A cybersecurity attack against a major accounts payable software provider popular with banks led to hackers leaking passwords, bank account numbers and nondisclosure agreements last week.
The company, AvidXchange, is used by more than 1,700 banks and credit unions, according to
According to cybersecurity experts, cyber gangs are increasingly deploying attacks like this one, which work like ransomware but skip the encryption step. While such attacks can leave a company's systems intact to continue operating as normal, they still expose sensitive data.
Despite the name, Ransomhouse's cyberattack against AvidXchange was not a ransomware attack by most definitions. Ransomhouse stole AvidXchange data — about 450 gigabytes, the group says — held the data hostage and demanded a ransom, but it apparently did not encrypt AvidXchange's files or otherwise interrupt the company's operations.
Ransomhouse published roughly 9 megabytes of the data it stole and threatened to publish the rest if the company did not contact the group, presumably to negotiate a ransom payment.
"Dear AvidXchange, we strongly recommend you to contact us to prevent your confidential data, documents from being leaked," Ransomhouse said on its dark web blog (also known as an
AvidXchange quietly published
AvidXchange learned about this incident in "early April," according to the company's statement. Without naming Ransomhouse, the company said a threat actor had infiltrated "some" of its systems but did not specify which ones or how many. AvidXchange said it would directly contact customers whose data had been compromised.
"Our solutions are operational and we are processing customer invoices and payments," AvidXchange said. "However, our efforts to respond to the incident and enhance our security may result in temporary disruptions to certain features or products."
The data Ransomhouse has published so far from the AvidXchange leak reveals a few damning details about AvidXchange's security practices. For example, a list of more than 3,000 passwords that appears to have been exported from an enterprise password manager indicates that, while AvidXchange used apparently random combinations of letters and numbers for many systems, it also used insecure passwords for some.
Examples of weak passwords AvidXchange used were "password" and "AvidXchange!".
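The weak entries described above are exactly what a defender should catch before a leak does. The following added example (not code from the article or from AvidXchange) audits a constructed password-manager CSV export for the failure modes named here: dictionary passwords such as "password", passwords derived from the organization's own name, and short or low-diversity strings. The export rows, the organization name "examplecorp" and the thresholds are assumptions for illustration.

```python
import csv
import io
import math
import re
from collections import Counter

# Constructed sample of a password-manager export (fictional entries).
SAMPLE_EXPORT = """name,username,password
prod-db,svc_db,x7Qm2pL9vR4tN8wK
vpn-gateway,admin,password
build-server,jenkins,Examplecorp!
backup-nas,root,H3kz9Wq1Lp5Yt2Vb
wiki,editor,Summer2023
"""

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
ORG_NAMES = {"examplecorp"}  # placeholder organization name; attackers guess these first

def shannon_entropy(s):
    """Bits per character; a rough measure of character diversity."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def normalize(pw):
    # Lowercase and strip digits/punctuation so "Examplecorp!" -> "examplecorp"
    return re.sub(r"[^a-z]", "", pw.lower())

def classify(pw):
    """Return the reasons a password is weak; an empty list means it passed."""
    reasons = []
    core = normalize(pw)
    if core in COMMON_PASSWORDS:
        reasons.append("common password")
    if any(org in core for org in ORG_NAMES):
        reasons.append("derived from organization name")
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if re.fullmatch(r"[A-Za-z]+\d{2,4}", pw):
        reasons.append("word followed by year/number pattern")
    if shannon_entropy(pw) < 3.0:
        reasons.append("low character diversity")
    return reasons

def audit_export(csv_text):
    """Map entry name -> weakness reasons for every entry that failed a check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = classify(row["password"])
        if reasons:
            findings[row["name"]] = reasons
    return findings
```

Running `audit_export(SAMPLE_EXPORT)` flags the "vpn-gateway", "build-server" and "wiki" entries while the two random 16-character credentials pass, mirroring the mix of random and weak secrets the article describes.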
Cybersecurity experts have warned that as cybersecurity threats evolve, criminal organizations like Ransomhouse will multiply — namely, threat actors who infiltrate systems just to exfiltrate data rather than encrypt it. Enterprise cybersecurity company Cyberint warned of exactly this kind of threat last year in a blog post.
"One of Cyberint's predictions about the ransomware landscape in 2022 is that ransomware groups will develop and make efforts, when possible, to request payment for stolen data only, and eliminate the encryption phase in their campaigns,"
Ransomhouse shares other similarities with ransomware groups, including blaming cyberattack victims for cybersecurity incidents.
"We believe that the culprits are not the ones who found the vulnerability or carried out the hack, but those who did not take proper care of security," the group writes on its onion site.
Cyberint said of Ransomhouse that "the group's obvious drive is personal gain," and they appear to be "disgruntled bug bounty hunters," looking to be taken more seriously by the companies on which they do penetration testing.