Qualys hit with ransomware: Customer invoices leaked on extortionists' Tor blog

Qualys hit with ransomware: Customer invoices leaked on extortionists' Tor blog

Infosec outfit Qualys, its cloud-based vuln detection tech, and its SSL server test webpage, have seemingly fallen victim to a ransomware attack.


Files appearing to originate from Qualys were dumped online this afternoon on the Tor blog of the Clop criminal extortionists.

While Qualys declined to comment immediately, a spokeswoman said the company was aware of the incident and investigating.


While we’re not reproducing those files here because doing so merely fuels the extortionists’ purpose, they appeared to include purchase orders, results of scans of customer appliances and quotations. The nature of the files suggests they were stolen from the admin side of the Qualys business rather than its infosec side.

Ransomware gang specialist Brett Callow, of infosec biz Emsisoft, told The Register: “Entities that have had dealings with Qualys should be on high alert.”


The incident will be hugely embarrassing for Qualys. At the time of writing the precise attack vector was unknown, though Clop has spent the past few months focused on extorting users of Accellion file transfer appliances. In 2016 Qualys itself published research (PDF) into vulns in Accellion devices, though that is no indicator of whether or not the appliances were in use by Qualys itself for their intended purpose.


Jake Moore, security specialist at ESET, opined: “Malicious actors have somewhat matured and now use full-blown extortion tactics to make sure they get what they came for. Going further than simply encrypting data seems so ‘old hat’ now when exfiltrating and selling the data seems that much more lucrative.”


Recent victims of Clop’s Accellion-focused extortion spree qualys ransomware customer invoices leaked extortionists