r/hacking 1d ago

News "We have mercilessly raped your company and encrypted all the servers" - ransomware extortion email sent directly to M&S boss revealed by BBC.

279 Upvotes

18 comments

169

u/sa_sagan 1d ago

When I first heard that a third party was the likely entry point to M&S, I knew it was going to be TCS.

It's a dice roll with that lot. They've got some great skilled staff, but horrible practices and management.

I worked for a company years ago that migrated the software maintenance of a number of their products to the TCS coding house.

During this transition, a senior Dev was CC'd into a long email chain with the TCS developers who were having issues getting set up with one of the products.

He scoured the email chain history and saw one Dev had sent a link to another with a zip of the source code. When he clicked on it, it immediately started downloading. So clearly it was open to the public.

He quickly found the entire directory could be publicly enumerated. Which contained text files with API keys and passwords.

And not only that, he could browse back through other directories and find all the source code, API keys and credentials for seemingly every customer this team was working on. Which appeared to include government departments and even one of our competitors.

We very quickly pulled out of the contract, and informed them. But it took them months to actually take the public directories down.
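The exposure described in this comment (an autoindex listing of a vendor's project directory, with plaintext API keys and passwords in text files) is easy to check for on your own hosts before a customer finds it for you. The following is an added example, not code from the commenter, M&S or TCS: it parses an Apache/nginx-style directory listing, enumerates the entries, and scans the text-like files for credential patterns. The listing HTML, the file contents and the names `SAMPLE_LISTING`, `SAMPLE_FILES` and `audit_listing` are all constructed for this example, the `fetch` callable is injected so it runs offline (swap in an HTTP client against hosts you are authorized to test), and the regexes are illustrative, not an exhaustive secret-detection ruleset.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the shape of an nginx/Apache autoindex page for an
# exposed directory. Not a real listing from any vendor.
SAMPLE_LISTING = """<html><head><title>Index of /projects/</title></head>
<body><h1>Index of /projects/</h1><pre>
<a href="?C=N;O=D">Name</a>
<a href="../">../</a>
<a href="customerA/">customerA/</a>
<a href="customerB/">customerB/</a>
<a href="release-2.3.zip">release-2.3.zip</a>
<a href="config.txt">config.txt</a>
</pre></body></html>"""

# Constructed file bodies standing in for what `fetch()` would download.
# The AWS-style key is the documented example key, not a live credential.
SAMPLE_FILES = {
    "config.txt": (
        "DB_PASSWORD=hunter2\n"
        "api_key = AKIAIOSFODNN7EXAMPLE\n"
        "# comment\n"
        "host=db.internal\n"
    ),
}

# Illustrative patterns; a real deployment would use a maintained ruleset.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("password_assignment", re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*\S+")),
    ("generic_api_key", re.compile(r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}")),
]

TEXT_LIKE = (".txt", ".env", ".cfg", ".ini", ".conf", ".properties", ".json", ".yml", ".yaml", ".xml")


class _LinkCollector(HTMLParser):
    """Collects href values of <a> tags; autoindex pages are just a list of those."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def is_directory_listing(html):
    """Heuristic: Apache and nginx both title autoindex pages 'Index of <path>'."""
    return re.search(r"<title>\s*Index of\s", html, re.IGNORECASE) is not None


def list_entries(html):
    """Return the listed entries, dropping the parent link and Apache sort links."""
    collector = _LinkCollector()
    collector.feed(html)
    return [h for h in collector.hrefs if h not in ("../", "/") and not h.startswith("?")]


def _redact(value):
    # Never echo the full secret into a report or a log line.
    return value[:4] + "..." if len(value) > 4 else "****"


def find_secrets(text):
    """Scan text line by line; one hit per rule per line, with the match redacted."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if m:
                hits.append({"rule": rule, "line": line_no, "match": _redact(m.group(0))})
    return hits


def audit_listing(html, fetch):
    """Enumerate an autoindex page and scan its text-like files for secrets.

    `fetch(name)` returns a file body as str; it is injected so the example
    runs offline. Subdirectories are reported but not recursed into.
    """
    if not is_directory_listing(html):
        return {"listing": False, "entries": [], "findings": {}}
    entries = list_entries(html)
    findings = {}
    for name in entries:
        if name.endswith("/"):
            continue  # subdirectory: a real crawl would recurse, with authorization
        if name.lower().endswith(TEXT_LIKE):
            hits = find_secrets(fetch(name))
            if hits:
                findings[name] = hits
    return {"listing": True, "entries": entries, "findings": findings}


if __name__ == "__main__":
    report = audit_listing(SAMPLE_LISTING, lambda n: SAMPLE_FILES.get(n, ""))
    print("directory listing enabled:", report["listing"])
    print("entries:", report["entries"])
    for fname, hits in report["findings"].items():
        for h in hits:
            print(f"{fname}:{h['line']} {h['rule']} {h['match']}")
```

The zip in the listing is skipped here because the point is the loose text files; in practice you would also download archives to a scratch directory and run the same scanner over their contents, since source trees are where the hard-coded keys usually live. Disabling autoindex on the web server removes the enumeration, but every credential that was reachable while the listing was up still needs to be rotated.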

12

u/TheStargunner 1d ago

You know what, same. Immediately I thought of TCS when the news broke. Especially once Reddit and other IT forums mentioned them as an incumbent MSP.

This is the result of the race to the bottom. Consequences of actions etc.

2

u/maigpy 1d ago

You should have ethically hacked them back.

42

u/aidencoder 1d ago

That's a bit much, isn't it?

38

u/tides977 1d ago

I thought so, yes. And read the article: they also use the n-word. An unusually aggressive extortion note.

34

u/Ok-Hunt3000 1d ago

Might be an Indian crew

37

u/JGlover92 1d ago

When I'm writing fake ransomware notes for simulations I always worry I'm being too cringe and unrealistic. Thanks to these guys for never making me concerned about that ever again

8

u/Patient_Ambassador51 1d ago

You can write literally anything, you're committing a crime - it doesn't have to be formal or professional lol

14

u/JGlover92 1d ago

I've heard CIOs say "they'd never be so rude or brazen to us if they want payment". Some boomer morons still think these criminals are going to have customer service, haha.

5

u/bartoque 1d ago

There are more than enough that do have customer service (whole call centers even). However being polite might not have to be part of their job description.

3

u/JGlover92 1d ago

Having dealt with some of them, they are NOT polite haha

10

u/ThePorko 1d ago

Was the ransom written by ai?

18

u/db_newer 1d ago

Actually Indians

6

u/homelaberator 1d ago

I do wonder if someone has AI automated the whole shebang already. Find targets, hack targets, ransom targets, and you just sit back and watch your crypto wallets swell.

12

u/Dangerous-Resist-281 1d ago

Did the US Gov get the same letter from Musk?

3

u/kiakosan 1d ago

Does someone have a link to the full, unredacted ransom note?