Basics?
Surely a basic monitor is for significant traffic, aggregated over various time periods to catch steady trickle downloads as well as fast dumps?
3.5TB !!!
The cybercriminals claiming responsibility for Ingram Micro's ransomware attack put a deadline on leaking its data nearly a month after the raid. The SafePay ransomware group posted Ingram Micro to its leak blog on July 29, saying it intends to release 3.5 TB of company data on August 1. In typical double extortion ransomware …
50 minutes on a 10Gbit leased line.
A terabyte is a literally pathetic amount of data for a large place like that, and I guarantee they have way more than 10Gbit.
Plus... nobody is looking for, or will notice, slower data extraction. That blip wouldn't even SHOW on the networking of your average primary school (which are now being required to have 10Gbit leased lines), let alone a huge IT company.
And even looking for it... they're already inside, they've only got to talk an SSL session out to, say, Azure or Google Drive and how would you tell that from Marketing uploading a video to their OneDrive? You wouldn't.
Honestly, it's just not the kind of thing people can spend resources looking at, because the false positives would be humongous. Do it out of hours, in slow trickles, etc. and you would never tell.
I worked at a place that had ransomware, but we were being asked to prove that data exfiltration never occurred.
It's extraordinarily difficult to prove such a thing.
In the end, the insurers and cybersecurity forensics, etc. people as well as the ICO were satisfied because we just happened to be in the middle of an ultra-quiet period, almost nobody was on site (COVID), and this showed on the networking stats, and our backups were clean (they managed to delete some backups, but the ones they couldn't get to were clean of the ransomware).
It was only sheer luck that the thing they hit was on a server cluster, and that server cluster was running a software router (Smoothwall) as a VM, so as soon as they affected its storage, the router (including the primary DNS, default gateway, all the inter-VLAN routing, etc.) shut down hard. That immediately stopped any exfiltration being possible without knowing the REAL gateway address on an entirely separate VLAN that only the Smoothwall used and to which all the actual physical upstream connections were forced at the networking ports. No other ports were configured to allow that VLAN to be accessed or routed to, even if they tried.
It was pretty simple to determine that, before, during and after the attack took hold, there simply wasn't enough data going over any of the connections to do anything in terms of significant exfiltration.
A weird combination of cloud-managed switches with full stats, and a software router as the primary gateway for EVERYTHING, saved our backsides from having to notify thousands of people that their data may have been exfiltrated.
As it was, to this day, nothing has ever come of that, and we believe that even the ransomware responsible wouldn't have had time to call home or get remotely-controlled. It was introduced by someone plugging in an unauthorised USB stick - which we know from logs - with a zero-day detected malware, that 2 years later STILL did not appear on any antivirus check as malware... our cyberforensics specialists kept checking and submitting and it always just passed straight through the AV, which is how it was able to infect us. The timing between the USB stick warning, and systems dropping off the central AV dashboard - starting with that PC - was seconds. It was able to then get into the servers, and from there escalate into the cluster hosts itself within a minute. And then everything went off because the primary gateway for ALL VLANs had been knocked offline by it doing so.
But it wasn't able to talk home and its automatic actions were to shut down the only way for it to talk home by encrypting the cluster storage and then demanding Bitcoin to an address to get the key to unlock.
We basically had an unintentional automatic lockdown because of the design of the system (which was necessitated by simply not investing in IT for a decade).
(We clearly just wiped the entire network, changed all credentials and started again extremely carefully, no ransom was paid, no data was exfiltrated).