In the latest development in the AKPK Malaysia data breach, ransomware attack group BlackCat/ALPHV has claimed responsibility for the attack.
Malaysia’s Agensi Kaunseling dan Pengurusan Kredit (AKPK), a credit counseling and management agency recently disclosed a cybersecurity incident.
“A ransom request was received and relevant authorities and experts agreed with AKPK’s decision to
reject the ensuing demand,” AKPK Malaysia said in a statement posted earlier.
In what appears to be a retaliation, the ALPHV ransomware group claimed that it has downloaded over 1.5 million files from AKPK’s computer network, making it the latest victim of the group.
AKPK offers various financial services, including debt management, credit restructuring, financial planning, and budget management, and conducts seminars and training programs aimed at promoting financial literacy.
Following the breach, AKPK notified authorities, secured its server, and began investigating the incident with cybersecurity experts.
AKPK Malaysia data breach and the rise of ALPHV ransomware group
The ALPHV ransomware group is known for its indiscriminate targeting of businesses and organizations and is now in possession of sensitive information belonging to AKPK, potentially exposing the personal and financial information of its clients.
The severity of AKPK Malaysia data breach is yet to be determined, but the group has reportedly uploaded half of the downloaded files to its servers, which include attachments and uploads.
As a result of the breach, AKPK has taken some of its operational systems offline temporarily to prevent further risks, and the company is gradually bringing its systems back online once it has established that it is safe to do so.
“First observed in November 2021, ALPHV, also known as ALPHV-ng, BlackCat, and Noberus, is a ransomware-as-a-service (RaaS) threat that targets organizations across multiple sectors worldwide using the triple-extortion tactic,” said cybersecurity company Varonis in a threat assessment report.
Building upon the common double-extortion tactic in which sensitive data is stolen prior to encryption and the victim threatened with its public release, triple-extortion adds the threat of a distributed denial-of-service (DDoS) attack if the ransomware group’s demands aren’t met.
The group is actively recruiting ex-REvil, BlackMatter, and DarkSide operators and has increased its activity since November 2021. ALPHV targets organizations across multiple sectors worldwide and offers lucrative affiliate payouts of up to 90%.
The ransomware executable used by ALPHV is Rust-based, fast, cross-platform, and heavily customized per victim. It uses AES encryption by default and has built-in privilege escalation, such as UAC bypass, Masquerade_PEB, and CVE-2016-0099.
ALPHV can propagate to remote hosts via PsExec, delete shadow copies using VSS Admin, and stop VMware ESXi virtual machines, deleting snapshots, the report noted.
AKPK Malaysia data breach: The timeline
The AKPK Malaysia data breach came to light on March 20, when the firm announced an IT outage. On 23 March, AKPK Malaysia confirmed that the online services are down and it might take longer than expected to get them back on track. However, the company then refrained from listing the cause.
In a media statement issued on 30 March, the company conceded that its servers containing customer data have been illegally accessed. The breach has led to some of the operational systems being temporarily compromised, resulting in the system being taken offline to prevent further risks.
The company provided workarounds where possible to continue serving the needs of its customers. The investigation into the attack is ongoing. In the media statement and an FAQ statement that followed, the company conceded that there was a ransom demand, but was unsure who was behind the attack.
“We are committed to sharing significant developments as the investigation progresses,” AKPK maintained.
According to the firm, it is unclear whose information has been accessed. However, it is possible that customers’ personal details, loan exposure details, and debt management programmes may have been compromised. The company stated that it will notify customers as soon as more information becomes available.
The company said it is currently working closely with third-party cybersecurity experts to bolster its cyber defences and iron out vulnerabilities in the system.
Meanwhile, the company’s online services are inaccessible, but all AKPK branches are still open. Customers can check their DMP payment status by calling the customer service hotline or proceed with the payment as usual and keep the receipt as proof of payment.