Stormous Claims Credit for Ransomware Attack on Coca-Cola
Whether the ransomware attack on beverage giant Coca-Cola in Brazil, claimed by the Stormous group, is one in a cascade of attacks by Russian-affiliated threat actors against western organizations, or whether it is simply emblematic of the ransomware plague currently sweeping the world, remains to be seen.
“Time will tell if we are seeing a wave of Russian-backed threat actors compromising big organizations such as Coca-Cola,” said Anurag Gurtu, CPO at StrikeReady.
“Known for its website defacement and information theft, the Stormous ransomware gang represents itself as a group of Arabic-speaking hackers,” said Gurtu.
But the group, active since 2021, “recently announced its support for the Russian government and its intention to attack Ukrainian government institutions,” Gurtu pointed out.
The gang said it had nicked 161GB of data, and noted on its leak site that it had “hacked some of the company’s servers and passed a large amount of data inside them without their knowledge, and we want to sell it to someone else.”
Judging by a CISOAdvisor notice, the information stolen appears to have included commercial accounts and financial data as well as the more standard spoils like email addresses and passwords. The breach is in keeping with Stormous’ past modus operandi.
“This ransomware provides the actor with the ability to upload custom payloads to the affected server via open source resources such as Pastebin and remote upload,” said Gurtu. “Since the actor can modify encryption and decryption keys as well as copy ransom messages in the wild, the actor’s capabilities, which include dropping malware, encryption and sending a ransom note, can be hard to identify. In addition, the actor’s ransomware is PHP-based, so it is easy to modify on the fly.”
This time, though, the group is peddling the data it pilfered for a pittance, reportedly selling 13 Coca-Cola files for just $64,396.67.
The Gathering Stormous
Stormous emerged in force around the time Russia invaded Ukraine and has claimed to have been behind some impressive attacks, including one in which 200GB of data was stolen from Epic Games. In that case, the group said it had “found a vulnerability in the company’s internal network.”
In other posts, it referred to the Ukraine Ministry of Foreign Affairs’ network as “fragile,” and said “their various data has been stolen and distributed,” leading some to believe that future attacks may be launched in support of Russia.
But, again, it is too early to tell. After all, “ransomware has seen quite a resurgence this year,” said Erfan Shadabi, cybersecurity expert at comforte AG. “Threat actors are taking their ability to use social engineering and other forms of trickery to gain access to corporate systems, launch debilitating ransomware software and watch the target squirm. All industries are currently at risk from attacks.”
And as SOCRadar noted, “threat intelligence experts have yet to agree on whether the Stormous group makes these claims for a political agenda or forward-looking financial gain.”
There is also debate over whether the group is a scam, engaged in what SOCRadar called “scavenger operations,” where threat actors “attack” companies “whose data was already leaked by another threat actor.”
Regardless of the group’s origin or intent, the Coca-Cola breach highlights the difficulty companies have in fending off ransomware attacks and the need to bolster defenses.
“Enterprises, big or small, need to prepare for this eventuality with robust recovery capabilities—tools and processes—combined with proactive data-centric protection,” said Shadabi. “The former restores the IT and data environment to a pre-breach state, while the latter ensures that threat actors can’t exfiltrate sensitive data and use that compromised information as further leverage.”
That way, “even if hackers get their hands on data, they can’t blackmail organizations with the threat of imminent release of that data. And that’s what ransomware is all about—blackmail,” said Shadabi.