The M+R Spedag Group describes itself as a family-run transport and logistics company headquartered in Switzerland. (Image: M+R Spedag Group)
The internationally active logistics group has fallen victim to a criminal group that the FBI and the US Secret Service had already warned about.
What do the San Francisco 49ers and the Swiss logistics group M+R Spedag Group have in common?
They have both been hacked by «BlackByte».
The full extent of the cyber attack cannot yet be estimated. A countdown is emblazoned on the criminal gang's dark-themed "leak site"; on Wednesday evening it showed 15 days remaining.
How many gigabytes were stolen is not known. If the ultimatum displayed on the leak site expires, the stolen data may be published in full. (Screenshot: watson)
BlackByte is one of the unscrupulous ransomware gangs that break into the IT systems of Western companies, quietly exfiltrate valuable data and only then launch encryption with their own malware, a pattern known as double extortion.
M+R Spedag Group AG is an international forwarding and logistics group. By its own account, it has 2,000 employees and 82 branches.
The company, headquartered in Muttenz BL, has confirmed the attack to watson.
The Swiss IT news portal inside-it.ch first reported on the incident on Wednesday.
What does the company concerned say?
Bernadette Jourdan, Head of PR and Communication, said on Wednesday that customers and partners had been informed "since last weekend". "We consider the damage potential to be low."
A typical pattern in such ransomware attacks is that the attackers try to pressure the victim into paying a large ransom by threatening to publish the stolen data on the dark web.
On the BlackByte leak site, which is reachable over the Tor anonymity network, there is a corresponding link that leads to a file hoster specializing in anonymous downloads. The download comprises around 8 gigabytes of M+R Spedag Group company documents.
watson was able to view the leaked data. It consists of a large number of older and more recent files, including internal statements as well as offers and other documents relating to numerous business customers.
How did the attack take place?
On Thursday, April 21, at 4:09 p.m., those responsible at the M+R Spedag Group became aware of the attack. Only "the organizational unit in Switzerland" was affected, the company says, and by the next morning it was "fully operational again".
How the attackers got into the company's network is not known. The spokeswoman explains that the security gap in question has been closed and that the endpoints were replaced within 48 hours. "Additional measures were taken together with Swisscom."
In the past, BlackByte has exploited several unpatched vulnerabilities in Microsoft Exchange Server to break into victims' systems.
As the CEO, Boris Lukic, told inside-it.ch, no ransom demand has been received so far. It is quite possible that this will change before the ultimatum expires.
Who is behind «BlackByte»?
The traces lead to Russia.
It is not known who is behind BlackByte. One thing is certain: It is a ransomware-as-a-service group that makes its attack tools and infrastructure available to third parties for a fee and has been targeting companies worldwide since July 2021.
The encryption malware itself was rewritten in 2021 in Go, Google's programming language. Go binaries are statically linked and laid out differently from the C/C++ samples most analysis tooling is tuned for, which makes them more laborious for security researchers to reverse-engineer.
Revealing detail: when the Windows malware starts, it first checks the victim's system language and, for certain language settings, exits without encrypting any files.
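The system-language check described above, as an added illustration of the technique rather than BlackByte's own code: Windows identifies a language with a 16-bit LANGID whose low 10 bits are the primary language and whose high 6 bits are the regional sublanguage, so a payload that keys off the primary language alone treats every regional variant the same way. The exclusion set used here is an assumption for the example (the article's own list is not reproduced); 0x19 is Windows' real LANG_RUSSIAN primary language ID.

```python
import ctypes
import sys

# Low 10 bits of a Windows LANGID hold the primary language;
# the high 6 bits hold the sublanguage (region).
PRIMARY_LANG_MASK = 0x03FF

# Assumed exclusion set for this example, not the article's list.
# 0x19 is LANG_RUSSIAN in the Windows headers.
EXCLUDED_PRIMARY_LANGS = frozenset({0x19})


def primary_lang(langid: int) -> int:
    """Strip the sublanguage bits so e.g. 0x0419 and 0x0819 both map to 0x19."""
    return langid & PRIMARY_LANG_MASK


def would_abort(langid: int, excluded=EXCLUDED_PRIMARY_LANGS) -> bool:
    """True if a payload using this check would exit before encrypting anything."""
    return primary_lang(langid) in excluded


def current_system_langid() -> int:
    """Read the real system UI language via kernel32 on Windows; 0 elsewhere."""
    if sys.platform != "win32":
        return 0
    return ctypes.windll.kernel32.GetSystemDefaultUILanguage()


if __name__ == "__main__":
    # Constructed sample LANGIDs: ru-RU, ru-MD (different sublanguage), en-US.
    for lid in (0x0419, 0x0819, 0x0409):
        print(f"LANGID 0x{lid:04X}: abort={would_abort(lid)}")
    print("this host:", hex(current_system_langid()))
```

Checking only the primary language is why a single added keyboard layout or locale can flip the outcome for an entire language family, and why a defender should never rely on that behaviour as a control.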
An American IT security expert told TechCrunch in February that all indications were that BlackByte operates from Russia. However, criminals anywhere in the world can use the gang's infrastructure, of course in return for "profit sharing".
The San Francisco 49ers, a professional American football team, were hacked in February shortly before the Super Bowl. BlackByte subsequently published only a few megabytes of stolen data.
Days earlier, the FBI and the US Secret Service (USSS) had issued a joint advisory warning of BlackByte attacks on critical infrastructure operators.