Conti Ransomware Gang Strikes ‘Jeweler to the Stars’

November 1, 2021 | 3 minute read

What do Oprah Winfrey, Donald Trump, and David Beckham have in common? Apparently, they are all clients of Graff—known as the “Jeweler to the Stars” because of its clientele of Hollywood A-listers and affluent who’s who in the world. Now they have something else in common—their personal details were leaked on the Dark Web by the Conti ransomware gang following an attack on Graff. 

According to a report from the Daily Mail, the cybercriminals leaked 69,000 confidential documents as a preliminary show of force, so to speak. The threat actors are demanding a ransom of tens of millions of dollars to decrypt the Graff systems and prevent further sensitive information from being released. 

The Conti ransomware group claims to have exfiltrated sensitive data on about 11,000 Graff clients. The documents Conti has include client lists, receipts, invoices, and credit notes. They said that the 69,000 files leaked so far represent about 1% of the data they have in their possession. 

Cybereason recommends not paying ransoms as it doesn't pay-to-pay unless it is a matter of life and death or national emergency. In fact, a recent Cybereason ransomware study of more than 1,200 global organizations shows that 80 percent of organizations that paid a ransom were hit a second time, often by the same attackers. That said, the clients of Graff have tremendous financial resources and a vested interest in ensuring their private information is not made public. 

Conti Ransomware 

The Conti ransomware group has caused a great deal of damage in a relatively short period of time—making headlines around the world. It didn’t come from nowhere, though. Ransomware gangs constantly shift and evolve and rebrand over time, and Conti is identified as a successor to Ryuk ransomware. 

Prior to actually deploying the ransomware payload, the Conti attackers attempt to infiltrate the network and move laterally throughout the organization. The group is not satisfied just causing damage to the initial infected machines. They spread via SMB and encrypt remote machines as well. It is not just a malware exploit—but rather a complex ransomware operation—or RansomOp

The Conti gang has released multiple new versions of the ransomware, improving and expanding the capabilities in each version. The Cybereason Nocturnus Team assesses the threat level of the Conti gang as High given the destructive potential of attacks. 

Graff Ransomware Attack

It could be many weeks before we really know the overall impact of the attack on Graff. One thing is true, though--organizations with deep pockets are more likely to pay a ransom than others, and the high-profile nature of the Graff clientele may make them more likely than most to pay the ransom demand. 

It is a little surprising that Conti claims that 69,000 is 1% of what they stole. That implies they exfiltrated less than 7 million files—which is a very small number, relatively speaking. An average machine has tens of thousands of files, so it seems like they may have only compromised a couple hundred systems unless their math is wrong or the targets for data exfiltration are very targeted. 

Regardless, though, it’s a big deal for the 11,000 clients involved. The information the Conti gang stole could prove to be embarrassing. A celebrity raising thousands for a cause might face backlash if it revealed they also spent millions on jewelry. It could also be embarrassing to learn that someone famous bought expensive jewelry for someone other than their spouse. 

There are three primary risks for Graff and its clients from this attack. 

    • Privacy and the security of people should that information wind up in the hands of professional criminals who might literally attack their homes to get said jewelry or worse
    • Personal brand damage
    • Potential spear-phishing attacks

The threat actors understand these risks, and they are aware of the consequences for Graff and Graff clients if this data is leaked. When they target organizations for theft, they will be persistent, patient and thorough in their attack. Cybereason has been tracking Conti since 2020 and they have conducted hundreds of ruthless attacks on organizations around the world from hospitals, law enforcement agencies and critical infrastructure operators. 

Let this newest ransomware attack be a reminder that organizations need to invest now in ratcheting up prevention and detection and improve their resilience. We can meet fire with fire. We can ensure faster detections based on behavioral analytics and end the attack before sensitive data can be exfiltrated and before the ransomware payload can be delivered. 

We can—in short—make material breaches a thing of the past. So, what if they get a toe hold on the ramparts, we can keep them out of the castle by planning and being smart ahead of time and setting up proactive defenses.

Cybereason Security Team
About the Author

Cybereason Security Team

The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.

All Posts by Cybereason Security Team