Broken piano

Ransomware groups claim responsibility for double-attack on Yamaha

Music giant Yamaha’s Canadian division has experienced a compromise on two different fronts, both related to ransomware. In an attack which has worrying echoes of the recent Estée Lauder attack, multiple attackers have claimed to breach the organisation.

Yamaha Canada Music had the following to say in a statement:

Yamaha Canada Music Ltd. recently encountered a cyberattack that led to unauthorized access and data theft. In response, we swiftly implemented measures to contain the attack and collaborated with external specialists and our IT team to prevent significant damage or malware infiltration into our network.

Yamaha Canada has been notifying affected individuals, and we are offering credit monitoring services to those at risk of potential harm. Additionally, we have taken decisive actions to reinforce our network defenses and ensure enhanced security measures moving forward.

Note that, as with the Estée Lauder incident(s), no specific ransomware group is cited as having been responsible for the attack in question. Despite this, we have two groups claiming to have been involved in data exfiltration.

This time around, the groups claiming responsibility are Black Byte and Akira ransomware. The BlackByte claim was noticed by researcher Dominic Alvieri on June 14, with a follow up post to confirm Akira’s claim July 21.

The Record article notes that several “double-hitter” attacks have been made public recently, and the question of whether or not this is by accident or design is raised once more. One proposed theory is that it could be down to affiliates working on behalf of several groups. Another is that groups are simply working together to reap the rewards, and perhaps make the attacks even more visible to the public.

Whatever the reason, it just means more work and more potential headaches for the organisations being targeted.

Akira has appeared in a few of our Ransomware Reviews, beginning in May of this year, and is typically found in the top half of our most active gang chart. From our post:

Akira is a fresh ransomware hitting enterprises globally since March 2023, having already published in April the data of nine companies across different sectors like education, finance, and manufacturing. When executed, the ransomware deletes Windows Shadow Volume Copies, encrypts files with specific extensions, and appends the .akira extension to the encrypted files.

Like most ransomware gangs these days, the Akira gang steals corporate data before encrypting files for the purposes of double-extortion. So far, the leaked info published on their leak site—which looks retro and lets you navigate with typed commands—ranges from 5.9 GB to a whopping 259 GB.

Akira demands ransoms from $200,000 to millions of dollars, and it seems they are willing to lower ransom demands for companies that only want to prevent the leaking of stolen data without needing a decryptor.

BlackByte, a ransomware as a service (RaaS) tool, is another frequent appearance in our top ransomware gang lists. BlackByte has scored some notable attacks, with one of the biggest being the compromise of the San Francisco 49ers shortly before the 2022 Super Bowl.

As with all of these attacks, it remains to be seen whether any data will be leaked or sold on. For now, organisations large and small will have to try and weather the storm of simultaneous single, double, or even triple threat attacks.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.