RansomHub group says it was behind Christie's attack, threatens to release private data of half a million customers


The recent cyberattack at auction house Christie’s, which took the company’s website offline hours before a major event, appears to now be confirmed as a ransomware incident.

A hacking collective calling itself RansomHub has claimed responsibility for the attack, also saying it stole sensitive information about Christie’s customers.

The iconic auction house was forced to set up an entirely new website for live auctions after its main domain was brought down days before it was planning on auctioning roughly $840 million worth of art.

Born out of ALPHV

Now, RansomHub has posted a new thread on a dark web site, claiming responsibility for the attack and saying it grabbed customer names and birth dates. At this moment it is impossible to verify the authenticity of the claims, but given RansomHub’s history, it’s possible they are telling the truth.

RansomHub was born out of the disappearance of the ransomware-as-a-service known as ALPHV, or BlackCat. 

With a ransomware-as-a-service model, one group builds and maintains the malware while others, called affiliates, do the actual breaching and encrypting. When affiliates successfully extort money from a victim, they keep a share of it, while the rest goes to the developers. When an ALPHV affiliate breached Change Healthcare earlier this year, it allegedly extorted $22 million from the healthcare giant. However, when it was time to split the proceeds, the developers took all of it and disappeared, leaving the affiliate with roughly 4TB of stolen sensitive data.

This affiliate was later named RansomHub and it tried, on its own, to extort Change Healthcare again. 

In Christie’s case, the group said it would release the data by the end of May, since it couldn’t come to an agreement with the company.

Via The New York Times


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.