Canadian vehicle rental service hit by ransomware
One of Canada’s biggest car and truck rental agencies is trying to recover after being hit by a ransomware attack.
A spokesperson for U.S.-based vehicle rental giant Enterprise Holdings acknowledged Saturday that its Canadian division, Discount Car and Truck Rentals, was hit by a cyberattack. Enterprise’s Canadian division bought Discount last fall. This is the latest Canadian firm to be victimized by ransomware on the heels of a B.C. real estate company suffering from a similar attack in late January.
Among Enterprise Holdings’ brands are Enterprise Rent-A-Car, National Car Rental and Alamo Rent a Car.
As of Sunday morning, Discount’s website was still offline due to “technical issues.”
ITBusiness.ca asked the rental company for comment after the Darkside ransomware group posted a notice on its leak site several days ago claiming it had copied 120GB of Discount’s corporate, banking and franchise data.
“Discount Car and Truck Rentals was subject to a ransomware attack that impacted the Discount headquarters office,” according to a statement sent to the publication. “A fully-dedicated team isolated and contained the attack quickly. The team is working to investigate and restore service as quickly and safely as possible.”
Asked by email if any customer or employee personal information was copied and how the attack started, a spokesperson would only say the investigation is still underway.
The online statement from the Darkside group says, “We downloaded a lot of interesting data from your network. If you need proofs we are ready to provide you with it. The data is preloaded and will automatically be published if you do not pay.”
As proof of the data, there is a screenshot of alleged folders from Discount’s file structure.
According to cybersecurity firm Acronis, Darkside emerged around August 2020, using both encryption and data theft as pressure tactics to extort money from corporate victims. Among its Canadian victims is Brookside Residential.
Several months after starting operations, Darkside announced an affiliate program (known to infosec pros as ransomware-as-a-service), allowing paying or vetted cybercriminals to use its code in their own attacks in exchange for a share of the ransom payments.
“We are a new product on the market, but that does not mean that we have no experience and we came from nowhere,” the group said at the time. “We received millions of dollars in profit by partnering with other well-known cryptolockers. We created Darkside because we didn’t find the perfect product for us. Now we have it.
“Based on our principles, we will not attack the following targets: Medicine, education, non-profit organizations, government. We only attack targets that can pay the requested amount, we do not want to kill your business. Before any attack, we analyze your accountancy and determine how much you can pay based on your net income. You can ask all your questions in the chat before paying and our support team will answer them.”
Cybersecurity firm Bitdefender released a decryption key in January, hoping it would foil the ransomware. However, Darkside then published a statement saying it has “fixed” the flaw and that victims can’t rely on that solution.
Follow-up on ReMax Kelowna
Meanwhile, the Conti ransomware group, which says it hit ReMax Kelowna last month, has released over 10,000 documents it says were copied in the attack. The documents include at least one T4 slip of an employee or former employee.
The attackers’ move upset ReMax Kelowna owner Jerry Redman, who in a Friday interview said he hadn’t received any threat notes or communications from the attacker before the full load of stolen data was released.
When Redman spoke to ITBusiness.ca on Feb. 5, he said attackers copied documents but couldn’t deploy ransomware. At the time, he said the documents copied were largely PDFs on a server that had corporate information. He emphasized that a server with customer information was not affected.
“I know there were ten thousand documents posted online,” Redman said Friday. “But that’s less than one per cent of the data on my server. So they never got my server.”
“We will be notifying anybody of anything that is gone. None of our client information is on that [compromised] server. If there’s a T4 slip on that server it would have been one of my staff who work for us, or for the company before I owned it.”
All staff have been told there is a possibility personal data has been copied, he said.
Asked how much personal data about individuals was dumped by the threat group, Redman said it will take a bit of time to confirm.
“We’re still analyzing the data now … Anybody we need to help will be looked after,” he explained.
Cybersecurity experts emphasize lowering the odds of being hit by ransomware through cybersecurity basics. That includes knowing where sensitive data is stored and protecting it through access control and encryption; keeping software patched and up to date, including websites and particularly antivirus and anti-malware products; and training employees to recognize, and not click on, suspicious email attachments and links.