Access to the network of document storage and records lifecycle solutions provider ZircoDATA was sold on the Exploit forum in January about a fortnight before the company's data was encrypted by the Black Basta ransomware group.
The access was sold by an initial access broker known as Crypmans, according to a post on X by ransomware threat researcher Brett Callow who works for the New Zealand-headquartered security firm Emsisoft.
As iTWire reported, ZircoDATA said it had noticed unauthorised access of its servers on 28 February.
On Saturday, the Sydney Morning Herald made the misleading claim that both Black Basta and Crypmans had attacked ZircoDATA, when in reality Crypmans had played the role of a broker and sold access to Black Basta.
{loadposition sam08}A tech industry insider said it was rather surprising that the attack succeeded despite access being sold on a well-known cyber crime forum monitored by both researchers and law enforcement.
Access to #ZircoDATA's network was seemingly sold on Exploit forum in January, just under 2 weeks before the company's data was encrypted by Black Basta. h/t @Cyberknow20 #ransomware 1/2https://t.co/Z50Go9llUS pic.twitter.com/cWxXJLz7A3
— Brett Callow (@BrettCallow) May 5, 2024
A blogger known as Cyberknow said Crypmans appeared to have a good reputation on Exploit forum judging from the fact that 16 hours after he (Crypmans) offered access to ZircoDATA, it was snapped up.
Cyberknow wrote: "Largely, IABs [initial access brokers] on underground forums use Zoominfo and Linkedin to source the information about victims and to provide context for the access they have on sale.
"Their goal is to provide enough information to entice the sale of the access, but not enough information that they will give away who the victim is. This balance can often give us the opportunity to discover who the victim is and provide some form of warning."
He provided a likely timeline:
- IAB [initial access broker] must have gained access to the victim organisation prior to 16 January.
- IAB posts the victim for the first time on 16 January - there is lots of interest from forum users.
- IAB removes the post on 19 January - Possible access issues.
- IAB possibly regains access between 19 January and 25 January.
- IAB re-posts the victim on 25 January 2024. Access is sold privately within six hours.
- 22 February: The victim's data is posted to a ransomware leak site.