The alleged Sony data breach just got messier. On Monday, relatively new hacking group Ransomed.vc made the lofty claim that it had successfully compromised "all" of the company's systems, as reported by Cybersecurity Connect. Now a second threat actor has leaked the data believed to be in Ransomed.vc's possession, claiming the former are "scammers" trying to "chase influence." How either group obtained this data, or the extent of the breach, remain unknown but Sony has confirmed to Engadget it's investigating the situation.
Ransomed.vc said it wouldn't ransom Sony, and instead would be selling the data "due to Sony not wanting to pay." It posted a sampling of files as "proof" of their claims. Ransomed.vc gave a deadline of September 28. On Tuesday, a threat actor under the name "MajorNelson," claimed that Ransomed.vc lied about the breach, and leaked the data that Ransomed.vc claimed to have, according to malware repository vx-underground. Engadget could not independently verify the claims.
"We are currently investigating the situation," a Sony spokesperson told Engadget.
Ransomed.vc emerged as attackers and a ransomware-as-a-service organization that lets others pay to launch attacks. The group threatens victims with data protection fines under laws like the GDPR if they do not pay the ransom. In other words, pay us a few hundred thousand dollar ransom, or we'll report you to pay up a million dollar fine. MajorNelson appears to be an independent threat actor motivated by a disdain for Ransomed.vc, calling the reports about their efforts lies.
"RansomedVCs are scammers who are just trying to scam you and chase influence," MajorNelson wrote. "Enjoy the leak." According to MajorNelson, the leak includes credentials for internal systems, incident response policies and more.
In 2011, a threat actor exposed personally identifiable information from 77 million PlayStation network accounts. Sony took the network offline for 23 days as it mitigated the damage, and in 2019, it agreed to pay a £250K fine in the UK for its failure to adequately prepare for the attack.