Spinneys looking into claims that ransomware group is leaking its data

Retailer says Dubai Police’s e-crime department is investigating last month's hacking attack on internal server

Spinneys continues to work with Dubai Police after efforts to compromise its network. Photo: Antonie Robertson / The National

Supermarket chain Spinneys said it is looking into claims on Twitter that a ransomware group had published data taken from its internal server.

A series of tweets by ransomware monitoring account Ransom Watcher on Tuesday said that the Clop ransomware group published Spinneys data.

“Spinneys is aware of unverified emails being sent out from unidentifiable email addresses stating that a ransomware group may have leaked data hacked from our internal server on July 16,” the retailer said in a statement to The National.

“We continue to work closely with the e-crime department at Dubai Police to investigate the matter and keep our customers up-to-date.”

As more businesses adopt hybrid work models and undertake a rapid digital transformation to cope with coronavirus challenges, they are also more exposed to cyber threats.

Ransomware is malware designed to deny users or organisations access to their data and files stored on computers or servers. The data is encrypted, and the criminals demand payment for the decryption key.

More than 80 per cent of UAE organisations said they have the staff required to effectively manage a ransomware cyber attack, matching the global average, a June survey by Boston-based security company Cybereason found.

About 67 per cent of UAE respondents also said they have a plan in place to counter any potential ransomware attempt, compared with 72 per cent globally, the study revealed.

The main goal of Clop ransomware is to encrypt all files in an enterprise and demand a payment to receive a decryptor to re-access the affected files, according to a blog post by computer security software company McAfee.

Clop ransomware emerged in 2019, when it became a prevalent threat to organisations and businesses, according to cloud cyber security service company Mimecast. Clop ransomware also threatens to leak confidential information if no ransom is paid, it said.

To date, it is estimated that Clop ransomware has extorted more than $500 million from organisations, including multinational energy companies and at least two prominent US universities, according to Mimecast.

“Clop ransomware typically goes after assets like data backups, vouchers, email lists, financial records or other confidential information. Once Clop gains access to the data, the cybercriminals often leak portions of it to prove that they have access and threaten to leak more if the ransom is not paid,” it said.

The criminals behind Clop often set their sights on organisations with large budgets and demand high ransoms, some as much as $20m, according to Mimecast.

“Just like many other groups involved in human-operated ransomware attacks, Clop leverages the so-called double-extortion technique,” said Oleg Skulkin, head of the digital forensics and incident response team at cyber security company Group-IB.

“The Clop operators not only deploy cryptolockers, but also exfiltrate victims’ sensitive data. If the victim refuses to pay, the data is posted on a Dedicated Leak Site [DLS]. These sites may be available either via the dark web or even regular web.”

The Clop ransomware gang became the seventh-most active in the world, with 107 victims uploaded to its DLS between the first quarter of 2021 and the first quarter of 2022, according to the Ransomware Uncovered 2021/2022 report.

“We have observed their attacks in the UAE, Singapore, Netherlands, the US, Germany, Canada, the UK, India, France, Japan and other countries,” Mr Skulkin said.

“In June 2021, six Clop ransomware affiliates involved in cash-out services were arrested in Kyiv, Ukraine.”

Spinneys earlier said that some customer data stored for online delivery details was exposed to hackers during a security breach on July 16.

However, the retailer said no personal banking information of customers was compromised in the hacker attack as it does not store banking details on its internal servers.

“As has previously been confirmed, hackers accessed an internal server that contained customer data, including names, email addresses, mobile numbers, delivery addresses and previous order details,” Spinneys said.

“We urge our customers to remain vigilant against cyber criminals and deal only with people they trust. We are committed to handling our customers’ personal information responsibly and diligently at all times, and we deeply regret that this incident has occurred.”

Updated: August 03, 2022, 11:07 AM