RansomExx Ransomware Gang Dumps Stolen Embraer Data: Report


The group published files stolen from the Brazilian aircraft manufacturer in a ransomware attack last month.

Hackers have dumped sensitive company data that was stolen during a ransomware attack last month on aircraft manufacturer Embraer. The compromised data appeared on a new dark web site created to publish leaked information, according to a published report.

The move appears to be revenge for the Brazil-based company’s refusal to pay a ransom after the attack, choosing instead to restore affected systems from backups, according to a report in ZDNet published early Monday. The files were published on a recently created dark web site run by the RansomExx ransomware gang, also known as Defray 777, according to the report.

Embraer is the third-largest producer of airliners behind Boeing and Airbus. The company acknowledged in a statement on Nov. 30 that a cyberattack that accessed “only a single environment of the company’s files” occurred on Nov. 25.

“As a result of this occurrence, the Company immediately initiated its procedures of investigation and resolution of the event, as well as proceeding with the proactive isolation of some of its systems to protect the systems environment, thus causing temporary impact on some of its operations,” according to the statement.

Embraer did not specify what kind of attack the company suffered, or if data was stolen from the accessed environment. The hundreds of megabytes of data files found on the RansomExx site include folders pertaining to employee data, supply-chain subcontracts, and source code, 3D models and photos of Embraer aircraft, according to the report.

Embraer is not the only company with leaked data on the site, which reportedly went live on Saturday. Data stolen from other victims of the ransomware group also appeared there, according to ZDNet.

Ransomware gangs have been particularly active lately in numerous high-profile attacks on large companies. RansomExx/Defray is one of the smaller groups currently operating, though perhaps the launch of the leak site is an indication that they will boost their level of activity in the coming months.

Other ransomware groups that also manage leak sites for the data stolen in ransomware attacks include Conti, Clop, Egregor and REvil, among others. Several of these groups have pulled off a number of significant attacks in the last few months, some of which resulted in data being leaked on their respective sites.

Last week Egregor hit both the Vancouver transit system TransLink and U.S. retailer Kmart with ransomware attacks. Prior to that, the group also mounted major attacks in October against bookseller Barnes & Noble and gaming companies Ubisoft and Crytek.

Clop and Conti also have been responsible for attacks in recent months. Last week Clop made off with 2 million credit-card records in an attack on South Korean retail group E-Land. Conti, meanwhile, stole data from industrial-computing manufacturer Advantech in November, publishing a list of files on its leak site to pressure the company into paying a ransom of 750 Bitcoin, or about $14 million at the time.
