
Marcus & Millichap hit with possible BlackMatter ransomware

The real estate firm confirmed in an SEC filing this week that it had suffered a recent cyber attack but claimed there was no 'material disruption' to its business.

Marcus & Millichap, a publicly traded real estate investment firm, suffered a recent cyber attack that may have been the work of the BlackMatter ransomware gang, according to a malware sample found on Hatching Triage.

The firm revealed in an 8-K filing with the SEC Monday that it "had been subject to a cybersecurity attack on its information technology systems." Marcus & Millichap claimed that the firm had seen no evidence of a data breach, and it did not identify the attack as a ransomware incident.

"[Marcus & Millichap] immediately engaged cybersecurity experts to secure and restore all essential systems and was able to do so with no material disruption to its business," the filing read. "The Company's investigation of the attack is ongoing; however, at this time there is no evidence of any material risk or misuse relating to personal information."

However, a BlackMatter ransomware sample on Hatching Triage, discovered by Valéry Marchive of TechTarget sister site LeMagIT, showed a ransom note that suggested a connection between the sample and Marcus & Millichap.

Though the ransomware gang's note does not directly name Marcus & Millichap, it does reference systems connected to the domain "mmreibc.prv," which is nearly identical to a domain that the firm owns:

A Malwarebytes forum post from 2010 includes an inquiry from a user alongside a list of files that includes both the mmreibc.prv domain and two direct references to Marcus & Millichap. A Microsoft community post from last year also includes direct references to both the firm and mmreibc.prv.

"If you are not going to contact us in the next 3 days, we will prepare your data for the publications. Your personal company info will be leaked and will be in the news. This will lead to a fall of your stock," the note reads.

The BlackMatter ransomware note also claimed that 500 GB had been stolen.

The status of any potential ransomware negotiations between the victim and BlackMatter is unknown, as the ransom negotiation chat portal is closed.

In the 8-K filing, the company wrote, "[Marcus & Millichap] carries cyber insurance, which it expects will cover the majority of costs related to this incident."

SearchSecurity contacted Marcus & Millichap for comment on whether the incident was a BlackMatter ransomware attack and whether the company paid a ransom to the threat actors. A spokesperson sent the following statement:

"Marcus & Millichap's 8-K filing stands on its own and best provides the context of what occurred and how we responded to a cyberattack. In keeping with our tradition of placing the highest priority on corporate systems, client service and agent and originator support, we immediately deployed all necessary resources to respond to the incident. As mentioned in the filing, we were able to restore all essential systems and at present there is no interruption to our business."

The BlackMatter ransomware gang first appeared in July. At the time, threat intelligence vendor Flashpoint said that the threat actor had similarities with ransomware heavyweights REvil and DarkSide, and that it was looking for large-scale victims.

LeMagIT editor-in-chief Valéry Marchive contributed to this article.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
