole no Social Security numbers, financial details or patient information.
Rite Aid is the country's third-largest pharmacy chain, with 1,700 stores across 16 states and 45,000 employees, of which 6,000 are pharmacists. The company filed for Chapter 11 bankruptcy last October. In June, a judge approved the company's request to exit bankruptcy via a restructuring plan, Bloomberg reported.
In the wake of the breach, Rite Aid said it's "implementing additional security measures to prevent potentially similar attacks in the future," as well as notifying customers and offering victims prepaid identity theft monitoring services.
The breach first came to light after ransomware group RansomHub recently released a sample of allegedly stolen Rite Aid data, as Bleeping Computer first reported.
RansomHub's data leak site features a ransom demand, next to a typical countdown timer, demanding payment before the timer expires on July 26, after which the group has threatened to release the stolen data.
The criminals said they stole about 10 gigabytes of customer information, including names, addresses and Rite Aid rewards card numbers. The group claimed it had been negotiating with Rite Aid before the company "stopped communications."
Security experts have traced an increasing number of attacks to RansomHub, which is notable since the group first surfaced in February. Researchers at Check Point said the group does appear to be "a reincarnation of Knight ransomware," meaning it was not started from scratch.
"RansomHub has quickly gained notoriety for its aggressive campaigns targeting various systems including Windows, macOS, Linux and particularly VMware ESXi environments," Check Point said. "This malware is known for employing sophisticated encryption methods."
Comparing Q2 of this year to the previous quarter, cybersecurity firm ReliaQuest reported seeing a 243% increase in the number of victims listed on RansomHub's data leak site, thanks in part to affiliates of former groups appearing to have moved to the operation. Such counts are a measure of any given group's activity, although they never tell the full story: Ransomware groups often lie and only list a subset of nonpaying customers, rather than victims who did pay a ransom (see: Ransomware Groups' Data Leak Blogs Lie: Stop Trusting Them).
Some researchers have questioned whether core members of ransomware-as-a-service operation Alphv, aka BlackCat, might also be involved with RansomHub, given that BlackCat went quiet on March 5, when its operators appeared to run an exit scam instead of sharing the proceeds of a ransom paid by Change Healthcare with the responsible affiliate.
Security experts said one draw for fresh RansomHub affiliates appears to be the group's unique approach to handling ransom payments.
"Unlike traditional models where the ransom payments are controlled by the main group, RansomHub's affiliates have control over their own wallets and receive ransom payments directly from their victims," said threat intelligence firm Cybersixgill. "They then pay a 10% fee to the core group. This approach is likely intended to address concerns of 'exit scams' or fraudulent activities that have been associated with other ransomware groups."
Despite RansomHub's recent debut - or reboot, the group has already listed a number of high-profile victims, including the Florida Department of Health, Christie's auction house and UnitedHealth Group's Change Healthcare unit.
Current affiliates of RansomHub appear to include the attacker who hit Change Healthcare under BlackCat's banner. After UnitedHealth Group paid a ransom worth $22 million to BlackCat, the operators apparently shut down the operation rather than sharing it with their Western affiliate. The affiliate appears to have taken their copy of the 6 terabytes of stolen data to a rival, to continue extorting the victim.
Whether or not UHG paid a second ransom to RansomHub remains an open question. Speculation that the company did indeed pay intensified after RansomHub removed its leak site listing for Change Healthcare, several days after it first appeared.