Cybersecurity Artist agency Goodwin victim of ransomware

Cyberhackers have attacked the servers of the prestigious Goodwin Agency, which represents dozens of artists and animators, including Michel Tremblay, Paul Arcand, Anne Dorval, Denys Arcand, Chrystine Brouillet and Michel Charette.

Posted on Oct 12, 2021. Hugo Joncas, La Presse

Hackers from the Russian-speaking group Conti specialize in ransomware attacks. They usually steal the targeted data before damaging it by encrypting it. The victim then has to pay a sum of money to get the data back and prevent it from ending up online.

Goodwin claims to have restored the situation, but the agency does not know what information the hackers were able to access, and whether they indeed exfiltrated it.

“We received a message threatening to leak data,” explains Nathalie Goodwin, one of the agency’s associates. “They fetched information from our servers.”

An employee noticed that something was wrong on the morning of October 8 when she wanted to consult the schedules of comedians on the site. The page displayed in Chinese.

The team then contacted their IT consultant, who realized that the password to access the servers had been changed. He understood that the agency was the victim of a computer attack and disconnected the systems.

This quick action allowed Goodwin to limit the damage.

“There was still this threat hanging over a certain amount of corporate data that they were going to publish if we didn’t contact them, which we haven’t done yet,” explains Nathalie Goodwin.

The Montreal police cybercrime team contacted the agency to make sure they were aware of the attack, which they were.

"All our customers and employees have been duly notified, as they should be, and informed of the measures to be taken personally", assures Nathalie Goodwin.

According to the agency's verifications, the hackers used Microsoft's Outlook email software.

Data likely stolen

The cybercriminals who hit Goodwin likely already stole information from the targeted server, notes Brett Callow, cyber threat analyst for antivirus firm Emsisoft.

"Like many other gangs, Conti steals victim's data before deploying ransomware that encrypts the files," he says. "If it does not pay, or not quickly enough, Conti publishes the stolen data on its site."

According to a recent report from the US Cybersecurity and Infrastructure Security Agency (CISA), the gang has become one of the most active in ransomware in recent months, with "more than 400 attacks" to its credit by the end of September.

Conti was used to carry out the serious attack that paralyzed the Irish health system in May, as explained in this article from the daily Le Monde.

CISA, like another report from the French Information Systems Security Agency, classifies Conti as “ransomware-as-a-service”: ransomware for rent. The program is thus offered to other gangs, who use it to extort their own targets.

In Quebec, Conti was used to attack the Hurons of Wendake and the distributor of electrical equipment Guillevin International in 2020, then the MRC Antoine-Labelle, in the Laurentians, in August.

Information for sale

Four days after the Goodwin attack, on October 12, the agency found itself on the site of the "cartel", as Conti calls itself.

Just at the top of the page, the gang issues a warning to its “customers” (read “victims”) who do not contact them after an attack. "If you're a customer who declined the offer and you can't find your data on the cartel site or can't find sensitive files, that doesn't mean we forgot about you, it just means that the data was sold and then we removed it from free access!" its site states in English.

For now, in the page dedicated to Goodwin, the gang only displays professional contact details of employees and basic information about the agency.

Nathalie Goodwin says she "wouldn't want to fall into the trap of paying a ransom". "I don't think it's a good thing to do that."

The American authorities agree with her and "strongly advise against" giving in. "Paying a ransom risks emboldening hackers" and "does not guarantee that the victim's files will be recovered," the CISA report said.

Right next to the Goodwin text, Conti's site mentions other recent victims and offers stolen data for free download.

This is the case, for example, of one of the very last victims of the gang, JVCKenwood. Conti began posting dozens of files stolen from the Japanese electronics company in September.