On-demand moving and delivery platform, Dolly.com, is grappling with the aftermath of a ransomware attack that has exposed sensitive customer data. The Cybernews research team suggests that Dolly.com fell prey to cybercriminals who, despite the company’s alleged partial payment of the ransom, reneged on their agreement and proceeded to publish the stolen data.
The attackers, utilizing a Russian-language forum commonly frequented by ransomware operators and data traders, detailed the breach and its aftermath. Dolly.com, operating in 45 US cities, connects users requiring moving assistance with “Dolly helpers” for their services.
The cybercriminals reportedly breached Dolly.com’s systems in late August or early September. An email exchange dated September 7th revealed that the company opted to pay the ransom in exchange for the deletion of stolen information. The compromised data includes high-level account login details, credit card information, customer addresses, names, registration dates, user emails, and system data.
According to the cybercriminals, Dolly.com’s payment was deemed insufficient, leading them to disregard their agreement. Instead of returning the payment, the attackers published the stolen data on a criminal forum, sharing a conversation with the company.
The compromised information encompasses at least the last four numbers and the type of credit cards, with claims of access to the entire credit card data. The criminal forum post also disclosed entry points for MongoDB instances on Amazon Web Services (AWS) cloud, along with admin credentials for internal Dolly.com systems. Additionally, 95 AWS S3 bucket names, including backups, were exposed in the post, considered sensitive data.
Dolly.com paid the ransom to prevent the attack from going public, but the cybercriminals considered the sum inadequate. In response, they publicized the hack, announced a data auction, and provided sample files and downloadable archive dumps. Although the downloadable files were removed after being accessible for at least a week, the incident underscores the untrustworthiness of ransomware operators.
