Update November 24, 2021 at 6:00 pm
News has emerged on the website of the Everest ransomware group regarding the fate of the data stolen from the SIAE.
After trying to sell the stolen material and changing its price several times, Everest yesterday made a singular decision: to sell the entire block of data (about 60 GB) for $150,000 and donate the entire amount to a charitable foundation. We believe we have never read such a thing before.
In the past we have read statements from some groups claiming to have donated small sums of money to nonprofit organizations or foundations related to medical research, but the news given yesterday by Everest has caught everyone somewhat off guard.
Everest also declares, and this is the real news, that the name of the beneficiary can be given either by the buyer or by SIAE itself. We think Everest's decision not to influence the choice of the name was taken to avoid speculation of any kind.
… The data will be transferred to the one who makes a donation to the official charitable foundation. Whether the company or someone else will do it doesn’t matter. The offer is relevant only for this data. I do not give comments, I consider only suggestions
Donation amount from 150k $
Meanwhile, the investigations by the Data Protection Authority, to understand whether or not there has been negligence on the part of the SIAE, continue. In a reply e-mail, Everest had told us that access to the SIAE intranet was obtained several months before the group published the news on its website.
In the same reply e-mail, Everest also described to us the very poor, disconcerting state of the data protection implemented by those who managed the SIAE networks.
I had access for half a year, I accidentally found that they store all their documents this way. This shocked me a little, I often meet with the carelessness of companies, but this is the first time. I had full access to edit the intranet
We will continue to follow the story and update it in case of new details.
UPDATE October 22, 2021 AT 7:15 pm
Did Everest really send emails and text messages to artists asking for a ransom of 10 thousand euros in bitcoin?
For several hours, several online newspapers have been reporting a change by the Everest ransomware group in how it is handling the data stolen from the SIAE. There has indeed been a change of pace by the cybercriminals, but some of what has been published in the newspapers is not entirely correct.
Let’s go in order.
Two days ago Everest published a first post on its blog, on the Tor network, announcing the cyber attack on the SIAE. The post described the type of documents exfiltrated, and more time was given to the SIAE to decide whether or not to pay the ransom.
In the following hours Gaetano Blandini, SIAE General Manager, gave interviews where he stated that the ransom would never be paid.
Today, the ransomware group has decided to change its strategy: Everest will put all the data up for sale at a price of $500,000. The new message published on its blog also contains the offer that the cybercriminals make indirectly to the artists:
Representatives of celebrities, you can contact me and redeem all the data. One-hand sale, after the sale the data is deleted.
Up to this point, the account of the facts is correct.
Then there is the news that has been circulating for hours in various newspapers, according to which Everest is sending emails and text messages to the artists affected by the data breach, asking for 10 thousand euros in bitcoin to redeem their data. The SMS is also said to contain a real bitcoin wallet number, which at the moment shows no transactions.
We contacted Everest directly to understand whether the facts are really as reported by the various newspapers. We also asked for confirmation of the type of data exfiltrated during the cyber attack and whether it really included credit cards and IBAN codes.
This was the answer they gave us:
No, I’m not ransom money from artist. 2gb were posted for free.
Buyer not found
Credit cards and iban are present
We can confirm that the 2 GB of documents are currently online and downloadable by anyone, including other groups of cybercriminals, who will be able to resell them or use them in the future for phishing campaigns or possible identity theft.
We can further confirm that among the 2 GB of documents published on the Tor network there are passports, identity cards, health cards, telephone numbers, emails, personal addresses and IBAN codes of many Italian artists from entertainment, music and theater, many of whom are famous not only in Italy.
What will they say once they see their data published? What will they say when someone with bad intentions uses their data?
SuspectFile considers the behavior of the SIAE to be correct and unexceptionable. Paying the ransom would have fueled cybercrime. However, we believe that the SIAE bears enormous responsibility for the poor management and protection of the sensitive data of all the people who will be directly or indirectly involved, through no fault of their own.
