'Cuba' Ransomware Gang Hits Payment Processor, Steals DataCalifornia DMV and Washington Cities Among Those Issuing Data Breach Notifications
A ransomware-wielding gang has hit a Seattle-based billing and payment processing provider used by organizations and government agencies across California and Washington.
The "Cuba" ransomware gang has taken credit for the hit against Automatic Funds Transfer Services, saying on its dedicated leaks site - reachable only via the anonymizing Tor browser - that it left AFTS crypto-locked as of Feb. 4.
The leaks site listing says "financial documents, correspondence with bank employees, account movements, balance sheets and tax documents" were among the information the gang stole. The AFTS listing on Cuba's leaks site also states that the ransom demand was "paid."
AFTS provides payment processing, billing, printing, mailing and other services to California's Department of Motor Vehicles, as well as numerous Washington municipalities, among other organizations. The connection between the AFTS breach and the Cuba ransomware attack was first reported by Bleeping Computer.
AFTS didn't immediately respond to a request for comment. But according to a Thursday breach notification issued by the Washington city of Puyallup: "AFTS has hired a forensic company to address the ransomware attack and is attempting to retrieve all its information, and has reported the ransomware attack and potential breach of customer information to the police and FBI."
As of Friday, the AFTS website remained unavailable, resolving only to this message: "The website for AFTS and all related payment processing website are unavailable due to technical issues. We are working on restoring them as quickly as possible."
According to the company's LinkedIn page, it processes more than 200 million addresses monthly.
Cuba Gang Sometimes Sells Stolen Data
Cuba is yet another ransomware operation in which attackers sometimes steal data before leaving systems crypto-locked, then leak the data to try and force victims to pay. The ransomware appends ".cuba" to files it encrypts.
There is no indication that the gang has any connection with the country of the same name.
"Cuba first emerged in late 2019 and is fairly vanilla ransomware. Like multiple other groups, Cuba's operators exfiltrate data and publish it on a so-called leak site should the company not comply," says Brett Callow, a threat analyst at security firm Emsisoft. "Somewhat unusually, Cuba only makes some exfiltrated data available at no cost; other data it sells."
For example, Cuba's leaks site currently lists seven victims' data for free access and only AFTS under the category of "paid content."
In terms of selling stolen data, "other groups likely do this too, whether their victims pay or not, but are just not as open about it," Callow says. "Egregor, for example, stated it only published data that could not be sold, REvil auctions it and Clop states: 'If you are interested in detailed logs and files of any companies, we have - write to us.'"
Breach Triggers Numerous Notifications
The AFTS breach first came to light on Feb. 8, when numerous organizations began issuing data breach notifications to customers or residents in the wake of the breach. One victim, Lakewood Water District in Washington, says in its alert: "The AFTS servers were encrypted by ransomware sometime between the evening of Feb. 3 and the morning of Feb. 4. There is no direct threat to the district’s network as a result of this incident."
The city has been made aware of a security/data incident involving a ransomware attack on our utility billing payment processor, Automatic Funds Transfer Services, Inc. between the evening of Feb 3 and the morning of Feb 4. For more information, visit https://t.co/jggZS9J5ve.— City of Auburn (WA) (@auburn_wa) February 12, 2021
By law, organizations must alert both California and Washington state residents if their personal details were exposed. "Washington law requires businesses, individuals and public agencies to notify any Washington resident who is at risk of harm because of the unauthorized acquisition of data that compromises the security, confidentiality or integrity of that resident’s personal information," according to the state attorney general's office.
In addition, for any breach that affects more than 500 Washington residents, a copy of the breach notification must be sent to the attorney general's office.
California has similar requirements in place.
California DMV Affected
The full roster of affected organizations remains unknown. But California's DMV on Wednesday warned that state driver information may have been exposed in the attack, "including the last 20 months of California vehicle registration records that contain names, addresses, license plate numbers and vehicle identification numbers."
The DMV says it has used AFTS "since 2019 to cross-reference addresses with the national database - which gets updated whenever someone files a change of address with the U.S. Postal Service National Change of Address Database - to ensure vehicle registration renewal notices are mailed to a customer’s current address."
In the wake of the breach, "the DMV is initiating an emergency contract with a different address verification company to ensure there are no impacts to customer service," the state agency says. "The DMV is reviewing processes with AFTS to determine the further security enhancements needed to prevent future breaches."
Washington Cities Affected
In Seattle, meanwhile, "a small number of city departments" use AFTS, including the city's animal shelter, which notes: "As we learn more about whether and how the event impacted the city, the city will notify individuals whose personal information was acquired without authorization as a result of this event."
Affected organizations say there may be some resulting delays. "Due to the current circumstances, utility statements mailed to our customers may be delayed, however, we are not imposing late fees at this time," the city of Lynwood says.
Data breach notifications also urge individuals to keep a close eye on their bank and credit card accounts for signs of unusual activity.
Full Extent of Breach Unknown
AFTS has yet to file a breach notification, as required, although it's probably first trying to ascertain exactly which individuals might have been affected.
Exactly what types of data were compromised by attackers apparently has not yet been determined.
The Lakewood Water District, for example, notes in its notification: "For residents or businesses who pay their utility bills by mailing a paper check, scanned copies of their paper checks are also stored on the AFTS servers, which include bank account and routing information. It is unknown at this time whether these scanned copies of checks have been illicitly extricated from the network."
Port of Edmunds, meanwhile, states that "the information stored in the AFTS databases is limited to data necessary to fulfill billing, payment processing of paper check payments, bank bill pay payments and ACH automatic payments."
Based on the victims' notifications, it appears that AFTS holds no Social Security numbers, driver's license numbers or credit card numbers.
But at least some personal information - including names, addresses, email addresses, bank account details and payment or invoice amounts - does appear to have been exposed. Accordingly, there's increased risk from scammers or fraudsters who might use the information to try to trick individuals or commit identity theft.
Emsisoft's Callow notes that this situation is similar to the 2020 breach of Blackbaud. That South Carolina-based, publicly traded firm, which provides cloud-based marketing, fundraising and customer relationship management software used by thousands of charities, universities, healthcare organizations and others, suffered a data exfiltration and ransomware attack last May. Affected organizations subsequently issued breach notifications revealing that collectively, information on millions of individuals was exposed.
News Editor Doug Olenick contributed to this report.