Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data

Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data 1

Not only problems due to a cyber attack and the theft of almost 650 GB of data which took place between the end of August and the first days of last September. CyberOptics Corporation (CyberOptics), a Minneapolis, Minnesota-based multinational company that develops and manufactures high-precision 3D optical sensing technology solutions, may face lawsuits in the coming months related to Nordson Corporation’s (Nordson) acquisition of its corporate capital.

Some law firms, Weiss LawHalper Sadeh, LLCBrodsky & Smith, LLCMonteverde & Associates PC, are investigating possible violations related to fiduciary duty and other violations of US federal and state laws. The investigations carried out by the law firms will serve to establish whether the price paid for each share ($ 54.00 in cash) should be considered satisfactory for CyberOptics shareholders.

Between the end of August and the beginning of September 2022, according to research carried out by SuspectFile, CyberOptics Corporation is hit by a cyber attack. A new ransomware group, SchoolBoysGang, manages to enter the IT systems of the American multinational after managing to exploit a server-side vulnerability thanks also to the poor protection of the network systems. This is one of many responses a gang member gave us via email

We used a popular vulnerability on their server at that time, their cybersecurity was at zero and we were very surprised by this.

SuspectFile was able to follow the negotiations between the person in charge of CyberOptics Corporation and a staff member of the SchoolBoysGang ransomware group from the very beginning, the chat started with a message sent by the negotiator of the American multinational

11 Oct – 09:04:00
Hello, how do we decrypt data?
After about an hour there was the first response from the gang
11 Oct – 09:54:15
Hello. We will check your finance and get back to your with our demand shortly. Be in touch plz.
In addition to the ransom price, the cybercriminals’ subsequent response indicates the “quality” of the exfiltrated data in their possession
11 Oct – 10:03:22
So, we have reviewed your finance and calculated the price for you. Therefore, decryption tool, permanent data deletion with deletion log as well as our recommendations on how you can improve and strengthen your system will cost you $1,900,000.
We have uploaded all sources (NextGen, Flex, WaferSense) and other Intellectual Property. Currently we have full sharepoint dump, all User Folders, all important data from NAS’s, plenty of NDA’s and much much more other. Will provide you with a full listing of taken data soon.
the next day the CyberOptics negotiator sends this message
12 Oct – 06:00:56
how you do full sharepoint dump its totally imposible
after about two hours of waiting the answer arrives
12 Oct – 07:51:15
* https://www.sendspace.com/file/[redacted]
Pass for archive: X*lo7[redacted]
We meant the most valuable information from the sharepoint, not full dump – it doesn’t make sense.
* Note: the file archive named “list” is no longer available for download. SuspectFile has a copy of the archive containing 2,802,397 lines of data
Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data 2
12 Oct – 07:51:17
You have one day to review the listing and get back to us with a decision.
12 Oct – 07:57:13
You can choose 2-4 files from the list and we will provide them as a proof. We will be able to decrypt one of your files for free also.
The negotiator takes his time and responds after a day
14 Oct – 15:53:38
We are in process of verifying the list. It’s very large.
We will be in touch with the files that we would like you to produce.
after a few days of silence the cybercriminals start to get impatient and give the negotiator the first ultimatum
17 Oct – 07:42:19
Hi! What stage are you currently at? We’d like to proceed further.
18 Oct – 08:36:21
Got you. We will start notifying your employees first.
18 Oct – 08:39:40
If you continue to be silent, it will not end well for you. Keep the dialogue otherwise we might think that you don’t want to cooperate and we will start looking for a buyer of your data, and the decryption keys will be deleted which will make the decryption process impossible forever. Think well about the consequences, we don’t want to cause you any trouble, but we really need the money and we will do anything for it, don’t even doubt.
The same day CyberOptics responds
18 Oct – 12:01:33
Sorry for the delay. These are the files we are requesting to provide as proof.
c:\cyberoptics\unzip\[redacted]\06 Project[redacted].xls
c:\cyberoptics\unzip\[redacted]\R&D[redacted].pdf
c:\cyberoptics\unzip\[redacted]\8001566_BUILD_[redacted].pdf
c:\cyberoptics\unzip\[redacted]\release_notes.htm
c:\cyberoptics\unzip\[redacted]\Grab_[redacted].pdf

