Dolly.com pays ransom, attackers release data anyway

On-demand moving and delivery platform Dolly.com allegedly paid a ransom but crooks found an excuse not to hold their end of the bargain.

Cybercriminals are hardly a trustworthy bunch. Case in point: Dolly.com. The Cybernews research team believes that the platform suffered a ransomware attack and at least partially paid the ransom – but was duped.

The attackers complained that the payment wasn’t generous enough and published the stolen data. Not only that, but the criminals also shared a chat with the company on an underground criminal forum.

We have reached out to Dolly.com to confirm whether the company suffered a ransomware attack and opted to pay the ransom, but we did not receive a reply before publishing.

The attack on Dolly.com

Dolly.com offers on-demand moving and delivery services in 45 US cities. The platform connects people who need help moving items with “Dolly helpers” who can assist with the heavy lifting.

Attackers posted details about the Dolly.com hack on a notorious Russian-language forum, typically employed by ransomware operators and stolen data traders.

The company was likely breached sometime in late August or early September. One of the emails between the attackers and the victim, dated September 7th, showed that Dolly.com agreed to pay the ransom.

Dolly data
Image by Cybernews.

In exchange, the attackers were asked to delete the stolen information. Our researchers believe that the cybercriminals obtained sensitive company and customer data such as:

  • High-level account login details
  • Credit card information
  • Customer addresses
  • Names
  • Registration dates
  • User emails
  • System data

The team believes the stolen credit card data includes at least the last four numbers and the card’s type. However, attackers said they had access to the entire credit card data.

Our researchers also noted that the criminal forum post included entry points for MongoDB instances hosted on Amazon Web Services (AWS) cloud, along with their admin credentials to internal Dolly.com systems.

“Moreover, all 95 AWS S3 bucket names that were hacked and belonged to Dolly.com, including backups, were attached within the post. Normally, this data type is also considered sensitive,” researchers said.

Insufficient payment

According to the attackers’ version of events, Dolly.com did pay the ransom, but it was not enough to satisfy them. Unsurprisingly, the gang did not return the payment that it deemed too small. Instead, the crooks kept the money and the data.

To add salt to the wound, the attackers uploaded the data and posted two download links on a forum infested with cybercriminals. Not only did the company allegedly lose money and data, but its attempt to mute the attack also failed. The only silver lining is that the downloadable files were later removed after being up for at least a week.

“Dolly.com paid the ransomware operator to avoid the attack going public. The attackers felt the sum was insufficient. This was later presented as the main motivation to publicize the hack and announce a data auction along with sample files and free-downloadable archive dumps,” our researchers said.

The case illustrates how ransomware operators can never be trusted, as there is no guarantee that victims who pay up won’t lose their money and data.

“If no precautions are taken, this attack might lead to many more subsequent attacks,” researchers said.

Cybersecurity experts at Cybernews published a set of recommendations to mitigate the problems and avoid further security incidents. Take a look at the recommendations in the original post:

https://cybernews.com/security/dolly-data-breach-ransomware-attack/

About the author: Vilius Petkauskas, Deputy Editor at Cybernews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Dolly.com)

The post Dolly.com pays ransom, attackers release data anyway appeared first on Security Affairs.