Rubrik confirms data breach but evades Cl0p ransomware allegations

Security firm Rubrik has distanced itself from allegations that it has been affected by an alleged ransomware attack from Cl0p.

The ransomware gang added the company to its deep web victim blog this week, but declined to confirm if it was aware of a ransomware incident.

Cl0p updated its post on Wednesday, publishing a range of files allegedly belonging to the company.

These included various spreadsheets which, according to published screenshots seen by IT Pro, appeared to include Rubrik employees’ full names and email addresses.

Other files also appear to show the details of various businesses from around the world, including business names, addresses, industries, revenue figures, and the total number of employees.

One single-tab spreadsheet appears to include additional company details as well as Microsoft contacts. The terminology used throughout suggests that the data relates to Rubrik’s co-selling work with Microsoft.

A number of other files have also been published.

The company told IT Pro: “based on our current investigation, being conducted with the assistance of third-party forensics experts, the unauthorised access did not include any data we secure on behalf of our customers via any Rubrik products”.

Rubrik’s explanation of the incident

Rubrik published a blog post on Tuesday detailing an incident which saw the unauthorised access of its data.

It said that it was one of “more than 100 organisations” across the world to be affected by the exploitation of a zero-day vulnerability in the GoAnywhere Managed File Transfer platform.

“We detected unauthorised access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability,” said Michael Mestrovich, CISO at Rubrik.

“The current investigation has determined there was no lateral movement to other environments. Rubrik took the involved non-production environment offline and leveraged our own security systems and solutions to quickly contain the threat and help restore our test environment.”

Mestrovich went on to detail that the nature of the data that was stolen related to partner and customer company names, business contact information, and purchase orders from Rubrik distributors.

He confirmed that the third-party security form working with Rubrik concluded that no sensitive personal data was stolen during the breach.

“As a cyber security company, the security of customer data we maintain is our highest priority,” Mestrovich added.

“If we learn additional, relevant information we will update this post. We sincerely regret any concern this may cause you, and as always, we appreciate your continued partnership and look forward to our ongoing work together.”

Analysis of the Rubrik data theft

It’s not unheard of for ransomware groups to steal data and avoid deploying a locker - the malicious payload that blocks a victim from accessing their files.

Given the rise - and resultant success- of the double extortion ransomware model in recent years, some groups have opted for a simple extortion-only approach when it comes to attacks.

This means they will breach a company’s systems, steal data, and hold the data to ransom only, leaving the company with full access to its systems.

A notable example of this was the LAPSU$ group which rose to prominence in early 2022. Originally thought to be a rival ransomware operation, hacks on large companies like Nvidia and Samsung revealed that they adopted an extortion-only model.

It appears Rubrik’s incident is one of these, uncharacteristic of the Cl0p group which is known for deploying lockers in its attacks.

Organisations that are accused of suffering ransomware attacks while making no mention of ‘ransomware’ in their explanations often raise questions about why they decide not to use the terminology.

In this case, Rubrik made no mention of ‘ransomware’ in any of its communications, either to the public or directly to the media.

It’s not uncommon for victims to distance themselves from the term ‘ransomware’ to avoid the reputational harm that comes with such attacks.

It remains unclear whether ransomware was involved in the Rubrik incident or not. The company has neither confirmed nor denied the presence of ransomware in its responses to the public and to IT Pro privately.

It would be uncommon for the Cl0p group to not deploy a locker in an attack, but not entirely impossible either.