A cybercriminal named LeakBase has claimed to have added Puma’s database to a hacker forum. The database is allegedly from the official store in Chile with details including user emails, phone numbers, names, addresses, and coupon codes among others. The post boasted of containing 237,013 user records while there was no mention of a ransom payment.
However, a detailed look at the data samples listed shows similarities to the set that was leaked in an earlier ransomware incident.
Although the company never confirmed paying the ransom, the incident indicates that payment is no guarantee for your data to be safe.
PUMA ransomware attack
According to the post, 84 MB of the data was available in .csv format from the website cl.puma.com.
The PUMA data breach post used Spanish terms to refer to the files in the data including ‘documento’, ‘Medio de pago’, ‘Estado del pago’, and ‘Ciudad’ suggesting that either LeakBase was trying to amuse readers or they are bilingual i.e., Spanish. In the PUMA data breach post, the group claimed to have the following details:
- Documento (document)
- Purchase data
- Bill-to name
- Ship-to name
- Grand Total – base
- Grand Total – purchased
- Billing address
- Shipping address
- Shipping and handling
- Medio de pago (payment method)
- Oms number
- Coupon code
- Cart rule
- Estado del Pago (payment status)
- Ciudad (city)
Minting through vacuum using the Adidas data leak
This could also be the effect of the previous ransomware attack just like the data leak of Adidas that happened on November 25, 2022. This data breach at the sportswear giant has been garnering attention on various dark web forums despite being almost 2 months old.
The recent trend in the data dump suggests that hackers and those who allegedly have leaked data from various sources are now either selling the data on hacker forums or leaving it for others to download without a price.
A recent study by Chainalysis backs this occurrence and observation that states that cybercriminals are not making as much revenue because victims are no longer making ransom payments seeing that the data is exposed either way by the devious hackers.
The decreasing ransom payments
The report brought forward some startling findings including the sharp dip in ransom revenue to cybercriminals from $765.6 million in 2021 to $456.8 million in 2022.
Ransom payment was about $46 million in 2017, which increased to $174 million in 2019 as shown in the figure below:
Companies are no longer paying ransom, as it is a given that the data will be leaked anyway. However, ransomware groups are still trying to make their attack work sometimes by rebranding their group, splitting away such as in the case of the Conti ransomware gang, and creating newer groups. Just like Conti affiliates, a ransomware group leader Stern joined hands with strains like Royal, and Karakurt when Conti stopped being active in 2022.
Government and legal authorities are urging ransomware victim organizations not to encourage cybercriminals by making ransom payments. With some governments pondering over making ransom payment a punishable offense, companies seem to be denying cybercriminals’ demands.
Delinea, a leading provider of privileged access management (PAM) solutions for cybersecurity businesses, surveyed 300 US-based IT decision makers and found the number of victimized companies who paid the ransom declined from 82% to 68%.
Larger companies are much more likely to be victims of ransomware, as 56% of companies with 100 or more employees said they were victims of ransomware attacks.