https://www.freightwaves.com/news/ransomware-target-apex-capital-declares-systems-back-up-and-running

The company and its subsidiary TCS Fuel, which provide factoring and fuel services, were victims of an attack by the BlackByte ransomware gang.

A week after Apex Capital Corp. and its subsidiary, TCS Fuel, were targeted in a ransomware attack that knocked its computer systems offline, a company executive said Monday that it’s business as usual.

“Our networks for Apex and TCS are back up and running,” Sherry Leigh, chief product and marketing officer at Apex, told FreightWaves.

Ransomware gang BlackByte claimed responsibility for infecting the operating systems of Apex Capital, headquartered in Fort Worth, Texas, which, in turn, shut down TCS Fuel’s network.

Leigh declined to comment about what data may have been stolen by the hackers who accessed Apex’s system.

On Saturday, Apex announced its client site, AMP, and mobile app were available with “limited functionality.” The company added that the TCS client site and its mobile app were also available for trucking companies needing to purchase fuel.

After initially blaming the malware attack on an “unplanned system outage,” Chris Bozek, president of Apex Capital Corp., confirmed the company had been “infected by malware” two days later.

Apex Capital and TCS Fuel specialize in providing financial services for small and medium-size trucking companies.

Since opening its doors nearly 27 years ago under co-founders David Baker and Dean Tetirick, Apex has grown into one of the largest factoring companies in the U.S.

What happened?

Some small-business truckers who utilize Apex Capital to factor their accounts receivable or fuel trucks using discount cards through TCS told FreightWaves they were alarmed Monday morning when they were unable to log on to the companies’ systems, fuel trucks or access funds to pay owner-operators.

In February, the FBI and the U.S. Secret Service released a joint cybersecurity advisory about BlackByte. The report described the gang as “a ransomware-as-a-service group that encrypts files on compromised Windows host systems, including physical and virtual servers.”

Brett Callow, threat analyst at Emsisoft, said BlackByte is using evolving methods to target its victims.

“You’ll see they’ve got some new tactics,” Callow told FreightWaves. “Victims can pay to extend the time until the [confidential] data is published, to have the data deleted (supposedly), while anyone can pay to download it.”

According to BlackByte’s ransomware demand, which was posted on Twitter, anyone could pay $5,000 to extend the company’s data release for 24 hours, $300,000 to destroy all the information and $200,000 to download all of Apex’s data.

A rival factoring company posted on Twitter Thursday that although it was unable to afford the $200,000 to access Apex’s data, the startup’s owner provided his email address in case the hackers wanted to share the data for free. The tweet was later deleted.

“The price [to download the data] could be set intentionally low,” Callow said. “The hackers may hope that the victims will believe the low price will result in one or more third parties buying it should they not pay the demand to have the data [supposedly] taken off the market. The third parties in question could be other cybercriminals or perhaps even competitors [of Apex].”

Callow said it’s unclear where BlackByte’s operation is based but added that it’s possible there’s some overlap with another ransomware operation: Conti.

“Also, the fact the developers may be based in a particular country or countries doesn’t mean that it’s where the attack came from,” he said. “The groups effectively ‘rent’ their ransomware to affiliates who use it in their attacks — and the affiliates can be based anywhere.”