US-Canada water org confirms 'cybersecurity incident' after ransomware crew threatens leak

The International Joint Commission, a body that manages water rights along the US-Canada border, has confirmed its IT security was targeted, after a ransomware gang claimed it stole 80GB of data from the organization.

"The International Joint Commission has experienced a cybersecurity incident, and we are working with relevant organizations to investigate and resolve the situation," a spokesperson for the org told The Register.

The spokesperson declined to answer specific questions about what happened, or confirm the miscreants' data theft claims.

IJC is a cross-border water commission tasked with approving projects that affect water levels of the hundreds of lakes and rivers along the US-Canada border. It also resolves disputes over waters shared between the two countries. 

On September 7, the NoEscape ransomware crew listed IJC as a victim on its dark-web site, and claimed it breached the commission's network, and then stole and encrypted a flood of confidential data. This info, according to the crooks, included contracts and legal documents, personal details belonging to employees and members, financial and insurance information, geological files, and "much other confidential and sensitive information."

The cyber-crime gang has given the IJC ten days to respond to its ransom demand, or it may make the swiped info public. 

"If management continues to remain silent and does not take the step to negotiate with us, all data will be published," the NoEscape leak notice threatened. "We have more than 50,000 confidential files, and if they become public, a new wave of problems will be colossal. For now, we will not disclose this data or operate with it, but if you continue to lie further, you know what awaits you."

• Caesars says cyber-crooks stole customer data as MGM casino outage drags on
• Save the Children hit by ransomware, 7TB stolen
• Airbus suffers data leak turbulence to cybercrooks' delight
• Ransomware attack hits Sri Lanka government, causing data loss

The IJC spokesperson contacted by The Register declined to comment on the ransom demand or if the commission would pay.

Who is NoEscape?

NoEscape is a ransomware-as-a-service operation that appeared in May and takes a double-extortion approach. That means instead of simply infecting victims' machines with malware, encrypting their files and demanding a ransom to release the data, the crooks first steal the files before locking them up. They threaten to leak the information, as well as withhold the decryption keys, if the victims don't pay the ransom.

NoEscape operators do not target organizations based in the former Soviet Union. This is a similar MO to other ransomware groups, such as the now-defunct Conti and Black Basta, which also avoid infecting Russian companies and government agencies.

The gang is believed to be a rebrand of Avaddon – another ransomware crew that shut down and released its decryption keys in 2021, according to Bleeping Computer.

During its brief criminal tenure to date, NoEscape has extorted the University of Hawaii, which reportedly paid the ransom; Italian technical consultancy Kreacta; Lithuania's Republican Vilnius Psychiatric Hospital; and Taiwanese electronic connector manufacturing company Avertronics, among others. ®