The Medusa ransomware group has demanded $3.5 million from the Chemring Group on their leak site, along with a looming threat to leak 186.78 GB of sensitive documents claimed to have been obtained from the Chemring Group data breach.
The group set the negotiation deadline as May 16, 2024, providing the victim about 9 days to surrender to demands while also presenting additional options such as prolonging negotiation period, removing or downloading the data allegedly stolen during the attack at varying prices.
The Chemring Group is a multi-national UK-based business that provides a range of technology solutions and services to the aerospace, defence and security markets around the world.
The Chemring Group data breach post was shared on the threat actor’s data leak site along with 3 American organizations listed as victims. However, the authenticity of these claims is yet to be verified.
While the Chemring Group refutes any major compromise, they have confirmed an ongoing investigation into the alleged data breach.
Medusa Hackers Demand $3.5 Million Following Chemring Group Data Breach
On the leak site, the ransomware group demanded a ransom of 3.5 million USD with a negotiation deadline of 16th May 2024. The group allegedly exfiltrated 186.78 GB of confidential documents, databases, and SolidWorks design files. However no sample data had been shared making it harder to verify the group’s claims.
Additionally, the leak site provided the victim with the options to add an additional day to make ransom negotiations for 1 million, to delete all the data for 3.5 million or download/delete the exfiltrated data for 3.5 million.
The Chemring Group PLC listing was also accompanied by the listing of three alleged victim organizations, including One Toyota of Oakland, Merritt Properties and Autobell Car Wash.
After being reached out for additional details by The Cyber Express team, a Chemring Group spokesman made the following statements about the alleged ransomware attack:
Chemring has been made aware of a post that has appeared on X (formerly Twitter) alleging that the Group has been subject to a ransomware attack.
An investigation has been launched, however there is currently nothing to indicate any compromise of the Group’s IT systems, nor have we received any communication from a threat actor suggesting that we have been breached. We confirm that all Chemring businesses are operating normally.
Our preliminary investigations lead us to believe that this attack was on a business previously owned by Chemring but where there is no ongoing relationship or connection into our IT systems.
As this is subject to an ongoing criminal investigation we cannot comment further at this stage.
Who is Medusa Ransomware Group?
The MedusaLocker ransomware group has known to have been active since September 2019. The group usually gains initial access to victims’ networks by exploiting known vulnerabilities in Remote Desktop Protocol (RDP).
The Medusa ransomware group has been observed to increase their attack campaigns after the debut of a their dedicated data leak site in February 2023. The group primarily targets healthcare, education and public-sector organizations inits campaigns.
The group was previously responsible for an attack on Toyota in December 2023 in which the group obtained access to sensitive details such as names, addresses, contact information, lease-purchase details, and IBAN numbers.
The incident prompted the company to adopt stronger data protection and notify affected customers while informing details about the breach to relevant authorities.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
