Valencia Ransomware explodes on the scene, claims California city, fashion giant, more as victims

A California city, a Spanish fashion giant, an Indian paper manufacturer, and two pharmaceutical companies are the alleged victims of what looks like a new ransomware gang that started leaking stolen info this week.

Brand new cybercrime crew Valencia Ransomware emerged earlier this month, and right off the bat, the miscreants listed five major entities on their Tor-hidden “wall of shame” website, claiming to have stolen data from each of them. 

The alleged victims are the city of Pleasanton, California, from which the crims claim to have stolen 304GB of data; Bangladeshi drugs maker Globe Pharmaceuticals Limited (200MB of data); Indian paper manufacturer Satia Industries (7.1GB); Malaysian pharma firm Duopharma Biotech Berhad (25.7GB); and Spanish fashion retailer Tendam, with an unspecified amount of data allegedly stolen.

None of the five organizations responded to The Register‘s inquiries.

On Wednesday, Valencia began leaking on the dark web sensitive info that allegedly belongs to the city of Pleasanton. 

The Register has not verified the purloined data, but according to infosec outfit HackManac, the files available for download on the criminals’ dark web site include personally identifiable information — names, full addresses, dates of birth, and driver license numbers — as well as credit card numbers and other personal and company financial data, plus other sensitive files, credentials, employee resumes, and confidential company documents.

Stolen files claimed to be from Globe Pharmaceuticals are also up for grabs, and include dermatology product details and invoices, along with a ton of employee information: payment and salary info, insurance data, names and phone numbers, bank accounts, and private keys, among other sensitive files.

The extortionists’ listed victims “indicate a significant operational capability in executing ransomware attacks,” Technisanct founder and CEO Nandakishore Harikumar told The Register.

Harikumar said his firm has verified the data samples, and the claims about the five victims “appear to be credible.”

It’s also worth noting that one of the five, Tendam, was previously targeted by the Medusa ransomware crew. None of Valencia’s other claimed victims have been previously breached (that we know of).

According to Harikumar, there’s also a suspected link between Valencia and a criminal who goes by the handle LoadingQ and is active on the EVIL hacker forum. Both have the same contact details and Tox chat app ID, which “suggests that LoadingQ might be an alias or associated with Valencia,” Harikumar said.

LoadingQ has also advertised access to a European healthcare company on EVIL, and listed the sale price of domain admin access plus “2.5K computers AD environment” at $40,000.

“This suggests that LoadingQ, and potentially Valencia, may have access to valuable and sensitive networks,” Harikumar noted. 

While it’s still too early to definitively link Valencia to other underground criminal operations, one thing’s for sure: Given the state of the multi-trillion-dollar cybercrime economy, ransomware groups, both existing and new, aren’t going away anytime soon.

In July, security shop Zscaler revealed that a Fortune 50 company had paid a $75 million ransom, and this week Bloomberg reported that this largest-ever ransom payment went to the Dark Angels gang after they hit drug distributor Cencora in February.

Plus, in April, UnitedHealth CEO Andrew Witty confirmed to US senators that his company had paid $22 million to extortionists in an attempt to keep the data stolen from subsidiary Change Healthcare out of the public domain.

There’s money to be made in digital extortion, and unless there’s some collective solution to the problem — a total ban on ransom payments is one suggestion that has been thrown about — the scumbags aren’t going to stop with these financially motivated crimes. ®
