On September 2nd, the U.S. branch of Great Star Industrial Co. disbursed a ransom of 1 million dollars to a ransomware group


In the early days of last September, the American division of the Chinese multinational Hangzhou Great Star Industrial Co., Ltd (Great Star), in order to prevent the publication of administrative documents and company secrets, decided to negotiate with the Akira ransomware group and pay a ransom of 1 million dollars to a BTC wallet.

The negotiation took place within a chat initiated by the ransomware group and began in the last days of August, concluding on September 2nd when the American headquarters in Huntersville, North Carolina, decided to yield to Akira’s extortion.

Akira held in its possession three databases stolen during the attack on the American servers, which was carried out using credentials the ransomware group had bought on the dark web. At least, that is what the group’s negotiator claimed during the discussions in the chat. Akira’s negotiator also explained that, once inside, the attackers abused the Kerberos authentication process used by Microsoft Active Directory (Kerberoasting) to obtain service-ticket hashes, which they then cracked offline to recover a domain administrator password.

Akira […] Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got password hashes. Then we just bruted these and got domain admin password. […]
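As a defender-side illustration of the technique Akira describes, the following is an added example (not from the article, from SuspectFile, or from any party involved) that flags Kerberoasting-style behaviour in constructed Windows Security Event ID 4769 records: one account requesting RC4-encrypted service tickets for many distinct SPNs within a short window, which is the pattern an offline-crackable hash harvest leaves behind. The account names, SPNs and timestamps are invented; the record keys map to the event's TargetUserName, ServiceName and TicketEncryptionType fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records for Event ID 4769 ("A Kerberos service ticket
# was requested"). Keys: time, user (TargetUserName), spn (ServiceName),
# etype (TicketEncryptionType). All values are invented for this example.
SAMPLE_4769 = [
    {"time": "2023-08-28T02:14:03", "user": "jdoe@CORP.LOCAL",   "spn": "MSSQLSvc/db01.corp.local:1433", "etype": "0x17"},
    {"time": "2023-08-28T02:14:04", "user": "jdoe@CORP.LOCAL",   "spn": "HTTP/intranet.corp.local",     "etype": "0x17"},
    {"time": "2023-08-28T02:14:04", "user": "jdoe@CORP.LOCAL",   "spn": "CIFS/fs01.corp.local",          "etype": "0x17"},
    {"time": "2023-08-28T02:14:05", "user": "jdoe@CORP.LOCAL",   "spn": "ldap/dc01.corp.local",          "etype": "0x17"},
    {"time": "2023-08-28T02:14:05", "user": "jdoe@CORP.LOCAL",   "spn": "exchangeMDB/mail01.corp.local", "etype": "0x17"},
    {"time": "2023-08-28T09:30:10", "user": "asmith@CORP.LOCAL", "spn": "CIFS/fs01.corp.local",          "etype": "0x12"},
    {"time": "2023-08-28T09:31:44", "user": "asmith@CORP.LOCAL", "spn": "HTTP/intranet.corp.local",     "etype": "0x12"},
]

# RC4-HMAC ticket encryption types (0x17 = rc4-hmac, 0x18 = rc4-hmac-exp).
# Tickets issued with these are what offline password cracking targets;
# AES types (0x11, 0x12) are far more expensive to crack.
RC4_ETYPES = {"0x17", "0x18"}


def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=4):
    """Return {user: sorted SPN list} for every account that requested
    RC4-encrypted service tickets for at least `min_spns` distinct SPNs
    inside any `window`-long interval. Thresholds are illustrative; in a
    real environment exclude computer accounts (names ending in '$') and
    tune min_spns to the baseline of your domain."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["etype"].lower() in RC4_ETYPES:
            by_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["spn"]))
    findings = {}
    for user, reqs in by_user.items():
        reqs.sort()  # chronological, so reqs[i:] holds requests at or after t0
        for i, (t0, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                findings[user] = sorted(spns)
                break
    return findings


if __name__ == "__main__":
    for user, spns in detect_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {len(spns)} distinct SPNs -> {spns}")
```

The complementary preventive control is to make such harvesting worthless: long random passwords (or group Managed Service Accounts) for any account carrying an SPN, and AES-only Kerberos encryption where the environment allows it.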

The databases belonged to three major subsidiaries of the Chinese parent company Hangzhou Great Star Industrial Co., Ltd.

  • Arrow Fastener Co., LLC headquartered in Saddle Brook, New Jersey
  • Prime-Line Products headquartered in Redlands, California
  • Shop-Vac USA, LLC headquartered in Williamsport, Pennsylvania

The stolen data included thousands of administrative documents, budgets, sales invoices, salary information, company secrets, and dozens of Non-Disclosure Agreements (NDAs) between SK Tools USA, LLC (another company within the Chinese group Hangzhou Great Star Industrial Co., Ltd.) and various American companies based in Alabama, Florida, Virginia, Illinois, New Jersey, California, Massachusetts […]. Additionally, over 100 Distributor Agreements with as many companies located in the U.S., Marketing Agreements, Sales Representative Agreements, patents, and complete Sales Tax documentation for 28 American states were compromised during the cyber attack.

[Screenshot of the leaked file listing; screenshot and redaction by SuspectFile.com]

In addition, we also found some Chinese citizens’ passports and a U.S. citizen’s passport among the compromised data.

D:\DATA\primeline.net\shopvac.com\artproofs\[EDITED]\TRANSFER FOLDER\[EDITED]_Passport-1.tif

D:\DATA\primeline.net\shopvac.com\Homes_admin\[EDITED]\Visa Documents\Send Ahead to Passport Plus Visas\Passport – [EDITED].pdf

D:\DATA\primeline.net\arrow\arrowfastener\HZGS\IDS\Passport of [EDITED].pdf

D:\DATA\primeline.net\arrow\arrowfastener\HZGS\IDS\Passport of [EDITED].pdf

All this documentation was uploaded by the cybercriminal group within the chat during the negotiation with the representative from the American division of Great Star.

The negotiation began with Akira outlining five points, explaining the guarantees that the group would commit to providing to the victim. However, the very fact that SuspectFile is able to report on this case shows that at least point 4 was disregarded by Akira.

Akira […] We offer:

1) full decryption assistance;

2) evidence of data removal;

3) security report on vulnerabilities we found;

4) guarantees not to publish or sell your data;

5) guarantees not to attack you in the future. Let me know whether you’re interested in a whole deal or in parts. This will affect the final price.

We do not know whether, after the ransom payment, Great Star’s data has been sold or will be sold in the future. What is certain, however, is that the American division paid to buy the silence of the cybercriminals, and that silence did not materialize, because negotiation chats are hardly ever truly hidden. A victim should always take this into serious consideration.

The negotiator of Great Star Industrial Co. writes

Great Star […] promise to not publish or sell our data […]

In the chat, we were able to read several interesting passages. The ransom amount requested by Akira was initially set at 2 million dollars in cryptocurrency, but it later increased to 2.4 million dollars. This escalation occurred because the ransomware group had in its possession the data of two other companies connected to Hangzhou Great Star Industrial Co., Ltd.

Akira This is the list of files of ShopVac company. We are working on transporting files of the rest companies and will provide you with the lists for them soon. We’re willing to set a $2,000,000 price for all the services we offer.

Given the fact that we hold data of two more companies, we’ve reconsidered the price for the full deal – $2,400,000. […] In case of quick payment we can make a discount.

After a series of messages exchanged between Akira and the victim, where Great Star requests the decryption of 18 files as proof of the decryption tool’s proper functionality, the ransomware group begins to lose patience. They express a desire to expedite the process and warn the negotiator that without an agreement, they would publicly release his name. However, before reaching any formal agreement, the ransomware group uploads the requested 18 decrypted files into the chat.

[Screenshot of the negotiation chat; screenshot and redaction by SuspectFile.com]

Akira […] but bear in mind that we are posting you in our blog tomorrow if there is no payment decision from you.

Great Star responds that they have approval for the payment of 800,000 dollars.

Great Star […]We have approval to pay you $800k tomorrow for decryptors, proof of data deletion, and security audit report. Leaking our name will make our ability to pay much harder. Please accept so we can put this behind us.

However, Akira deems the offer to be too low.

Akira We appreciate this offer but all we can do is to give you 20% discount in such circumstances.

Great Star is willing to raise its offer to 1,400,000 dollars.

Great Star I have very good news. I was talking to the upper management and they are willing to accept $1,4M today for all the outlined options. On Monday we will have to return to our previous demand. Do we have a deal now?

For Akira, closing the deal at 1,400,000 dollars is certainly a bargain. However, they warn the negotiator that the ransom must be paid within the same day; otherwise, the amount would increase to 2,000,000 dollars.

Akira Based on all of the above, our offer of $1.4 million when paid today still stands, but we will not accept anything below $2 million on Monday. If you refuse and break the deal, we will simply publish your stuff and forget about you.

Here is what Great Star replies.

Great Star Thank you so much for working with us. In good faith we are going to reveal to you that we only have $1,000,000 to work with. We can pay you all of that today. To get any more will be very hard and take many more days. Please accept $1 million and we will get that to you today

Akira Ok, the leadership has approved that number. Here is a BTC wallet ID for payment: bc1[EDITED] How soon are you able to make a transfer?

The victim responds that they are arranging to transfer the money through a broker, and that the funds will be sent within two hours.

Great Star To confirm we pay you $1,000,000, and you will deliver whole network decryptors for linux, and windows, promise to not publish or sell our data, provide proof of deletion, and a security audit report?

The cybercriminal group confirms the demands of the Great Star.

Shortly afterward, 0.0001 BTC is sent as a test transfer.

Great Star We just sent a test transaction. Please verify and we will send the rest

Test transaction confirmed on blockchain. Please verify

Hello?

We will be back in east coast usa morning to send you the rest

Akira confirms receipt of the 0.0001 BTC test transfer. On September 2nd, the victim’s negotiator sends the rest of the ransom amount to the cybercriminals’ wallet.

Akira Hello. We have received 0.0001 BTC.

Great Star Thank you. Are you ready to receive the rest?

sending the rest

Coin sent. Txid: 3[EDITED]

Akira We have received, thank you. Please wait for the decryptor first.

We will provide everything within 24 hours. Thank you for your patience.

At this point, the decryption file is sent, along with instructions for its proper usage.

The image below shows the details of the $1,000,000 transaction; at the time of writing, Akira’s BTC wallet appears to be empty.

[Screenshot of the blockchain transaction record; screenshot and redaction by SuspectFile.com]

The episode raises crucial questions regarding the trust that a company can place in promises of silence from ransomware groups. Despite Great Star having paid the demanded ransom, Akira’s failure to keep the promise of not disclosing the data underscores the complexity of negotiations in this ruthless digital realm.

In a context where cybersecurity is paramount, the Great Star case urges all companies to seriously consider implementing robust preventive measures and adopting a cyber security strategy that goes beyond merely responding to attacks. It is a call for a proactive approach, wherein cybersecurity becomes an unquestionable business priority.

Ultimately, Great Star Industrial Co., Ltd. has experienced the consequences of a ransomware attack firsthand. Its story should serve as a warning and prompt companies to strengthen their digital defenses, implement effective preventive measures, and carefully weigh the implications of negotiations with ransomware groups.