The Ragnar Locker ransomware gang have published download links for more than 700GB of archived data stolen from Taiwanese memory and storage chip maker ADATA.
A set of 13 archives, allegedly containing sensitive ADATA files, was publicly available at a cloud-based storage service, at least for some time.
Large ADATA file archives
On Saturday, the ransomware actor published on their leak site the download links to a new set of ADATA corporate documents, warning interested parties that the links would not survive for long.
Ragnar Locker’s premonition proved true as the MEGA storage service, where the gang chose to host the illegally obtained data, reacted and closed the threat actor’s account, denying access to any files they had shared publicly.
Two of the leaked archives are quite large, at over 100GB each, but several others are smaller than 1.1GB and could have been downloaded easily.
Per the file metadata published by the threat actor, the largest archive is close to 300GB and its name gives no clue about what it might contain. Another large one is 117GB in size and its name is just as nondescript as in the case of the first one (Archive#2).
Judging by the names of the archives, Ragnar Locker likely stole documents from ADATA containing financial information and non-disclosure agreements, among other types of details.
It is unclear how long the download links remained active, and chances are that at least a few parties were able to get the data before the MEGA cloud-based service closed the ransomware actor's account.
While download statistics for Ragnar Locker's MEGA account remain undisclosed, a representative of the storage service told BleepingComputer that they believed that the content was not widely shared.
MEGA's action to take down the account was quick and came after receiving an anonymous report on June 21 (New Zealand Standard Time). Only four minutes were necessary for the company to determine that the account had infringed MEGA's terms of service (paragraph 15) by storing and sharing stolen files.
"MEGA has zero tolerance for any infringing or illegal material, and acts swiftly and effectively on accounts that violate our terms and conditions," - MEGA spokesperson
The representative added that the company "cooperates fully with authorities" in investigations and takes action to prevent illegal activity.
The ransomware attack on ADATA happened on May 23rd, 2021, forcing them to take systems offline, the company told BleepingComputer. As the Ragnar Locker leak clearly shows, ADATA did not pay the ransom and restored the affected systems on its own.
The ransomware actor claims to have stolen 1.5TB of sensitive files before deploying the encryption routine, saying that they took their time in the process because of the poor network defenses.
“So then, as usual, we did offer to cooperate to fix the vulnerabilities and to restore their system and of course, avoid any publication regarding this issue, however, they didn't value much their own private information, as well as partners/clients/employees/customers information” - Ragnar Locker
The recently leaked batch of archives is the second one that Ragnar Locker has published for ADATA. The previous one was posted earlier this month and includes four small 7-zip archives (less than 250MB together) that can still be downloaded.
Update [June 23]: Article updated with information from MEGA storage service.