Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish the data it had stolen earlier this week.
However, despite the claims, a Deloitte spokesperson told Infosecurity that its investigation indicates that the allegations relate to a single client’s system which sits outside of the Deloitte network.
“No Deloitte systems have been impacted,” the spokesperson said.
In a post published on 4 December, Brain Cipher, a ransomware group that first emerged earlier in 2024, said it had stolen 1TB of compressed data.
The group gave the firm 10 days, until December 15, to respond to the threat.
In its statement, the ransomware group said, “giant companies do not always do their jobs well.”
The post also said it would unveil how “the ‘elementary points’ of information security are not observed” by Deloitte.
According to SentinelOne, Brain Cipher engages in multi-pronged extortion, hosting a TOR-based data leak site. The threat actor’s payloads are based on LockBit 3.0.
In June 2024, Brain Cipher claimed responsibility for hacking into Indonesia’s Temporary National Data Center (PDNS) and disrupting the country’s services.
The ransomware gang initially demanded a ransom of $8m from PDNS but later published the decryptor for free.
Why Attackers Fake Ransomware Claims
While Deloitte has distanced itself from the attack, this does not mean that an organization at the center of a ransomware claim remains unaffected.
“Not affecting the target organization’s systems doesn’t mean there’s no impact,” Javvad Malik, lead security awareness advocate at KnowBe4, told Infosecurity. “The mere suggestion of a breach can harm reputations, affect stock prices, or trigger costly and unnecessary responses. Thus, even an empty threat carries the same weight as shouting ‘fire’ in a crowded theatre.”
Deloitte is privately held; only its partners can own equity in the firm.
On why such groups may fabricate claims, Rafe Pilling, director of threat intelligence, Secureworks Counter Threat Unit, said there are many reasons cybercriminals do this.
“Both criminal and state-sponsored threat actors have been known to obtain data – perhaps from customers or suppliers of a well-known brand – then advertise it as a compromise of that bigger brand, rather than sharing the real source of the data,” he said.
“It gives them a higher profile and makes them look more of a threat. This tactic may be particularly appealing to smaller cybercrime groups looking to establish a name for themselves in a competitive criminal landscape.”
Malik concurred, adding: “It can be to boost the reputation of the criminal gang, trying to gain notoriety, instill fear, and perhaps even lure victims into ill-advised actions, like paying for decryption keys they don’t need.”