cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Crown Resorts files allegedly accessed by ransomware group

Crown Resorts has announced that it has been contacted by a ransomware group claiming to have accessed some of its files.

user icon Daniel Croft
Tue, 28 Mar 2023
Crown Resorts files allegedly accessed by ransomware group
expand image

The company, which is the largest casino operator in the country, said it was contacted by the ransomware group following the data breach of GoAnywhere, a third-party file transfer and cloud provider that Crown Resorts uses.

“We were recently contacted by a ransomware group who claim they have illegally obtained a limited number of Crown files. We are investigating the validity of this claim as a matter of priority,” said a Crown Resorts spokesperson.

“We can confirm no customer data has been compromised and our business operations have not been impacted.


“We are continuing to work with law enforcement and have notified our gaming regulators as part of the ongoing investigation and will provide relevant updates, as necessary.”

Crown Resorts is just one of many companies that have been affected by the GoAnywhere breach, including Australian multinational mining group Rio Tinto and the parent company of Johnson & Johnson and Nestle, Procter & Gamble.

According to the threat group allegedly behind the breach, Clop ransomware, 130 companies have had their data stolen over a 10-day period, with the initial breach occurring on 30 January.

Fortra released a statement days later, on 2 February, saying it was notifying customers and taking steps to prevent further access.

“On January 30, 2023, we were made aware of suspicious activity within certain instances of our GoAnywhere MFTaaS solution,” said Fortra to tech publication Dark Reading.

“We immediately took multiple steps to address this, including implementing a temporary outage of this service to prevent any further unauthorised activity, and sharing mitigation guidance, which includes instructions to our on-prem customers about applying a developed patch.”

A patch was applied days later, at which time Clop ransomware claimed responsibility for the attack.

Fortra’s communication has been heavily criticised by cyber security experts, who have said that the company needed to communicate more openly and faster to assist security teams.

“To prevent further evolvement of a supply chain attack, it is crucial for the first victim in line to communicate openly and in detail about what happened,” said Dirk Schrader, vice-president of security research at Netwrix.

“It helps other links in this chain to be prepared for an upcoming threat and minimises possible damage. It is likely that the current attack was accelerated due to details about this zero-day not being disclosed in a timely manner.”

Similarly, Heath Renfrow, co-founder of Fenix24, said that news of the hack “wasn’t communicated well, challenging even the best security teams to respond”.

Cyber Security Connect has contacted Fortra for comment on the criticism of its communication.

While it is likely that the ransomware group that contacted Crown Resorts is the same Clop ransomware group, this has not been confirmed. Cyber Security Connect has reached out for confirmation.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.