Fraud Management & Cybercrime
Incident & Breach Response
DarkSide Ransomware Operation Had Claimed Clothing Retailer Was Victim of Its Attack
Clothing retailer Guess suffered a ransomware attack and data breach earlier this year that exposed personal information for an unspecified number of individuals.
See Also: Live Webinar | Improve Cloud Threat Detection and Response using the MITRE ATT&CK Framework
As Bleeping Computer first reported, citing a data breach notification letter issued by Guess to 1,304 affected Maine residents, Guess says criminal hackers accessed its systems from approximately Feb. 2 to Feb. 23 and that the intrusion was “designed to encrypt files and disrupt business operations.”
Los Angeles-based Guess has 1,580 stores globally, including 280 in the U.S. and 80 in Canada.
“Upon discovery of the incident on Feb. 19, Guess activated its incident response plan and a cybersecurity forensics firm was engaged to assist with the investigation and containment,” Guess’s breach notification says. “On May 26, the investigation determined that personal information related to certain individuals may have been accessed or acquired by an unauthorized actor.”
Potentially exposed information includes Social Security numbers, driver’s license numbers, passport numbers and financial information.
By June 3, Guess said it had identified all likely victims and their mailing addresses; it began mailing them on Friday. Guess says it’s offering one year of prepaid identity theft monitoring to all victims.
“Guess has also established a dedicated call center for individuals to call with questions about the incident or enrolling in credit monitoring services,” it says. “To reduce the risk of a similar incident occurring in the future, Guess implemented additional measures to further enhance the security of its network and existing security protocols.”
The clothing retailer didn’t immediately respond to a request for more information about the incident, including how many individuals’ personal details were affected, how many systems got locked by attackers or if Guess paid any ransom.
But in a statement sent to Bleeping Computer, Guess stated that as part of its investigation, it notified law enforcement agencies of the intrusion and also “notified the subset of employees and contractors whose information was involved.” In addition, Guess said that “the investigation determined that no customer payment card information was involved” and also that “this incident did not have a material impact on our operations or financial results.”
DarkSide Claimed Guess as Victim
The data breach tracking blog DataBreaches.net on April 12 noted that the DarkSide ransomware-as-a-service operation had listed Guess as a victim on its data leak site.
“DarkSide claims to have exfiltrated more than 200GB of data, and posted a number of samples as proof,” DataBreaches.net reported. In the listing, as is typical, DarkSide included no specific ransom demand, but did reportedly advise Guess: “‘We recommend using your insurance, which just covers this case. It will bring you four times more than you spend on acquiring such a valuable experience.”
DarkSide functioned as a ransomware-as-a-service operation, meaning its administrators developed ransomware and surrounding services – such as a dedicated data leak site – while affiliates downloaded the crypto-locking malware and used it to infect victims. Whenever a victim paid a ransom, the affiliate and operator shared the profits.
On May 7, however, DarkSide appeared to overstep, hitting Colonial Pipeline Co., which supplies fuel for 45% of the U.S. East Coast, leading to many individuals hoarding fuel as the White House worked to calm accompanying fears.
In the wake of that attack, DarkSide reported via its data leak site that “we lost access to the public part of our infrastructure, in particular to the blog, payment server, CDN servers,” and said also that “the hosting panels have been blocked,” threat intelligence firm Intel 471 reported at the time.
As a result, DarkSide on May 13 claimed that it would stop all affiliate operations, reimburse all affiliates for attacks and issue decryption tools for them to share with victims.
Whether any of that actually happened remains unclear (see: Ransomware Gangs ‘Playing Games’ With Victims and Public).
What happened to stolen Guess data – for example, if a DarkSide affiliate responsible for the attack sold it to others – also remains unclear, as does whether Guess received a decryption tool from DarkSide.