Security firm Rubrik has distanced itself from allegations that it has been affected by an alleged ransomware attack from Cl0p.
The ransomware gang added the company to its deep web victim blog this week, but declined to confirm if it was aware of a ransomware incident.
Cl0p updated its post on Wednesday, publishing a range of files allegedly belonging to the company.
These included various spreadsheets which, according to published screenshots seen by IT Pro, appeared to include Rubrik employees’ full names and email addresses.
Other files also appear to show the details of various businesses from around the world, including business names, addresses, industries, revenue figures, and the total number of employees.
One single-tab spreadsheet appears to include additional company details as well as Microsoft contacts. The terminology used throughout suggests that the data relates to Rubrik’s co-selling work with Microsoft.
A number of other files have also been published.
The company told IT Pro: “based on our current investigation, being conducted with the assistance of third-party forensics experts, the unauthorised access did not include any data we secure on behalf of our customers via any Rubrik products”.
Rubrik’s explanation of the incident
Rubrik published a blog post on Tuesday detailing an incident which saw the unauthorised access of its data.
It said that it was one of “more than 100 organisations” across the world to be affected by the exploitation of a zero-day vulnerability in the GoAnywhere Managed File Transfer platform.
“We detected unauthorised access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability,” said Michael Mestrovich, CISO at Rubrik.
“The current investigation has determined there was no lateral movement to other environments. Rubrik took the involved non-production environment offline and leveraged our own security systems and solutions to quickly contain the threat and help restore our test environment.”
Mestrovich went on to detail that the nature of the data that was stolen related to partner and customer company names, business contact information, and purchase orders from Rubrik distributors.
He confirmed that the third-party security form working with Rubrik concluded that no sensitive personal data was stolen during the breach.
“As a cyber security company, the security of customer data we maintain is our highest priority,” Mestrovich added.
“If we learn additional, relevant information we will update this post. We sincerely regret any concern this may cause you, and as always, we appreciate your continued partnership and look forward to our ongoing work together.”
Analysis of the Rubrik data theft
It’s not unheard of for ransomware groups to steal data and avoid deploying a locker - the malicious payload that blocks a victim from accessing their files.
Given the rise - and resultant success- of the double extortion ransomware model in recent years, some groups have opted for a simple extortion-only approach when it comes to attacks.
This means they will breach a company’s systems, steal data, and hold the data to ransom only, leaving the company with full access to its systems.
RELATED RESOURCE
A notable example of this was the LAPSU$ group which rose to prominence in early 2022. Originally thought to be a rival ransomware operation, hacks on large companies like Nvidia and Samsung revealed that they adopted an extortion-only model.
It appears Rubrik’s incident is one of these, uncharacteristic of the Cl0p group which is known for deploying lockers in its attacks.
Organisations that are accused of suffering ransomware attacks while making no mention of ‘ransomware’ in their explanations often raise questions about why they decide not to use the terminology.
In this case, Rubrik made no mention of ‘ransomware’ in any of its communications, either to the public or directly to the media.
It’s not uncommon for victims to distance themselves from the term ‘ransomware’ to avoid the reputational harm that comes with such attacks.
It remains unclear whether ransomware was involved in the Rubrik incident or not. The company has neither confirmed nor denied the presence of ransomware in its responses to the public and to IT Pro privately.
It would be uncommon for the Cl0p group to not deploy a locker in an attack, but not entirely impossible either.
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Security researchers have just identified what could be the first ‘AI-powered’ ransomware strain – and it uses OpenAI’s gpt-oss-20b modelNews Using OpenAI's gpt-oss:20b model, ‘PromptLock’ generates malicious Lua scripts via the Ollama API.
-
Data I/O shuts down systems in wake of ransomware attack
News Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
