Ransomware Attack Paralyzes Danish Housing Association VIBO for a Week
Incident Date:
August 21, 2024
Overview
Title
Ransomware Attack Paralyzes Danish Housing Association VIBO for a Week
Victim
Boligforeningen VIBO
Attacker
Cloak
Location
First Reported
August 21, 2024
Ransomware Attack on Boligforeningen VIBO by Cloak
In July, Boligforeningen VIBO, a Danish housing association, fell victim to a ransomware attack orchestrated by the group Cloak. The attackers claimed to have stolen 140GB of data, which was subsequently leaked. The incident, initially reported on July 10, led to a week-long paralysis of VIBO's IT systems. However, by July 18, VIBO announced via their Facebook page that their operations had returned to normal. The attack has since been confirmed, and Boligforeningen VIBO has been listed on Cloak's data leak site, highlighting the severity of the breach.
About Boligforeningen VIBO
Boligforeningen VIBO is a prominent housing association in Denmark, primarily focused on providing affordable housing solutions. The organization manages approximately 6,000 social housing units, mainly located in Copenhagen and its surrounding areas. VIBO's mission centers on creating sustainable living environments that foster community and inclusivity among residents. The association operates under the principles of social housing, aiming to offer housing at lower rents compared to the private market. This is particularly important in urban areas where housing affordability is a significant concern.
Vulnerabilities and Targeting
VIBO's digital platform, "VIBO - Min Bolig," which allows residents to manage their housing-related documents, finances, and communications, could have been a potential entry point for the attackers. The reliance on digital systems for managing resident services and communications makes organizations like VIBO vulnerable to cyber threats. The small organizational structure, with around nine employees, may also contribute to limited cybersecurity resources, making it an attractive target for ransomware groups.
About Cloak Ransomware Group
Cloak ransomware is a relatively new group that emerged between late 2022 and early 2023. The origins and identities of the group behind Cloak ransomware are currently unknown. It appears to be a financially motivated criminal group rather than a state-sponsored actor. Cloak likely purchases initial access from Initial Access Brokers (IABs) on underground marketplaces and may leverage compromised employee credentials obtained through info-stealers like Lumma, Aurora, and Redline. The ransomware uses the infected machine's own resources to exfiltrate and encrypt data.
Attack Overview
The attack on Boligforeningen VIBO involved the exfiltration and encryption of 140GB of data. Cloak operates a data leak site where they sell and publish stolen data from victims, using double extortion tactics. Encrypted files are renamed with extensions like .crYptA, .crYptB, up to .crYptE. The attack led to a significant disruption of VIBO's IT systems, but the organization managed to restore operations within a week.
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.