Two ransomware gangs have separately claimed they attacked and stole data from freight factoring provider eCapital, raising the question of whether the firm got hacked twice.
The answer isn’t so clear.
An eCapital spokesperson initially said the company had “recently sustained a sophisticated cybersecurity incident” after FreightWaves inquired about an attack announced by the Lorenz group on the dark web in late July.
“Due to our pre-existing security measures, we were equipped with sufficient back-ups, allowing us to recover all impacted systems,” the spokesperson wrote in an email.
However, when asked about an attack claimed in June by the Conti ransomware gang, the spokesperson declined to say if there were two separate incidents.
“We have informed our employees and customers,” the spokesperson said. “The investigation is ongoing and we are not able to share additional detail at this time.”
eCapital is a major player in freight factoring, which allows carriers, owner-operators, and brokers to sell invoices at a discount in exchange for being paid quickly. The company issued over $4 billion in factoring payments in 2020, CEO Marius Silvasan said in an interview with FreightWaves Editor-at-Large John Kingston for the Drilling Deep podcast.
Factoring can be a vital source of operational cash flow for small fleets and owner-operators. But it also involves large amounts of sensitive financial information of customers as well as shippers. eCapital said it is investigating whether any data was compromised. So far neither ransomware gang has publicly leaked anything that would point to a significant data breach.
Multiple gangs, but maybe just one attack
Ransomware attacks occur when hackers encrypt victims’ data, typically with the hope of disrupting operations in the case of business. They offer a key to unlock that data in exchange for payment.
Conti and Lorenz are among a group of ransomware gangs that also extort companies by threatening to leak publicly or sell stolen data.
The groups also operate what is known as a ransomware-as-a-service model where affiliated hackers use the gangs’ malware and extortion apparatus in attacks.
The existence of the two claims could stem from a single attack or from two different attacks, said Brett Callow, a threat analyst with cybersecurity software firm Emsisoft.
“It’s not at all unusual for affiliates to cooperate with multiple gangs – and, in some cases, to even use more than one type of ransomware in the same attack – which can make it difficult to establish whether incidents are connected,” Callow wrote in an email.
One possibility, Callow noted, is that Lorenz could have simply been provided with data taken during a single attack.
But he also pointed to the possibility that a single attack that wasn’t properly remedied could have also set the stage for a second one.
“It could be the case that there were indeed two separate attacks, perhaps because a company failed to close the backdoors that an affiliate had created during the first attack,” Callow wrote.
Ransomware claim mysteriously vanishes
The public clues left by the ransomware gang themselves also haven’t shed much light on what happened.
Conti posted 25 files to its site in what is known as a proof leak, aimed to demonstrate to victims that they are prepared to leak stolen data. Lorenz posted multiple archives of over four gigabytes in size, claiming to be internal data as well as emails. Those archives were password-protected, making their contents impossible to verify.
Lorenz typically releases passwords to those archives over time, which it did with data stolen from Canada Post electronic data interchange provider Commport Communications. But the ransomware gang removed its post about eCapital in late August, without explanation, adding another layer of mystery.
Ransomware gangs typically remove leaks when victims pay them or start negotiations. But they also sometimes just disappear for no reason at all. eCapital would not say whether it made a ransom payment.
Conti — whose post and data leak remains online — did not respond to questions about eCapital. FreightWaves was unable to reach Lorenz for comment.