No agreement on initial $500,000 ransom price between Levare Intl (Levare) negotiator and Medusa ransomware group. Today, the ransomware group informs us, all the data exfiltrated during the cyber attack last July from the IT infrastructures of the multinational based in Dubai – UAE, will be made public on its blog.
Levare is one of the world’s leading companies in the design, construction and sale of electric submersible pumps (ESP), horizontal pumping systems (HPS) and permanent magnet motors (PMM) mainly for the oil and gas sector.
The Levare servers targeted by Medusa had been those of the American Borets office in Houston – TX, over 1TB of exfiltrated company data which included administrative documents, industrial projects, copies of passports of US and Canadian citizens, SSNs and a copy of a port of arms of a Canadian citizen.
We had said that during the negotiations, Levare had decided to suddenly interrupt all contact with the ransomware group despite the prerequisites for completing the negotiation, at least this is what Medusa had told us.
This behavior by Levare had greatly annoyed Medusa, in fact in the following days the ransomware group had decided to hit the multinational’s servers through Distributed Denial of Service (DDoS) attacks. For 5 days, from August 1 to 5, the Levare website was unreachable, a strategy Medusa often uses to inflict further damage by putting additional pressure on her victims.
In recent days there has been a new attempt to resume negotiations with the group of cybercriminals, $ 200,000 was the counteroffer of the negotiator of the Levare to close the negotiations and to obtain the decryption key of the documents and the cancellation of all data exfiltrated by Medusa, a counter offer that the ransomware group, we’ve learned, has flatly rejected.
Before the publication of our first article, we had sent the multinational an e-mail asking for a comment on the matter, informing them that SuspectFile was in possession of a video showing the enormous quantity of documents exfiltrated from the servers of the American office in Houston, we had also asked if Levare had already notified its employees and customers of the loss of sensitive data. Even today, no comment on the story is present on the website of the multinational based in Dubai.
Today, before this article was published, SuspectFile sent a second email to Levare again asking for comment on the matter.
SuspectFile.com will update the article in case of new items.
We just learned that Levare Intl. has notified former employees of Borets U.S. Inc or Levare U.S. Inc, to the Attorney General of the state of Montana, the data breach and the consequent loss of personal data defined by the writer as a generic “incident” and not, as what actually happened, a ransomware-type IT attack.
The notification states that last August 2 an “unknown group”, instead we know that the ransomware group identified itself as “Medusa”, entered the computer systems by exfiltrating sensitive documents of these former employees.
The notification continues with the list of data which, according to Levare, would have been stolen from citizens residing in the state of Montana
first and last name,
your social security number,
However, the notification does not mention, in any passage, the certain loss of copies of identity documents, passports or driving licenses of citizens residing in other American states (New Mexico, Texas i.e.) or Canada, a fact that we consider serious.
These copies of documents are still freely visible by logging on to the cybercriminals’ Tor website, and we also know that cybercriminals provide further proof of the documents in their possession during a negotiation chat. It is difficult to think that during the negotiations that took place in the private chat, the upbeat negotiator was not aware of all this.