The following day, the cybercriminals upload the 5 files requested by the victim to sendspace.com and set the day by which CyberOptics must give answers regarding the payment of the ransom

proof

19 Oct – 04:21:36
Your deadline is Friday, we need a specific answer about payment. I also remind you that you can drop 1 file for a test decryption.
On October 21 the gang writes
21 Oct – 02:51:16So today is Friday. Day x for our deal. We like you, so you can drop even 5 files of different extensions to make sure our decryptor works, use sendspace.com. Also a reminder that after payment we will help improve your cybersecurity, and we will give some sources to your admin to keep an eye on, so your company will never get into an incident like this again. [redacted] If not paid, some of your data will be leaked on the cybercrime forum, also we may have a closed auction in our plans.
Two days later, the negotiator uploads an archive (files.zip) of 4 files encrypted by the gang during the attack on CyberOptics IT systems to sendspace.com and makes a further request to the cybercriminals
23 Oct – 13:30:03
https://www.sendspace.com/file/[redacted]
23 Oct – 13:31:14
Can you send a video showing the decryption?
Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data 3

the gang answers

23 Oct – 14:30:24
Well, it’s possible of course. But why do you ask for the video instead of just submitting encrypted file samples? Anyways, not a problem. Just submit them and I will decrypt and make a video if needed.
The following day the URL sendspace.com is posted to download the video
24 Oct – 18:34:14
Download Page Link – https://www.sendspace.com/file/[redacted]
Delete File Link – https://www.sendspace.com/delete/[redacted]
SuspectFile played the video and captured two frames of the recording
Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data 4
Frame 1
Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data 5
Frame 2

At this point CyberOptics tries to extend the negotiation further in the hope of gaining precious time

26 Oct – 09:33:32
we need to make sure you are not sanctioned by the government before any payments are made
The answers of the gang
27 Oct – 10:34:24
Is it ‘yes, we’re willing to pay’ or ‘no, we refuse’? We truly understand that this incident isn’t easy to deal with and as you can see we’re here talking to you for more than 2 weeks. But our patience is not limitless.
Look. First of all, we’re not sanctioned of course – ask any recovery agency’s rep. Second, according to the law, you can’t pay us at all whether we’re sanctioned or not – make no sense. Third, if you don’t pay us, you will pay big penalties from GDPR, CISA violations, lawsuits and much much much more other – hundred percent.
Ok. Here is a short explanation regarding consequences that will take place if let CISA know about your data leak.: Cyber Incident Notification Act of 2021 was just introduced by the Senate Intelligence Committee.
All cybersecurity incidents and ransomware attacks must be reported to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of experiencing a breach or intrusion.
Failure to do so will result in steep fines as high as 0.5% of the firm’s prior year gross revenues—per day the violation continues.
Let’s do math with you right now. $99 Million X 0,5% X 16 days = $7,920,000 ALLREADY god damn it. Only for one legislative act violation. Keep that in mind when you again will be stalling. Time plays against you and only we here are who can really help you to minimize all possible risks.
Will be waiting for your decision till tomorrow afternoon, then once weekend is gone, we will make this chat public and will seek for buyers of your data. As for the decryption tool, it will be abolished once and forever.
27 Oct – 10:59:19
And always remember about your stockholders.

At one point in the negotiation the negotiator commissioned by CyberOptics asks the cybercriminal if he is willing to sign a Non-Disclosure Agreement (NDA).
It is not the (surreal) request linked to an agreement that has “disoriented” us, but what the negotiator writes about a cash prize linked to a “bug bounty” program.

A solution devised by CyberOptics to hide the payment of the ransom.

We recall that in one of the passages of the chat, the CyberOptics negotiator writes that his insurance was not willing to cover the ransom payment.

