Ransomware: This is behind the hacker attack on Comparis.ch

The Swiss Internet comparison service comments on a ransomware attack. The attackers belong to a little-known, aggressive gang.

Image: Shutterstock

“Pay or suffer” – that’s behind the hacking attack on Comparis.ch

Internet criminals have infiltrated the Swiss comparison service, stolen and encrypted data. The same group is responsible for Germany’s first “cyber disaster”.

Daniel Schurter
Daniel Schurter


“Unfortunately we have to reckon with everything at the moment.”

What do the eastern German district of Anhalt-Bitterfeld and the Swiss Internet comparison service Comparis have in common? Both have fallen victim to a relatively new gang of internet blackmailers. Her name: “Grief” (in German sorrow, sorrow). The unknown criminals penetrated the IT systems of the organizations concerned unnoticed, spied on them and struck. That is, they stole files and encrypted the originals.

Those responsible in East Germany felt compelled to declare the first “cyber disaster”. And the Comparis services were not available for a long time.

However, it did not stop at encrypting the data, as watson research shows. Stolen company documents are now available on a darknet website (more on this below).

watson asked Comparis.

Comparis takes a position

How does Comparis react to the publication of the stolen data on a darknet website?

To do this, writes Andrea Auer, Co-Lead Research & Media Relations:

«The data you mentioned is internal company data. Customer-relevant data are not affected. We have already reacted in advance by transparently informing all of our users about possible theft of data. We cannot say for sure what data the hackers actually have. This is the subject of further clarifications and cooperation with the investigative authorities. “

Is it to be feared that there will be further publications? What can Comparis say about the extent of the data theft?

«Unfortunately we have to reckon with everything at the moment. Based on the recommendations of the canton police and cybersecurity experts, we cannot give any detailed answers on the extent of the theft. “

Why was it communicated relatively late that customer data was affected?

“We informed the public promptly after the attack and one day later we published an update with the latest findings on the case, including a reference to possible access to customer-relevant data by the hackers.

The latest findings have required complex and lengthy analyzes. We have also agreed with the Zurich canton police on how to proceed. As soon as we were able to do so, we informed them. We very much apologize for the inconvenience caused by the attack. “

The Zurich canton police write of an “organized cyber attack” that was “carried out with a high level of criminal energy”. What findings are now available on the attack method? How did the criminals break into the company network?

“For security reasons, we cannot provide any information on this.”

Last night, Comparis users were asked by email to urgently change their passwords. Were the passwords saved in plain text on the Comparis server?

«Passwords are stored in encrypted form. This is purely a precautionary measure and a common recommendation in such cases. “

* The questions were answered by email.

Who are the attackers?

A relatively new group called “Grief”. The unknown criminals first appeared this spring with ransomware attacks on companies.

According to a report by the IT security company Tetra Defense, the Internet blackmailers are acting very aggressively in order to intimidate their victims and get them to pay.

“Now we are defining the rules of the game, fuck about discounts, fuck about negotiations, fuck about wasting time … Pay or suffer. This is our statement »

Earlier statement by internet blackmailers

At the end of May, this group claimed that it was “the new generation” of ransomware actors who refused to accept discounts or lengthy negotiations.

The Tetra Defense report states that if the ransom demand is not met, the group will start releasing data 6 to 7 days after the victim’s IT system is first encrypted. This resulted from an analysis of the information available so far.

The encryption attack on the Comparis network took place on July 7th. On July 8, the company announced through a spokesman that it had not and will not pay a ransom.

Another five days later, the Internet blackmailers published a blog post about Comparis on their darknet website, which can only be accessed in encrypted form via the Tor browser. There is also a link to an allegedly 87 megabyte (MB) file in ZIP format.

According to the time indicated on the Darknet website, the publication took place on July 12, 2021.

According to the time indicated on the Darknet website, the publication took place on July 12, 2021.

screenshot: watson

The Comparis services were available again as normal a few days after the attack. The administration of the district in Saxony-Anhalt was hit worse. The East Germans have to largely suspend their services to the citizens for two weeks. This after Grief attacked on July 6th. A file provided by Internet blackmailers on the Darknet contains over 200 MB of data.


The hottest pools you can find on the internet right now

1 / 25

The hottest pools you can find on the internet right now

When Google reads out Swiss memes …

You might also be interested in:

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.