A 3GB archive that purportedly belongs to NameSouth, a US-based auto parts shop, has been publicly leaked by the NetWalker ransomware group.
NameSouth seems to be the latest victim of the ransomware gang that surfaced sometime in 2019. NetWalker’s targets range across multiple industries, with archives of stolen data from about a hundred victimized businesses publicly posted on the gang’s darknet website to date.
The NameSouth archive leaked by NetWalker includes confidential company data and sensitive documents, including financial and accounting data, credit card statements, personally identifiable employee information, and various legal documents.
Judging from backup file creation dates, the archive was exfiltrated from the NameSouth network on November 26. It appears that the data was leaked days later, after the company missed the gang’s deadline to pay the ransom.
We asked NameSouth if they could confirm that the leak was genuine, but the company left our requests unanswered.
What data has been leaked?
The leaked data appears to come from NameSouth LLC, a supplier of genuine, OE, and OEM replacement auto parts for German-brand cars based in Mooresville, North Carolina. Established in 2004, the company distributes replacement parts for vehicles manufactured by Audi, BMW, Mercedes, Porsche, Saab, Volkswagen and Volvo across North America.
The leaked archive contains 3GB worth of document scans, including:
- Invoices containing tax identification numbers
- Full names, addresses, phone numbers, and exact working hours of at least 12 NameSouth employees
- Customer names and addresses
- Credit card statements dating from 2010 to 2020
- Financial and accounting data
Example of leaked invoice:
Who had access to the data?
Because the NameSouth archive was made freely available, we assume that multiple followers of the NetWalker blog, many of whom are likely to be cybercriminals, have been able to download and access the data since it was published.
The NetWalker ransomware gang tends to offer post-breach data leaks for free, and only put a price tag on them after the data has been downloaded a certain number of times. So far, the NameSouth archive is still freely available, which might indicate that the data has been accessed by a relatively small number of users.
With that said, there is a high chance that sooner or later, the confidential company data may be used by bad actors for malicious purposes.
What’s the impact of the leak?
Most of the data in the leaked archive appears to belong to the company rather than its partners or customers, which means that it is NameSouth and its employees who are the most likely to bear the brunt of the damage.
From what samples of the leaked archive we were able to access, it appears that the files in the archive contain personal information of at least 12 NameSouth employees, including their exact working hours. Such information would make it easier for bad actors to carry out spear phishing attacks against the employees.
Accessing NameSouth’s financial and accounting data, including credit card statements that date as far back as 2010, would allow criminals to commit fraud in the company’s name, such as applying for government-sponsored coronavirus relief loans.
For organizations that wish to avoid becoming victims of ransomware groups like NetWalker, here are a few basic precautions to have in mind:
- Establish an intelligent threat detection system or a security information and event management (SIEM) system. In the event of a breach by malicious actors, such systems will alert your IT personnel about the incident in real time and help them prevent data exfiltration from company servers.
- Use a salted secure encryption algorithm to encrypt your confidential data. Once encrypted, your company data would be all but useless to attackers: the algorithm scrambles it, rendering it unreadable to unauthorized parties who do not hold the encryption key.