Cyber Incident Victim: Finalyse
Date: Dec 2020
Location: Belgium
Summary
A Belgian financial consultancy successfully thwarted a ransomware attack by the Avaddon group, restoring operations from backups without paying a ransom. Attackers claimed exfiltration of 98 GB of data, primarily consisting of publicly available Excel files containing market data and pricing information, which the firm assessed as non-confidential and posing no risk to clients or partners. The organization notified customers of the incident, maintaining that no sensitive information was compromised. Despite threat actors threatening to release the data within days, the absence of additional leverage beyond the advertised dataset weakened their position, as the targeted company expressed no concern over the exposed materials.
Description
In December 2020, Belgian financial consultancy firm Finalyse experienced a ransomware attack perpetrated by the Avaddon threat group. The attackers claimed to have exfiltrated 98 GB of data from Finalyse's systems and posted a directory screenshot as proof to pressure the company into negotiations. Finalyse successfully aborted the ransomware encryption process before it could disrupt operations, preventing system lockdown. The company restored affected systems from backups, avoiding operational downtime and paying no ransom. Avaddon threatened to release the stolen data within three days if its demands weren't met, attempting to gain leverage through the threat of disclosure.

Finalyse conducted forensic analysis confirming the attackers had copied Excel files containing pricing information and market data. The company determined the compromised information consisted primarily of publicly available records, with no evidence suggesting theft of confidential client or partner data. Finalyse proactively notified customers via email about the breach starting on December 24, 2020, while emphasizing the low-risk nature of the exposed information. The directory screenshot, intended by Avaddon to demonstrate serious compromise, instead gave Finalyse visibility into the attack's limited scope. With functional backups eliminating encryption leverage and the exfiltrated data containing no sensitive material, Avaddon had no effective bargaining position from which to extort payment from the company.
