Dolly.com pays ransom, attackers release data anyway


Dolly.com, an on-demand moving and delivery platform, allegedly paid attackers not to publish stolen customer data. Unsurprisingly, cybercrooks found an excuse not to hold their end of the bargain.

Cybercriminals are hardly a trustworthy bunch. Case in point: Dolly.com. The Cybernews research team believes that the platform suffered a ransomware attack and at least partially paid the ransom – but was duped.

The attackers complained that the payment wasn’t generous enough and published the stolen data. Not only that, but the criminals also shared a chat with the company on an underground criminal forum.

We have reached out to Dolly.com to confirm whether the company suffered a ransomware attack and opted to pay the ransom, but we did not receive a reply before publishing.

The attack on Dolly.com

Dolly.com offers on-demand moving and delivery services in 45 US cities. The platform connects people who need help moving items with “Dolly helpers” who can assist with the heavy lifting.

Attackers posted details about the Dolly.com hack on a notorious Russian-language forum, typically employed by ransomware operators and stolen data traders.

The company was likely breached sometime in late August or early September. One of the emails between the attackers and the victim, dated September 7th, showed that Dolly.com agreed to pay the ransom.

Dolly data
Image by Cybernews.

In exchange, the attackers were asked to delete the stolen information. Our researchers believe that the cybercriminals obtained sensitive company and customer data such as:

  • High-level account login details
  • Credit card information
  • Customer addresses
  • Names
  • Registration dates
  • User emails
  • System data

The team believes the stolen credit card data includes at least the last four numbers and the card’s type. However, attackers said they had access to the entire credit card data.

Our researchers also noted that the criminal forum post included entry points for MongoDB instances hosted on Amazon Web Services (AWS) cloud, along with their admin credentials to internal Dolly.com systems.

“Moreover, all 95 AWS S3 bucket names that were hacked and belonged to Dolly.com, including backups, were attached within the post. Normally, this data type is also considered sensitive,” researchers said.

Insufficient payment

According to the attackers’ version of events, Dolly.com did pay the ransom, but it was not enough to satisfy them. Unsurprisingly, the gang did not return the payment that it deemed too small. Instead, the crooks kept the money and the data.

To add salt to the wound, the attackers uploaded the data and posted two download links on a forum infested with cybercriminals. Not only did the company allegedly lose money and data, but its attempt to mute the attack also failed. The only silver lining is that the downloadable files were later removed after being up for at least a week.

“Dolly.com paid the ransomware operator to avoid the attack going public. The attackers felt the sum was insufficient. This was later presented as the main motivation to publicize the hack and announce a data auction along with sample files and free-downloadable archive dumps,” our researchers said.

The case illustrates how ransomware operators can never be trusted, as there is no guarantee that victims who pay up won’t lose their money and data.

“If no precautions are taken, this attack might lead to many more subsequent attacks,” researchers said.

To mitigate the problems and avoid further security incidents, the team advises breached companies to:

  • Retrospectively investigate all the logs to see if the hacker’s claims are valid
  • Reset all internal tokens and other exposed sensitive or internal variables
  • Inform all the platform’s users of the hack and its possible implications
  • Perform a full-scale audit of the organization’s security posture

More from Cybernews:

Book review – Going Infinite: The Rise and Fall of a New Tycoon

Boeing data leaked, attackers promise more

The man who found a world: detecting an exoplanet

The hacker who breached NASA to prove that UFOs exist

NASA launches its own space Netflix

Subscribe to our newsletter



Comments

Daniel White
prefix 5 months ago
There's a valuable lesson here. By paying up, it encourages more and why on earth they trusted someone who was dishonest to begin with I couldnt begin to fathom.
Lexx
prefix 5 months ago
You should never pay anyway but this one ransomware group has likely caused a lot of problems for them self's now and others (as in even less likely to pay)
MadAntz
prefix 5 months ago
You never pay a ransom. Why? You may not get your data, they will probably release it anyway and most importantly it will make them and others do it again. Anything that's profitable is worth doing.
Carl
prefix 5 months ago
This may actualy teach companies not to pay. They need to higher better programmers to keep the information offline not connected to the internet
...
prefix 5 months ago
Not setting a good standard for other ransomeware attacks lol, big companies targeted in the future now know not to pay
ChipBoundary
prefix 5 months ago
Congratulations, you broke the law AND compromised your customers! Well done!
Leave a Reply

Your email address will not be published. Required fields are markedmarked