Kumar Hemant reports:
Let’s Secure Insurance Brokers Pvt Ltd., a prominent Indian insurance brokerage firm, has reportedly fallen victim to ransomware. The perpetrators, identified as the Kill Security (alias KillSec) group, claim to have gained unauthorised access to the company’s data, sparking concerns over potential data breaches.
India has increasingly become a focal point for cyberattacks, with industries ranging from finance to healthcare targeted by sophisticated hacking groups. Let’s Secure Insurance Brokers Pvt Ltd is the latest high-profile name to join the growing list of Indian organisations compromised by ransomware gangs.
Read more at Candid Technology, where the headline is “Indian insurance company Let’s Secure suffers ransomware attack.”
Unlikely to be a Ransomware Attack
It’s a shame that the insurer never read our previous reporting on KillSec. As this site always says, there’s no need to hack when it’s leaking.
KillSec finds exposed databases, downloads data, and then demands payment from the victim to delete the data. If the world thinks that KillSec is accomplished hackers, that’s probably just fine with KillSec, but there’s nothing in these attacks that requires anything other than using a search engine or search service that lists exposed databases.
Nor is there evidence that KillSec is encrypting files of its victims. It's more of a simple extortion model that capitalizes on databases that entities have misconfigured.
From Leak to Breach
Like too many others, Let’s Secure Insurance had an unsecured Amazon storage bucket. It was first noted as unsecured on an indexing service on November 22, 2024. KillSec seems to have noted it, too, and then tried to ransom the data.
The bucket is still unsecured even after KillSec listed the company on its dark web site yesterday.
Every victim listed on KillSec’s dark website since November had an unsecured cloud storage bucket or blob (usually bucket) that KillSec appears to have found via a service that lists exposed servers. When examined by the researcher known as JayeLTee and another researcher who wishes to remain anonymous, the data KillSec leaks has been the same data that researchers found in the exposed buckets.
Sadly, most of the victims’ buckets are still unsecured.
If You Are Contacted by KillSec
- Check (or have your IT service check) your Amazon AWS S3 buckets to determine which is misconfigured, and lock it down. You'll likely find it's an Amazon AWS S3 bucket. Only occasionally have we seen an Azure blob be the source.
- Be sure to lock the bucket down properly so that even if someone has the file list or file links, they cannot directly connect to the files.
- Do not pay KillSec. That only encourages more of this type of thing, and besides, if they have your data, how many other unauthorized individuals have your data? Your data are already out there and paying criminals won’t fix that. Hopefully, you have access logs to figure out how many unauthorized IP addresses accessed data back to the time when it was first exposed and you can figure out who needs to be notified.
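
As an added example (not from the original post), the access-log review in the last step could be scripted as below, assuming S3 server access logging was already enabled on the bucket. The bucket name, owner ID, IP addresses, request IDs and log lines are constructed samples, and the November 22, 2024 cutoff is only the date the exposure was first indexed, so a real review may need an earlier one.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Leading fields of an S3 server access log record, in documented order.
RECORD = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<reqid>\S+) (?P<op>\S+) (?P<key>\S+) '
    r'(?:"[^"]*"|-) (?P<status>\d{3}) ')
# Read operations of interest; a listing has no object key, so give it a label.
READ_OPS = {"REST.GET.OBJECT": None, "REST.GET.BUCKET": "(bucket listing)"}

def anonymous_access(lines, exposed_since):
    """Map remote IP -> sorted list of what it read without credentials."""
    hits = defaultdict(set)
    for line in lines:
        m = RECORD.match(line)
        if not m or m["op"] not in READ_OPS:
            continue                       # malformed record or not a read
        when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        if when < exposed_since or m["requester"] != "-":
            continue                       # too early, or an authenticated caller
        if m["status"] in ("200", "206"):  # only reads that returned data
            hits[m["ip"]].add(READ_OPS[m["op"]] or m["key"])
    return {ip: sorted(found) for ip, found in hits.items()}

# Constructed sample records (documentation IP ranges, placeholder owner ID).
P = "OWNERID example-bucket "
SAMPLE = [
    P + '[21/Nov/2024:10:00:00 +0000] 192.0.2.10 - REQ1 REST.GET.OBJECT '
        'policies/a.pdf "GET /policies/a.pdf HTTP/1.1" 200 - 1024 1024 12 10 "-" "curl/8.0" -',
    P + '[23/Nov/2024:08:15:00 +0000] 198.51.100.7 - REQ2 REST.GET.BUCKET '
        '- "GET /?list-type=2 HTTP/1.1" 200 - 2048 - 20 18 "-" "python-requests/2.32" -',
    P + '[23/Nov/2024:08:15:04 +0000] 198.51.100.7 - REQ3 REST.GET.OBJECT '
        'policies/a.pdf "GET /policies/a.pdf HTTP/1.1" 200 - 1024 1024 12 10 "-" "python-requests/2.32" -',
    P + '[24/Nov/2024:02:00:00 +0000] 203.0.113.5 arn:aws:iam::111122223333:user/backup REQ4 '
        'REST.GET.OBJECT policies/b.pdf "GET /policies/b.pdf HTTP/1.1" 200 - 512 512 9 8 "-" "aws-cli/2" -',
    P + '[25/Nov/2024:09:30:00 +0000] 203.0.113.99 - REQ5 REST.GET.OBJECT '
        'policies/b.pdf "GET /policies/b.pdf HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/8.0" -',
]
CUTOFF = datetime(2024, 11, 22, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ip, found in anonymous_access(SAMPLE, CUTOFF).items():
        print(ip, len(found), found)
```

Object keys appear URL-encoded in these logs, so decode them before matching against the list of files that held personal data.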