The ramifications of a Reddit breach which occurred back in February are now being felt, with the attackers threatening to leak the stolen data. The February attack, billed as a “sophisticated phishing campaign” by Reddit, involved an attempt to swipe credentials and two-factor authentication tokens.
One employee was tricked into handing over details, and then reported what had happened to Reddit. Its security team locked things down and began investigating.
The employee's credentials were reportedly used to gain access to "some internal docs, code, as well as some internal dashboards and business systems", which exposed "limited contact information" for company contacts and employees, and information about advertisers.
Reddit advised users that their passwords were safe, and so there was no need to alter login details. There were also “no signs” that the breach impacted “the parts of our stack that run Reddit and store the majority of our data, or any of your non-public data”. At the time, Reddit received praise for the clarity of the messaging. “This happened, that didn’t, your login is fine” is somewhat unusual in these situations and messaging is often confusing or even simply absent for far too long.
It seems we’re finally about to find out how on the money Reddit’s assessment of the situation was. Bleeping Computer reports that the Black Cat ransomware group is claiming responsibility for the attack. Worse, it’s threatening to drop roughly 80GB of data online after supposed attempts to claim a ransom of $4.5m were ignored.
Here’s what Black Cat—also known as ALPHV—has to say about this one:
…I am very happy to know that the public will be able to read all about the statistics they track about their users and all the interesting confidential data we took. Did you know they also silently censor users?
Bold claims indeed, but nobody will know for sure how many of these claims are true or simply bluster until and unless the files are leaked. Interestingly, Black Cat is also demanding that Reddit alter its controversial API pricing changes.
Bleeping Computer notes that nothing was encrypted in this attack; it appears that this was “just” about grabbing as much data as possible and using it to extort money from the victim. A double-threat ransomware attack without the ransomware, if you will. Even so, this still presents a major headache for Reddit, even without the worry of encrypted devices.
At this point, nobody knows what exactly may leak when the data drop comes (if it ever does). There is no suggestion from the Black Cat group that passwords were grabbed, so that’s one plus point for Reddit users. As for the rest of it, this seems like a mess for the Reddit CEO and team to deal with.
Black Cat is definitely one of the more prominent ransomware players in recent times, with a string of high-impact and notable attacks. Lehigh Valley Health Network in Pennsylvania was hit hard in February of this year, with an understandable furore over photos of breast cancer patients. Elsewhere, the group’s dedicated leak site continues to play to its strengths, as we can see with the current Reddit story. As you can see from our June Ransomware review, Black Cat is always close to the top of the pile where infections are concerned. Time may be running out for Reddit as far as the above breach goes, but with a little bit of pre-planning your organisation doesn’t have to meet the same fate.
How to avoid ransomware
- Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
- Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
- Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Don’t get attacked twice. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.