Over the weekend, a new ransomware group called Ransomed.vc claimed it had compromised Sony. The original listing, which has since been replaced, gave a date of September 28, suggesting that if there was no resolution or payment by then, data would be leaked or sold. The group has since replaced it with an updated listing dated September 26:
“We have successfully compromissed all of sony systems. We wont ransom them! we will sell the data. due to sony not wanting to pay. DATA IS FOR SALE,” (sic) they proclaimed on their leak site.
“All of Sony systems,” though? The proof they offered does not suggest they got all systems, as CyberSecurityConnect reported:
…there appear to be screenshots of an internal log-in page, an internal PowerPoint presentation outlining test bench details, and a number of Java files.
Ransomed.vc has also posted a file tree of the entire leak, which appears to have less than 6,000 files – seemingly small for “all of Sony systems”. Included here are “build log files”, a wide range of Java resources, and HTML files.
The original listing by ransomed.vc demanded a price of $2,500,000.00 from Sony to delete the data, and had a “Pay” link under the listing. The revised listing indicates that Sony wouldn’t pay them and that they are selling the data. The “Pay” link was replaced with a “Buy” link.
For its part, Sony issued a statement saying, “We are currently investigating the situation, and we have no further comment at this time.”
Ransomed.vc is a new group in the ransomware ecosystem, but they have already exceeded LockBit3.0 in the number of victims listed in a short time period. But if their claims continue to exaggerate what they have acquired from victims, they may have trouble being believed.
According to vx-underground, there was no encryption involved in this incident:
tl;dr Threat Actors did not deploy ransomware, no corporate data was stolen, services not impacted. Data was exfiltrated from Jenkins, SVN, SonarQube, and Creator Cloud Development. They’re extorting Sony
Update 1: A new user showed up on BreachForums to write, “You journalists believe the ransomware crew for lies. Far too gullible, you should be ashamed. RansomedVCs are scammers who are just trying to scam you and chase influence. Enjoy the leak.”
And with that, “MajorNelson” leaked what they described as:
A lot of credentials for internal systems
SonarQube
Creators Cloud
Sony’s certificates
A device emulator for generating licenses
qasop security
Incident response policies
and more.
Bleeping Computer attempted to compare the leaked data to the sample provided by ransomed.vc. They reported, “BleepingComputer further observed the archive posted by MajorNelson had all of the files that were present in RansomedVC’s small sample, but definitive attribution remains a challenge.”