• Home
  • /
  • Malware
  • /
  • RansomHouse hackers threaten to sell Shoprite data

RansomHouse hackers threaten to sell Shoprite data

Admire Moyo
By Admire Moyo, ITWeb's news editor.
Johannesburg, 17 Jun 2022

A hacker group has claimed responsibility for the data breach that hit retail group Shoprite last week.

The group, known as RansomHouse, is now demanding ransom from the retail chain and is threatening to sell the sensitive information to the highest bidder if its demands are not met.

Last week, Shoprite announced it suffered a suspected data compromise that impacted money transfer services.

On its website, the retailer says: “The Shoprite Group became aware of a suspected data compromise, impacting on a specific sub-set of data and which may affect some customers who engaged in money transfers to and within Eswatini and within Namibia and Zambia.”

The company has not provided any updates on the data compromise since then, but says it has reported the matter to the Information Regulator.

Nonetheless, it says an investigation was immediately launched with forensic experts and other data security professionals to establish the origin, nature and scope of this incident.

Taking to messaging app Telegram, RansomHouse says: “First of all, meet Shoprite! The company that runs your favourite stores if you live in Africa. Truth is, it’s been quite some time since we encountered something THAT outrageous: their staff was keeping enormous amounts of personal data in plain text/raw photos packed in archived files, completely unprotected. Feel free to have a look at the data sample at our website.”

The group claims to have reached out to Shoprite with its demands, to no avail.

“We’ve contacted Shoprite management and invited them to negotiate, but the only thing they did is change their passwords like it solves everything. If their position doesn’t change, most of this data will be sold with something disclosed to the public. Apart from KYC [know your customer] data, we also got lots of other interesting stuff from the company. Yes, they like to keep a lot of things unprotected.”

ITWeb reached out to Shoprite for comment but the company had not responded by the time of publication, other than issuing a standard reply: “Thank you for submitting your enquiry. The media mailbox is actively monitored and we will revert at our earliest convenience.”

Victim coercion

According to cyber security firm Malwarebytes, RansomHouse is a new extortion group that gets into victims’ networks by exploiting vulnerabilities to steal data and coerces victims to pay up, lest their data is sold to the highest bidder.

If no criminal is interested in buying the data, Malwarebytes states, the group leaks it on its site.

This group is unique in the way it extorts money from victims, says Malwarebytes, noting it appears to market itself as a penetration tester and bug bounty hunter more than the average online extortionist.

After stealing data from targets, it offers to delete it and then provides a full report on what vulnerabilities it exploited and how.

Like ransomware groups, it also has channels in place – a Telegram account and a leak site – to communicate with victims, journalists and those who want to track their activities.

Malwarebytes notes RansomHouse is believed to have emerged in December 2021 and has four victims, the first of which was Canada’s Saskatchewan Liquor and Gaming Authority, a regulator of alcohol, cannabis and most gambling in the province, which first reported a breach in that same month and year.

According to the “About” page on RansomHouse’s Onion site, it is “a professional mediators community”.

The Shoprite attack is the second high-profile case where a South African organisation’s cyber security system has been breached, with the cyber criminals demanding a ransom thereafter.

In March, credit bureau TransUnion South Africa was hacked by a group called N4aughtysecTU, which demanded a $15 million (R223 million) ransom over four terabytes of compromised data.

This, as South African organisations are increasingly being targeted by cyber criminals.

For example, last month pharmacy retail giant Dis-Chem was hit by a cyber attack that exposed about 3.6 million personal records of South Africans.

In September, over a million South African citizens potentially had their personal data exposed after a ransomware attack at debt recovery services firm Debt-IN Consultants. Most local banks make use of Debt-IN Consultants’ services.

In August, credit bureau Experian suffered a breach of data, which exposed some personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster.

The Information Regulator, in October, expressed shock that Experian customer data was recently leaked on Telegram, in what appeared to be a continuation of the data breach the credit bureau experienced last year.

Also last year, big-four bank Absa suffered a data leak, which exposed customer data to external parties.

Ransomware attacks have also become common in SA, with organisations like Transnet, the justice department and the South African National Space Agency recently falling victim.