South Carolina's Summerville Police claimed by rumored ALPHV/BlackCat ransomware reboot


The Town of Summerville, South Carolina, on Friday announced it was the victim of a recent ransomware attack. Now, the cyber gang allegedly responsible for the hit is claiming to have stolen over 1.7TB of sensitive information from its local police department.

Government officials from the Charleston suburb put out a press release about the cyberattack, posting the notice on its municipal website and its Facebook page on Friday afternoon.

“The Town of Summerville recently faced a cyberattack involving ransomware,” the announcement said without identifying a specific timeline for the incident.


The town, which has just over 50,000 residents and is listed as the seventh largest in the state, said the attack was “quickly identified and contained, significantly minimizing potential damage” due to its “vigilant monitoring systems.”

The release further stated that, based on its findings from state and federal cybersecurity teams, “there is no evidence to suggest that any data or sensitive documents were compromised.”

[Image: Town of Summerville ransomware attack statement. Image by Cybernews.]

SPDSC claimed by ransomware gang

And this is where it gets tricky.

The statement comes as a fairly new ransomware group – the Embargo group – also posted on its dark leak blog Friday that it had exfiltrated 1.71TB from the Summerville Police Department (SPDSC) during the attack.

According to Friday’s release, “all municipal departments, including police, fire, and public works, are fully operational and continue to respond to all calls, ensuring the ongoing safety and security of our residents.”

It’s not clear if the cybercriminal gang posted its claims as a response to the Summerville statement on the attack, as both appear to have been listed within hours of one another.


Cybernews reached out to town officials about the group’s claims but received no response by the time of publishing.

Embargo’s darkweb leak site gave the SPD a countdown of four days (July 30th), presumably to make contact and pay the gang’s ransom demand, or the department’s data will be published.

Embargo did not provide any samples of the data allegedly stolen in the attack, or list any details about that data – a step many ransomware groups take as proof of their claims.

[Image: Embargo dark leak site listing the Summerville PD. Image by Cybernews.]

Besides criminal investigations, the Summerville Police lists numerous services on its website that may store sensitive data on residents, including community outreach, victim advocacy, employee fingerprinting, as well as school resource teams that place police officers in local schools daily.

The group did, however, post a not-so-friendly racially charged accusation about the Summerville PD calling out the department for “providing the highest level of service in shooting black children.”

The ransomware group also posted the name and contact details of Summerville’s Chief of Police and of the department’s network administrator.

Of note, Cybernews did not find any official accusations or other media reports tying the SPD to any racially charged shootings.

An off-duty Summerville police officer, also former NYPD, was charged with murder this April for shooting another man outside of a South Carolina Chick-fil-A, but that victim was white.


Summerville officials said authorities will “thoroughly investigate the incident and conduct a comprehensive forensic review of all our systems,” adding that more updates will be provided as information becomes available.

Is Embargo a rebrand of ALPHV/BlackCat?

Not much is known about the Embargo ransomware group, which first appeared on the ransomware scene this past April 17th, claiming the well-established Mulford Construction Company in the Washington, DC area.

Summerville Police is listed at the top of the gang’s site but is only its 9th victim, although the Cybernews Ransomlooker search tool lists Embargo’s victim count at 11.

“We are an international team without any political affiliations,” the group states on its About page, which also provides a TOX ID for victims to get in contact, as well as a PGP key to encrypt and verify messages on the two-page barebones dark website.

[Image: Embargo victim count graph from Ransomlooker.]

Still, several profiles of the new gang have found numerous similarities between Embargo and the now-defunct ALPHV/BlackCat ransomware group, which quietly disappeared in March just days after the UnitedHealth Group paid the infamous cartel a $22 ransom demand over the devastating Change Healthcare ransomware attacks.

The group's industrial site design and user interface (UI) are among those similarities, according to a deep dive into Embargo's ransomware and tactics by threat intelligence security firm Cyble this May.

Analyzing a sample of the gang’s ransomware variant, Cyble researchers found it was created using the cross-platform Rust programming language – just like ALPHV’s signature BlackCat ransomware – which they describe as almost impossible to reverse engineer without an encryption key.

Further similarities noted by Cyble researchers include “an overlap in the structure and syntax used for generating log files” in the Rust binaries, leading them to believe that the Embargo variant “might be a rewritten version of ALPHV.”


Both gangs are also known for their double extortion techniques, where the attackers will demand a first ransom payment to decrypt a victim’s data, followed by a second ransom demand to guarantee the attackers will not leak the stolen data.

A typical Embargo ransom demand is said to be about $1 million.

The group’s biggest get so far seems to be the Australian investment and home loan company FirstMac, also breached in April.

Although Embargo's dark site only shows one page of victims at present, the website also shows it was pre-made with 100 available pages to flip through, presumably when they are filled with Embargo victims.