We hope that law enforcement will be able to clarify the matter as soon as possible, but we also hope for an immediate intervention by the Privacy Guarantor.
Anyone wishing to deny or clarify what is reported in this update or in the article published yesterday can do so by contacting us by email or through one of our social channels.
The article will be updated in case of new details.
UPDATE October 21, 2021 AT 12:15 pm
As the hours go by, new and worrying details emerge on the data breach that involved the SIAE (Italian Society of Authors and Publishers).
While we await a comment from the SIAE, last night in a first email the Everest ransomware group let us know that it had nothing to add to what we had reported in our article, except the confirmation of being in possession of a large number of documents:
Hello, I can’t add anything, everything is listed on the blog. A large number of documents and personal data have been lost
This morning we contacted Everest again asking for further details on the cyber attack on the SIAE infrastructure. We were interested in understanding what methods they had used to enter the IT systems, and we also asked for more information about the data exfiltrated from the company's servers.
Everest replied that their stay in the computer systems lasted 6 months, a considerable time that certainly allowed them to have full access to all the documentation present in the databases and to modify the entire intranet, as the spokesman himself confirmed to us.
In his email Everest also wanted to let us know that the discovery of the data storage methods used by the SIAE occurred by chance, and he wanted to underline the company's neglect of data protection. In the past he had often seen badly managed data at the companies he had hit, but the data management used by SIAE literally shocked him.
I had access for half a year, I accidentally found that they store all their documents this way. This shocked me a little, I often meet with the carelessness of companies, but this is the first time. I had full access to edit the intranet
From the research carried out by SuspectFile, further details also emerge regarding the people affected by the data theft; among them are illustrious names of Italian pop music. There are also other types of documents in the hands of the cybercriminals: “numero.EstensioneDOR.anno.pdf”, “numero.Limitazione.diritti.anno.pdf”, “numero.Variazione.Recapiti.anno.pdf”, “numero.Modulo.Estensione.anno.pdf”, “numero.Aggiornamentoanagrafica.anno.pdf”, “numero.EstensioneLirica.anno.pdf”. These documents often contain paper or electronic identity cards or passports.
SuspectFile will neither publish these documents nor share them with anyone; they can instead be sent, if requested, to the law enforcement bodies that are investigating this case.
Anyone wishing to deny or clarify what is reported in this update or in the article published yesterday can do so by contacting us by email or through one of our social channels.
The article will be updated in case of new details.
ATTACK ON THE IT SYSTEMS OF THE ITALIAN SOCIETY OF AUTHORS AND PUBLISHERS (SIAE) BY THE EVEREST RANSOMWARE GROUP. THE POSTAL POLICE, THROUGH CNAIPIC (NATIONAL COMPUTER CRIME CENTER FOR THE PROTECTION OF CRITICAL INFRASTRUCTURE), IS INVESTIGATING THE INCIDENT.
According to the post published on its blog, the ransomware group has exfiltrated no less than 60 GB of sensitive data from the servers of the Italian public economic body, such as identity cards, health cards, driving licenses, credit card numbers, bank accounts, works by associated authors …
To avoid the publication of the 28 thousand pieces of data exfiltrated from the SIAE servers, Everest reportedly asked for a ransom of 3 million euros in bitcoin (source: Ansa).
In a statement released to Ansa, the General Manager Gaetano Blandini stated that the SIAE will not pay any ransom to cybercriminals and that a notice has already been forwarded to both the Postal Police and the Privacy Guarantor.
Blandini also adds that all the people involved in the data theft will be promptly informed and that the affair will be monitored constantly, in order to secure the data of SIAE members.
Before the publication of this article SuspectFile.com wrote an email to the SIAE General Manager Gaetano Blandini, the SIAE Press Office and the Everest ransomware group asking for a statement on the matter.
We have not received any responses at the moment. The article will be updated in case of new developments.