Several French nationals have been arrested on suspicion of involvement with hacker group Rex Mundi.
Rex Mundi, which had been in operation since at least 2012, operated mainly by hacking into companies’ networks, stealing private information, and holding it ransom. In addition to demanding a fee for not leaking the details, on occasion they would also offer to reveal the vulnerability which allowed them entry to the systems, for an additional sum.
The group’s victims, many of which were Belgian companies, include AmeriCash Advance, Webassur, Drake International, Buy Way, Hoststar, Websolutions.it, Numericable, Habeas, AlfaNet, Domino’s Pizza, and Banque Cantonale de Geneve (BCGE).
While the group initially publicised its activities fairly heavily online, leaking data on public forums when companies refused to pay the ransom, increasing crackdowns on cybercrime by law enforcement appeared to discourage this behaviour, with the group taking a more discreet tack from around 2015 onward.
However, the group’s activities continued until 2017, when an attack targeting a British company allowed Europol to identify several members. According to Europol, a few days after the attack took place, a French-speaking individual who identified himself as a member of Rex Mundi contacted the company, shared credentials proving he had access to large amounts of customer data, and demanded a ransom.
The ransom, which was to be paid in Bitcoin, was set at approximately €580,000 ($670,000) for not leaking the data, or over €825,000 ($776,000) for information on the security breach and how to handle it. For each day’s delay in payment, the price would increase by €210,000 ($240,000).
The victim company reported the attack to the Metropolitan Police, following which the French National Police and Europol were informed and a joint operation commenced. According to Europol, the French police were able to use the available information to identify a French national involved. This led to the arrest in June 2017 of five people thought to have been involved in the operation.
Though the primary suspect admitted his role in attempting to extort the company, he claimed that he had not carried out the attack himself but had used the dark web to hire a hacker. This led to the further arrest of two hackers by the French police in October, and the final accomplice (another French national) was arrested by the Royal Thai Police on May 18 this year.
While this seems to have put an end to Rex Mundi, the popularity of holding stolen information to ransom is only growing, particularly with the rise of ransomware making it even easier to demand payment – and demonstrating many companies’ willingness to pay up, sometimes even repeatedly.
As the reputational and financial costs of customer data breaches increase, companies may (despite the increased regulation around breach disclosures) be even more inclined to pay the cost of the ransom and keep the breach quiet, rather than risk fines and bad press. While crackdowns mean groups operating in this way will likely keep their activities low-key, this is the end of just one of them, not all – the King is dead, long live the King.