On Sept. 25, 2023, an obscure cybercriminal group called RansomedVC made the startling claim that it had “successfully compromised all of Sony Systems.” The world sat up at what appeared to be yet another ransomware raid on a famous brand name. However, this one was a bit different from the usual playbook everyone is used to. According to the attackers:
“We wont ransom them! we will sell the data. due to Sony not wanting to pay.”
Strange Mirror World
So, not strictly a ransomware attack at all because there was not going to be a formal ransom demand. This was more like data theft—a claimed 260GB—for a price reported to be $2.5 million. Bizarrely, the group’s message even threatened to report its hack to the “EU’s GDPR agency,” whatever the attackers meant by that.
This is all assuming, of course, that the attack happened at all, an uncertainty that hasn’t stopped someone setting up a Wikipedia page titled “2023 Sony ransomware hack” as if it had.
Welcome to the strange mirror world where things happen, or perhaps don’t happen, or perhaps happen but are being exaggerated. Sony’s response on the matter was to send a holding statement to news outlets, including Bleeping Computer:
“We are currently investigating the situation, and we have no further comment at this time.”
The fact that Sony hasn’t denied the possibility of an attack could be interpreted as an inadvertent admission, although it’s just as likely that Sony doesn’t yet know and is trying to avoid saying something misleading.
Ransomware Attack or Data Extortion?
More notable is the unusual MO of the attackers, commented on by security company Flashpoint at the time of the group’s appearance in August.
The group’s tactics look more like data extortion than classic ransomware—buy the data or we’ll sell it to someone else. But what’s the difference? Arguably, it is that paying the “ransom” becomes a competitive bid rather than a payment. It’s a subtle difference and perhaps a meaningless one, as everyone knows that even when a ransom is paid, data will invariably still be sold.
Or perhaps it points to the future evolution of all ransomware. In a world where data can be stolen but organizations refuse to pay ransoms (or are stopped from paying them by regulation), this could be a path forward for attackers—create a more open extortion supermarket for stolen data.
These possibilities underline how much cybercrime has evolved since Sony was last afflicted with cybersecurity troubles. The first came in 2011, when an attack on the PlayStation Network (PSN) led to the breach of 77 million accounts; a later attack followed in 2014, when the company’s Sony Pictures subsidiary was brought to a standstill by a large data leak later attributed to North Korea.
Even though huge hacks like this seem less likely today, the mood around cybersecurity has darkened. Before, it was just about well-resourced groups attacking big companies. Now, even tiny startups such as RansomedVC can plausibly get their hands on enough data to cause trouble, targeting anyone and everyone at will.