27 Oct – 12:12:49
I am not allowed to make decisions to pay on my own. These things must be approved by leadership and it takes time for them to discuss the risk versus reward. This is a business and everything is understood in terms of risk. For example, if we decide to pay, how likely will you send the decryption program and delete the files? You might decide to make more money by selling the information on the forums and making this dialogue public. This would be much faster if you signed an NDA and submitted this like a bug bounty. You could do this type of work legally if you ask permission first.
02 Nov – 15:05:23
There is a problem with insurance. They are refusing to pay. We are trying to find an alternative. Sorry for the delay.
The negotiation continues for other days where, on the one hand, the ransomware group threatens to publish and sell the exfiltrated data on the dark web, on the other, the negotiator who is only trying to buy time.
We recall that on August 8, on its website, Nordson had published an agreement for the acquisition of CyberOptics and that on November 3 it had announced the completion of the operation.
Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data 6
After further messages sent in the chat, CyberOptics wrote on November 15th
15 Nov – 09:38:54
Thank you for waiting as long as possible. I don’t know why the NDA is not approved yet. It is a simple solution and we can move on from this event. Please be aware that if you decide to leak the files, you will not be paid. It is much better to follow the original plan.
The gang’s response was not long in coming and shortly thereafter began sending a series of not very reassuring messages for the negotiator
15 Nov – 10:09:06
We have been starting to think that the only way to get paid is to leak your files in order to find buyers. It seems like you guys just trying to fool us. Anyway, deadline is set and everything depends on you. No agreement on Thursday morning – your data is leaking.
15 Nov – 11:21:08
We have decided to set a new deadline – tomorrow evening. You can tell us a couple more tales about the NDA, while we pack your data.
15 Nov – 14:09:14
I have been commissioned by my management to begin the process of publishing your data. Will start it right tomorrow.
The first frictions begin to arise between the cybercriminal and the negotiator. SchoolBoys Gang is no longer willing to wait and, after a month of fruitless negotiations, loses his temper. On November 17, he responded in this way to a post published the day before by the CyberOptics negotiator
16 Nov – 11:40:52
I have an idea. Find your own NDA template online, fill it out as best you can, and send it to me. I will try to get that approved.
17 Nov – 06:18:35
We have an idea. Please go to hell and shove your NDA deep into your director’s ass. We hope your competitors will appreciate your data
CyberOptics’ attempt to lengthen the negotiation times, in the hope that everything ends up “in a soap bubble”, gives results and for over three weeks SchoolBoysGang does not respond
21 Nov – 16:07:35
This is a business. You are acting unprofessional. Did I ever post something rude to you? Please treat each other with respect.
But on December 7, everything changes, to take over the negotiations for SchoolBoysGang are the pentesters, those who materially obtained access to the data on the servers of the American multinational
07 Dec – 10:27:08
Yes, you are right, our previous negotiator wasn`t acting as a true professional. As a result he was dismissed. Now you are dealing with pentesters, guys who got the initial access to your system. (say Hello) We always try to get things done in a timely manner & up to the end. Kindly asking you to have a look at our example package(containing your data) that would be spread amongst dark market sources in case our deal fails. Also, we will contact all your clients & partners that you have signed NDA with, guiding them on how to sue you in a court of law. We are ready to inflict maximum damage, but the same time we are still open to negotiate & finalize the price. The ball is on your side.
07 Dec – 10:30:10
https://mega.nz/folder/[redacted]
If we don’t come to an agreement, it will become public.

In the private chat, the URL of mega.nz is posted with over 5 GB of data relating to administrative and sensitive documents of CyberOptics and a much larger part, over 20 GB, on a dark web forum (BreachForum) with financial documents of the offices operating in Portland – U.S., China, Taiwan, Singapore, Malaysia, UK and of Laser Design Inc. (CyberOptics Corporation brand). It is precisely the 20 GB of data sent within the forum that publicly exposes the Minneapolis multinational.

Over 100 Non-Disclosure Agreements entered into with as many partners (American, Asian and European companies), documents classified as “Confidentiality Agreements”, administrative documents, various copies of passports, including that of the CEO and CFO of CyberOptics. And again: driving licenses of citizens residing in the US, Malaysia, China, India, some of these compliant with the originals, full names and residential addresses of some collaborators, an Excel file with account names and passwords for accessing the various services stipulated with various companies with which Laser Design Inc. has collaborative relationships:
Amazon, American Express (Minnesota), Apple Supplier Connect, Aramark Refreshment Services, Boston Scientific Co., C2FO, CenterPoint Energy, Dell, Experian, FEDEX, FindRFP, GoTo Meeting, Hewlett Packard, Minnesota Department of Revenue, PaymentWorks, Salesforce Inc. , SpaceClaim Co., UPS, Veem, Xcel Energy Inc. and many more.
In many cases, the same e-mail or password was used to log into different accounts.

Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data 7

Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data 8
Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data 9
Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data 10
Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data 11
Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data 12
Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data 13
Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data 14

On December 14th SchoolBoysGang, after the data theft became public knowledge, writes in the chat and claims to have informed some rival companies of the CyberOptics Corporation

Innersense USA
Challentech International Corporation Taiwan
KLA Corp california usa
visco.com
Perceptron Inc.
NDC Technologies Inc.

