Ma Labs Ransomware Attack Shakes Up Components Industry

‘They’ve done a poor job communicating with us what’s going on. They basically said that they’re having email issues, and we haven’t received an invoice for the past couple weeks,’ a Ma Labs system builder customer tells CRN.


A reported REvil ransomware attack earlier this month against Ma Labs has left its mark on customers and competitors of the components distributor.

The operators of REvil ransomware claim to have gotten a hold of 949 gigabytes of confidential information from the central servers of Ma Labs in five days, according to threat intelligence firm Cyble, citing a message posted earlier this month to REvil’s leak site. REvil said the attack affected more than 1,000 Ma Labs servers, and claims the distributor didn’t tell the public about the attack.

As a result of the ransomware attack, confidential Ma Labs data from developers’ computers as well as thousands of documents with details of employees, clients and partners are at risk of being leaked online, according to REvil. REvil threatened to start an auction of leaked Ma Labs data in 48 hours from the time of its initial message.


The REvil operators also shared a few screenshots of Ma Labs data they have gotten their hands on through the ransomware attack, Cyble reported. This included email, bank-related files, and certificates for issued shares of stock, according to Cyble. Ma Labs didn’t respond to repeated requests for comment.

“Their systems are compromised and are being analyzed. Such a large company – but a small IT responsibility,” REvil wrote in a message on its leak site. “It’s not pretty.”

An executive at a system builder company that buys components from Ma Labs learned about the ransomware from a CRN reporter Friday. Up until then, he said, he had been wondering what was happening with the distributor after his accounting team stopped receiving emails from Ma Labs employees a week ago.

“They’ve done a poor job communicating with us what’s going on. They basically said that they’re having email issues, and we haven’t received an invoice for the past couple weeks,” said the executive, who asked to not be identified because of his business relationship with Ma Labs. “My accounting team, they were like, ‘Hey, where’s the invoices so that we can pay? We know we receive purchase orders, so we owe you money, what’s going on?’ And they’re just not replying.”

Before Ma Labs employees stopped responding to his accounting team, they were using personal Gmail accounts to ask for payment, according to the executive, which was a major red flag.

“We’re getting sporadic emails from them. But they said, ‘Well, we’re having email server issues,’ And that was it,” he said. “So I didn’t know they were breached. They should have been a little bit clearer with us on communication.”

The executive said he’s not concerned about his company’s financial information being exposed in the data breach because Ma Labs does not have his company’s bank information for direct transfers.

“The best they’ll get is the pricing that I get on components. I’m not really too worried about that,” he said.

The executive said his company only buys motherboards, memory modules and hard drives from Ma Labs but not things like Intel processors because Ma Labs is not an authorized Intel distributor and therefore doesn’t track Intel purchases for the vendor’s partner program.

“We’re on the same team. I just wish they were just a little bit more transparent with what’s happening with the current situation, so we can work with them. We’ll help them. We’ll figure out a way to at least pay our bills,” he said.

Meanwhile, the ransomware attack has created a windfall for competitors of Ma Labs. One top distribution executive, who did not want to be identified, said his company has seen an uptick in component sales from systems makers and solution providers.

“Business is going to other distributors because they have been dealing with the ransomware,” said the executive. “It’s a big challenge for the vendors and customers that were relying on them for components. Their backups were compromised, and they can’t access any of their data. This is a big deal for a lot of our partners. We are seeing an increase in calls from those customers.”

The Ma Labs breach is a signal for all MSPs and solution providers to beware of ransomware breaches, the distribution executive said.

An executive at another competing IT distributor said a major data breach for a distributor could include a variety of financial information, including bank account and credit card numbers, tax identification numbers, social security numbers and potentially driver’s licenses.

“There’s certainly a lot of banking information there and could be other information if you have property or you had other things that you might have to be referencing as a source of why you should be getting certain lines of credit,” said the distribution executive, who asked to not be identified.

The data breach could also reveal Ma Labs’ sources for certain components, which could have negative consequences because Ma Labs is not an authorized distributor for at least some of the components it sells and is considered a grey market seller or broker as a result.

“If you’re a broker, you’re sourcing products probably from somebody who’s maybe not supposed to be selling those products in a way that they are. That person may not want that information showing up,” he said.

For example, a hard drive manufacturer could be selling deeply discounted hard drives to Ma Labs that are supposed to be sold as part of a system, the distribution executive said.

“If that OEM is taking those hard drives and selling them standalone out to alternate channels, say to Ma Labs as an example, that OEM supplier probably is not going to want that information out, because that then impacts their relationship with the manufacturer,” he said.

San Jose, Calif.-based Ma Labs was founded in 1983, employs more than 1,200 people and does roughly $2 billion in sales each year, according to Cyble and the Maze actor. The company has been the largest distributor of Samsung SSDs every year since 2011, and has received accolades such as Seagate distributor of the year for 2018 and 2019 and Outstanding Contribution Partner Award from gaming system maker MSI in 2019.

REvil, also known as Sodinokibi, was behind the massive May 2020 hack of entertainment and media law firm Grubman Shire Meiselas & Sacks, which allegedly resulted in the theft of 756 gigabytes of private documents and correspondence. REvil claimed to have private info on Lady Gaga, Madonna, Nicki Minaj, Bruce Springsteen, Mary J. Blige, Ella Mai, Christina Aguilera and Mariah Carey as a result of the attack.

With Contributions From Executive Editor, News Steven Burke