Minneapolis, MN: CyberOptics Corporation hit by SchoolBoysGang ransomware group, exfiltrate 650GB of data
Marco A. De Felice aka amvinfe, 01/09/2023. Tags: BreachForums, CyberOptics, Laser Design Inc., Nordson, Perceptron Inc., Ransomware, SchoolBoysGang
The cyber attack and the theft of almost 650 GB of data, which took place between the end of August and the first days of last September, are not the only problem. CyberOptics Corporation (CyberOptics), a Minneapolis, Minnesota-based multinational company that develops and manufactures high-precision 3D optical sensing technology solutions, may also face lawsuits in the coming months related to Nordson Corporation’s (Nordson) acquisition of its share capital.
Several law firms (Weiss Law, Halper Sadeh, LLC, Brodsky & Smith, LLC, and Monteverde & Associates PC) are investigating possible breaches of fiduciary duty and other violations of US federal and state law. Their investigations will serve to establish whether the price paid for each share ($54.00 in cash) should be considered satisfactory for CyberOptics shareholders.
According to research carried out by SuspectFile, CyberOptics Corporation was hit by a cyber attack between the end of August and the beginning of September 2022. A new ransomware group, SchoolBoysGang, entered the IT systems of the American multinational by exploiting a server-side vulnerability, helped by the poor protection of the network systems. This is one of many responses a gang member gave us via email:
We used a popular vulnerability on their server at that time, their cybersecurity was at zero and we were very surprised by this.
SuspectFile was able to follow the negotiations between the person in charge for CyberOptics Corporation and a staff member of the SchoolBoysGang ransomware group from the very beginning. The chat opened with a message sent by the negotiator of the American multinational:
11 Oct – 09:04:00
Hello, how do we decrypt data?
After about an hour came the first response from the gang:
11 Oct – 09:54:15
Hello. We will check your finance and get back to you with our demand shortly. Be in touch plz.
In addition to the ransom price, the cybercriminals’ subsequent response indicates the “quality” of the exfiltrated data in their possession:
11 Oct – 10:03:22
So, we have reviewed your finance and calculated the price for you. Therefore, decryption tool, permanent data deletion with deletion log as well as our recommendations on how you can improve and strengthen your system will cost you $1,900,000.
We have uploaded all sources (NextGen, Flex, WaferSense) and other Intellectual Property. Currently we have full sharepoint dump, all User Folders, all important data from NAS’s, plenty of NDA’s and much much more other. Will provide you with a full listing of taken data soon.
The next day the CyberOptics negotiator sends this message:
12 Oct – 06:00:56
how you do full sharepoint dump, it's totally impossible
After about two hours of waiting, the answer arrives:
12 Oct – 07:51:15
* https://www.sendspace.com/file/[redacted]
Pass for archive: X*lo7[redacted]
We meant the most valuable information from the sharepoint, not full dump – it doesn’t make sense.
* Note: the file archive named “list” is no longer available for download. SuspectFile has a copy of the archive, which contains 2,802,397 lines of data.
12 Oct – 07:51:17
You have one day to review the listing and get back to us with a decision.
12 Oct – 07:57:13
You can choose 2-4 files from the list and we will provide them as a proof. We will be able to decrypt one of your files for free also.
The negotiator takes his time and responds after a day:
14 Oct – 15:53:38
We are in the process of verifying the list. It’s very large.
We will be in touch with the files that we would like you to produce.
After a few days of silence, the cybercriminals start to get impatient and give the negotiator the first ultimatum:
17 Oct – 07:42:19
Hi! What stage are you currently at? We’d like to proceed further.
18 Oct – 08:36:21
Got you. We will start notifying your employees first.
18 Oct – 08:39:40
If you continue to be silent, it will not end well for you. Keep the dialogue otherwise we might think that you don’t want to cooperate and we will start looking for a buyer of your data, and the decryption keys will be deleted which will make the decryption process impossible forever. Think well about the consequences, we don’t want to cause you any trouble, but we really need the money and we will do anything for it, don’t even doubt.
The same day, CyberOptics responds:
18 Oct – 12:01:33
Sorry for the delay. These are the files we are requesting to provide as proof.
c:\cyberoptics\unzip\[redacted]\06 Project[redacted].xls
c:\cyberoptics\unzip\[redacted]\R&D[redacted].pdf
c:\cyberoptics\unzip\[redacted]\8001566_BUILD_[redacted].pdf
c:\cyberoptics\unzip\[redacted]\release_notes.htm
c:\cyberoptics\unzip\[redacted]\Grab_[redacted].pdf
The following day, the cybercriminals upload the 5 files requested by the victim to sendspace.com and set the day by which CyberOptics must give answers regarding the payment of the ransom:
[Image: proof]
19 Oct – 04:21:36
Your deadline is Friday, we need a specific answer about payment. I also remind you that you can drop 1 file for a test decryption.
On October 21 the gang writes:
21 Oct – 02:51:16
So today is Friday. Day x for our deal. We like you, so you can drop even 5 files of different extensions to make sure our decryptor works, use sendspace.com. Also a reminder that after payment we will help improve your cybersecurity, and we will give some sources to your admin to keep an eye on, so your company will never get into an incident like this again. [redacted] If not paid, some of your data will be leaked on the cybercrime forum, also we may have a closed auction in our plans.
Two days later, the negotiator uploads an archive (files.zip) of 4 files encrypted by the gang during the attack on CyberOptics IT systems to sendspace.com and makes a further request to the cybercriminals