 14 Dec – 12:00:13
Today we are notifying following companies regarding your data breach:
innersense usa
Challentech International Corporation taiwan
KLA Corp california usa
viscom.com
perceptron.com
ndc.com
Also, we are going to invite them to participate in our private auction. Fortunately, you still have 24 hours to make us an offer. Additionaly, we have been contacted by independent journalist Marco A De Felice, who is aware of your incident & our negotiations, however, we have not posted any details yet (but just for now, ok?) We assume that these are recovery company`s games. We also like playing games, so it will be fun. And STILL we are open to negotiation process & if $ 1 900 000 is too high – make us a reasonable offer. Once you read this message a countdown begins & you have 24 hours remaining. After we share your details with all interested parties the damage would cost you a lot more than $ 2 000 000 because we know that Innersense bigger than WaferSense. Do You also want your customers to be aware of this fact? Do You want your competitors to receive your patents? We don`t think so.
To tell the truth, a note regarding your data breach has been spread amongst 200 peoples only. In fact, this is not even a DUMP, just a small note which can be easily destroyed. It contains your accountancy only. The most interesting part isn`t available yet.

In my first email sent to the SchoolBoysGang on December 13th, I write that I am an IT security researcher and blogger at SuspectFile.com and that I was able to follow the chat negotiations from the beginning, but until then I had no made the news public so as not to cause damage to CyberOptics.

The situation changes when the gang of cybercriminals makes everything public, deciding to open a thread on BreachForums allowing anyone to freely download over 20 GB of sensitive CyberOptics data (4795 folders and 36990 files).

In the email we ask the gang questions about the cyber attack on the Minneapolis company’s IT infrastructure.

For some questions we did not get answers

SchoolBoysGang (Gang): […] I will answer the questions that interest me.

SuspectFile (SF): – I was able to read the willingness of your group’s staff in complying with the negotiator’s requests, such as when they requested a video explaining the various steps for file decryption.
Was this availability due to CyberOptics being the first victim you opened negotiations with?

Gang: [no reply]

SF: – From the documents sent both in chat and in BF it emerges that the most recent data shows the date of September 2022. Is it correct if we say that the intrusion into the victim’s servers took place in August 2022?
Gang: [no reply]
SF: – What was the access that allowed you all this phishing, VPN , RDP?

Gang: None of the above listed

SF: – The initial ransom demand was $1.9M, an amount they deemed impossible to pay but never made a counter offer. At what amount would you have been willing to close the negotiation?
Gang: It all depends on the ability of our partners to bargain.
SF: – CyberOptics has asked that you sign an NDA and then turn it into a bug bounty payment. I don’t think it’s entirely legal for them to hide something like this, but other than that. Who prevented you from signing with the name of another group, has already happened in the past with another group.
Gang: [no reply]
SF: – We believe that the 21 GB and almost 6 GB posted on BF and in the chat is not all the material exfiltrated during the cyber attack, but that you haven’t published some of it yet.
If that were the case as we think, are there any patent or PHI documents in your hands?
Gang: The leak of several gigabytes to the forum is just a warning shot before the slaughter of the entire top management. We are interested in profit and still hope for a successful deal, which is why the leak is so light. Patents and PHI are available – look at full_listing.rar in MEGA.
SF: – In the chat your collaborator wrote that you have participated in various affiliate programs, I doubt if I ask you which ones you would answer, but I’ll try anyway…
What affiliate programs has your group partnered with?
Gang: previously, we were engaged in increasing privileges to order and, in general, pentesting without using extortionate software. After the release of the lockbit, we decided to fix the program and test it for the sake of interest. We are aware of the dubious reputation of CyberOptics and their deception of investors, so we are not ashamed to extort money from them.
SF: – After the LockBit code and chats were released, many groups used this group’s code now called LockBit 3.0 or Black.
You mention in the chat that you have used this ransomware variant, have you used other types of ransomware in the past? If yes, can you tell me which ones?
Gang: [no reply]
SF: – SchoolBoys Gang is a relatively young band, when did you get started?
Gang: [no reply]
SF: – In the chat the victim refers to Karakurt, can you explain better if this group was one to which you offered the material stolen from CyberOptics?
Gang: No, but is it necessary?
SF: – Do you have a precise target on which you refer when hitting the victims? Are hospitals or other medical entities and education part of your target?
Gang: It’s simple – our victims are men with thick wallets and with a dubious reputation. Of course we are not attacking hospitals and educational institutions, who do you take us for?
SF: – Do you have a blog where you publicize the names of victims who don’t agree to negotiate, or do you only use dark markets?
Gang: [no reply]
In subsequent emails we asked for more details on the case, but SchoolBoysGang wanted us to answer one of his questions first
… can you indirectly influence the continuation of negotiations with them? Then we will answer your questions.
this is our answer
You ask me if we have a data recovery team or maybe I’m a “negotiator” myself, or maybe if I expect/hope for a reward in exchange for the information I manage to gather.
– None of that. I am an independent IT security researcher and do not “harvest” information from groups for money.
You ask me if we, I can (indirectly) influence negotiations with your or other victims.
– No, because I’m not a negotiator.
Cybercriminals decide to answer our questions
SF: – When asked how you entered the victim’s systems, you excluded those I indicated, but you don’t refer to the one used. So I ask you to be more specific.
– I was able to view about 26GB of date, but what is the total existing data in your hands?
Gang: We used a popular vulnerability on their server at that time, their cybersecurity was at zero and we were very surprised by this.
About 650GB and 2,500,000 files, and if we don’t end the negotiations on a positive note soon, then we will leak ABSOLUTELY everything we have.
and then they add

