SpiderLabs Blog

Atlas Oil: The Consequences of a Ransomware Attack

Overview

Atlas Oil, a major player in the oil and fuel distribution industry, fell victim to a ransomware attack orchestrated by the Black Basta group. This attack not only compromised sensitive company data but also exposed a variety of documents that could potentially harm the company’s operations and reputation. Overall, Black Basta claims to have exfiltrated approximately 730 GB of data.

It was hard to find proof that Atlas Oil accepted any responsibility or even officially disclosed that the compromise had happened. However, if you pay close attention to their website, you will see an easy-to-miss link at the top of the page reading, “For information regarding the recent data breach, click here.”

The link takes you to the JPEG image shown below.

Figure 1: Atlas Oil’s official response to the data breach

This was most likely done to prevent search engines from indexing the content and helped to downplay the coverage of the compromise. This is a good time to reinforce that security is about trust. If you are less than transparent when a compromise occurs, why should anyone trust that you take the security of your services or products seriously in the first place?


The Potential Impact

The breach of any large US company potentially could have global consequences. A ransomware attack on a high-ranking company like Atlas Oil can trigger a cascade of economic challenges at multiple levels, from local state economies to the global market, and across various industries, highlighting the critical need for robust cybersecurity frameworks and proactive risk management strategies.

The global oil market is highly sensitive to disruptions, and any significant interruption in supply from a major US company could lead to international volatility in oil prices. Luckily, we haven’t seen any of these repercussions at this point.

With 730 GB of data allegedly stolen, the Atlas breach has the potential to include sensitive information such as financial records, customer details, contracts, and internal communications. Exposure of such data can lead to severe reputational damage and loss of customer trust.


Black Basta Posts “Proof” of the Attack

Black Basta posted screenshots to support its claim of having obtained private company data.

Figure 2: Black Basta Dark Web Website, short information about the targeted company

The post has a countdown timer showing the time remaining before all of the data will be published. To back up its claims, the ransomware group posted a series of screenshots intended to demonstrate that it is serious.

Figure 3: The Ransomware group Black Basta Dark Web Website, a screenshot of the folders the attackers claim to have downloaded

This screenshot published by Black Basta shows a directory structure of the company’s internal files and documents. Here's a rundown of the content:

Directory Overview:

  • The screenshot shows a vast array of folders, totaling over 280 directories in the first column, seven in the second column, and 214 in the third column. These directories are well-organized and cover various aspects of Atlas Oil's operations.
  • The directory names indicate sensitive business information, including financial records, legal documents, customer service data, and employee-related files.

Categories of Data:

  • Financial and Audit Data: Directories like "2022 Supplier Package", "2023 Audit Invoices", "Accounts Payable", and "Audit File" suggest the presence of detailed financial records.
  • Customer and Supplier Information: Folders such as "2023 Customer Service", "Amazon-Extreme", and "Angie Commercial Transport" indicate customer service records and supplier transactions.
  • Legal Documents: Several directories under "LEGAL DEPT" highlight legal documents.
  • Employee Information: The third column lists individual employee directories, likely containing personal and professional information about Atlas Oil employees.
  • Operational Data: Directories like "ATLAS MARINE", "Back Office", and "Billing Department" indicate data related to day-to-day operations.

Specific Sensitive Data:

  • Personally Identifiable Information (PII): Employee directories may contain PII such as names, addresses, Social Security numbers, and other personal details.
  • Confidential Business Information: Folders labeled "SGH Confidential", "Pricing$", and "Credit Dept" suggest confidential and potentially proprietary business information.

The screenshot below shows potential data exposure by displaying collections of IDs, Passports, Driver's Licenses, and Social Security Numbers.

Figure 4: The Ransomware group Black Basta Dark Web Website, the screenshot illustrates a set of the possible company employees' private documents

The data dump also contained notarized documents containing additional private information.

Figure 5: The Ransomware group Black Basta Dark Web Website, screenshot with notary documents and private statement

Some of the scanned documents included payroll information. This type of information can have far-reaching and severe consequences for the individuals and the organization. Payroll information often includes salary details, bank account information, and other financial data that can be used by cybercriminals to commit fraud, such as unauthorized bank transactions or creating fraudulent accounts.

Figure 6: The Ransomware group Black Basta Dark Web Website, screenshot with payroll documents

Birth certificates and special licenses contain critical personal information such as full names, birthdates, and sometimes Social Security Numbers, all of which can be misused. A criminal with access to employee forms that include financial details can engage in financial fraud, including opening credit accounts, taking out loans, or making unauthorized purchases in the victim's name.

Figure 7: The Ransomware group Black Basta Dark Web Website, the screenshot of the Birth Certificates


Conclusion

The exfiltration of sensitive information, such as IDs, driver's licenses, Social Security Numbers, employee forms, special licenses, and birth certificates, can have profound and far-reaching consequences. For individuals, the risks include identity theft, financial fraud, personal safety threats, and a significant loss of privacy. These breaches can lead to unauthorized access to personal and financial accounts, potentially resulting in substantial personal and financial losses.

For the organization, the ramifications are equally severe. The breach can cause considerable damage to the organization's reputation, losing trust among customers, partners, and stakeholders. Financial losses can also occur due to fines, legal fees, and the costs associated with mitigating the breach and restoring affected systems. Operational disruptions are likely as the organization shifts focus to manage the crisis, potentially impacting productivity and service delivery.

The data breach at Atlas Oil underscores the critical need for robust cybersecurity measures. The exposed information highlights the potential for significant financial losses, operational disruptions, legal liabilities, and reputational damage. Atlas Oil must take immediate action to mitigate these risks, including notifying affected parties, enhancing cybersecurity measures, and conducting a thorough investigation to understand the full impact of the breach.

Organizations must prioritize the implementation of strong security protocols, regular employee training on data protection practices, and the development of comprehensive incident response plans. These measures are essential to protect against cyber threats and mitigate the impact of potential data breaches.

By taking proactive and comprehensive steps, organizations can better protect themselves against the potentially devastating impacts of data breaches and safeguard their employees' and customers' privacy and security.
