The Post and Courier proudly declares itself the main daily newspaper in the South, with a heritage going back to The Courier, founded in 1803, and The Evening Post, founded in 1896. Over its history, The Post and Courier has covered many news stories. But today, they are the story because the Black Suit ransomware gang added the paper to its leak site on April 15. The information below is based on the leak site listing and additional details provided exclusively to DataBreaches.net.
The Attack and Scope
According to the listing, Black Suit breached The Post and Courier’s network “and stayed there for over 2 weeks.”
Black Suit’s spokesperson tells DataBreaches that their group accessed the paper’s system on March 14, gaining access “through unpatched weak spots discovered on one of the company servers.” The spokesperson was unsure whether they had ever been detected but stated that they were never kicked out.
The listing claims that Black Suit exfiltrated 500 GB of data. Although Black Suit initially emerged as a group using encryption, their spokesperson informs DataBreaches that they did not use encryption in this attack.
“The amount of leaked data was above our expectations,” the spokesperson told DataBreaches. Data they claimed to acquire came from The Post and Courier as well as related sites:
- Aiken SC News
- Evening Post Industries
- Evening Post Publishing
- Evening Post Books
- Courier Square LLC.
- Post and Courier Advertising
Black Suit claims to have exfiltrated internal files, subscriber data, and employee data. The information allegedly included employees’ Social Security Numbers, passports, driver’s licenses, and other documents. Subscriber data allegedly includes credit card payment information, postal and email addresses, and contact information.
Proof of Claims
Although there is no proof of claims in the leak site listing, chat logs provided to DataBreaches indicate that Black Suit did acquire data. Black Suit provided a partial tree to the negotiator, who was allowed to request a number of files. The chat logs indicate that the paper’s negotiator subsequently provided a list of requested files from the file tree and later acknowledged and confirmed that Black Suit had provided the requested files. DataBreaches’ skim of the file tree found file names and information that were consistent with Black Suit’s description of the data they exfiltrated.
Negotiations Begin
The day after Post and Courier was accessed, someone representing the paper showed up in chat to begin negotiations. They did not give their name or position.
Chat logs from the last week of March and first week of April reveal that Black Suit initially demanded $1,750,000 ransom. The paper was clear that they couldn’t pay that amount. At one point, the paper’s negotiator claimed their bank denied their application for a loan for the total amount. There was no proof in the chat logs that the paper did apply for a loan. DataBreaches did not attempt to verify their claim.
“It is good to see your aim to find the money, but it seems like you are looking for money in the wrong place,” Black Suit’s negotiator responded to the paper’s claim that the bank had turned down their loan application. “Why do you need that bank loan if you are a part of Evening Post Industries? Your parent company should help you to get out of this situation, because there is a lot of personal data leaked from your network and it would not be good for the Parent company and its investment/real estate business in case the leaked data went public, right?”
On April 6, the paper’s negotiator requested a discount “as a sign of good faith.” “We don’t want to involve anyone else and would like to keep this as in house as possible. If you lowered your price it would go a long way for us being able to pay it,” the negotiator wrote.
After further discussion, Black Suit agreed to give them a 50% discount, but only if they paid in 48 hours.
Even that amount was still too high. The paper’s negotiator replied, “This is a step in the right direction but we still can’t accept, especially within 48 hours. We’re currently discussing our options internally and we’ll advise on what those may be.”
When Black Suit reiterated it would contact the parent company, the paper’s negotiator responded, “The information you have is dated and they’re no longer our parent company. Also, we can’t make a decision because what we want to offer is far less than the $875,000 you’re currently offering and we don’t want to upset you. In addition to that, you gave us 48 hours from yesterday and we thought we had time to figure out what that offer may be. If you begin reaching out to anyone about this incident while we’re trying to figure out a solution with you, we’ll stop responding to this email. Be patient and give us the 48 hours you gave us yesterday to try and figure this out.”
Negotiations End Without Even a Whimper
But that seems to be where negotiations ended without further exchanges or resolution—the 48 hours passed with no offer or further word from the paper.
“The way the Manigault family cares about such sensitive information they have lost makes absolutely no sense. People were about to pay for data protection and never responded since then,” Black Suit’s spokesperson commented to DataBreaches. Although the paper’s parent company is Evening Post Publications Inc., the Manigault family has owned the paper for generations. Pierre Manigault is currently the Chairman of the Board.
“What happened within those 48 hours and why Mr. Manigault changed his mind – that is the question everyone would like to be answered. But for now, it is just another time when rich men are trying to evade punishment for their sloppiness,” Black Suit’s spokesperson commented.
Was the paper really about to pay but just changed its mind—or was its negotiator stalling all along? DataBreaches does not know.
DataBreaches emailed The Post and Courier yesterday afternoon. Because no reply was received, a second email was sent to Pierre Manigault and Pamela J. Browning, the latter listed as President and Publisher of the Newspaper Division. Neither has replied by publication.
Ah yes cutting edge journalism from the family who brought us Lindsey Graham AGAIN!! in 2022.
Isn’t this weird they did not publish this in the paper? Hmm.
The lack of transparency amazes me