It has long been clear that they do not want to have anything to do with us, well, we will have to set an example to other companies, what will happen if they try to deceive us and think that several hundred thousand dollars are not worth it to preserve their reputation and the data of their customers/partners/ shareholders/employees.

We agree that we acted disrespectfully and insulted them, but this is our negotiator’s problem, not mine. […] we will be happy to read your news about the collapse of CyberOptics 🙂

The date of December 15 is a significant date for this case, a date that often occurs … maybe it’s just coincidences?

Since December 15 SchoolBoysGang stops all communication with SuspectFile, despite sending three more emails (December 18 – 19 – 30).
Their last message in BreachForums shows the date of December 15th, the last log-in in the forum is December 19th, while the .onion blog with the chat is no longer reachable since the first days of January 2023. Suspectfile has preserved an original copy of the entire chat.

Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data 15

Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data 16

What are the reasons that led the gang to disappear into thin air we do not know, but we can hypothesize some
– CyberOptics may have paid the ransom (this is perhaps the reason why some of the data is still present on mega.nz today, their removal could have raised suspicions)
– The data may have been sold to some competitor company
– The publication on BreachForums of part of the stolen data could have exposed the group of cybercriminals (perhaps) seriously undermining their security, this could be the reason that prompted SchoolBoysGang to “disappear into thin air”.

Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data 17

This case once again highlights some aspects related to the lack of attention that small and large companies place on cyber security. On too many occasions we have found that the security of IT systems are not considered business priorities.

A disturbing aspect is certainly linked to the ease with which we see groups of cybercriminals being born and often, fortunately, “dying” in a short time. In this case thanks also to the publication, last September, of the LockBit 3.0 source code
After the release of the code, many existing groups such as Bl00Dy Ransomware Gang, for example, have customized their own version of ransomware. Many others were educated thanks to the ease with which anyone with basic computer knowledge is able to “build” their own version of the ransomware, just as SchoolBoysGang has confirmed to us.

The probable young age and inexperience of the members of this gang meant that the CyberOptics negotiator was able to carry on the negotiation for over two months, keeping the news hidden. We recall that in those weeks the Nordson Corporation was preparing to finalize the last agreements for the acquisition of CyberOptcis.

Due to the mistakes made by gangi throughout the negotiation, CyberOptics gained precious time and only on December 15, 2022 did it send the only two notifications that we have been able to find so far to the Attorney General’s Offices of the state of Massachusetts and of the Attorney General of the state of Montana.

In both notifications the correct cause of the computer attack that allowed the theft of data from the servers is never mentioned, just as the name of the ransomware group is never mentioned despite CyberOptics being aware of it.

On October 23, the CyberOptics negotiator writes in the chat

if you do a search for “SchoolBoys Ransomware Gang” it is the only result. I wanted to see if you have a good reputation to recover the files after payment.

Although CyberOptics is aware of the theft of data, many of which are sensitive, and of the extortion carried out by the gang, CyberOptics writes to the Attorneys General of the two US states defining the incident as a (simple) data security event.

CyberOptics Corporation (“CyberOptics”) is writing to inform you of a recent data security event that may have impacted certain information related to you. […]

On December 19 SuspectFile wrote to CyberOptics asking for a statement on the case before the publication of this article. To date we have not received any responses from the American multinational.