Telecom Argentina, one of the country’s largest Internet Service Providers (ISPs), has suffered a major ransomware attack, according to a local report. The cybercriminals behind the attack demanded US$7.5 million in the Monero cryptocurrency to unlock the encrypted files, but the company says that it has restored access to its systems and that it has not caved in to the extortionists’ demands.
The attack, which took place over the weekend, apparently didn’t have a sizeable impact on services provided by the company – the internet connection didn’t go down, nor were the landlines or any of its other services disrupted. However, there was some impact on systems that provide remote customer service.
The payload was delivered in an email attachment that was downloaded and opened by one of the employees. The attackers ultimately hijacked an internal Domain Admin account and used it to spread the infection to over 18,000 workstations. Having spotted the intrusion, the company sent out an internal communication to its customer service employees about the incident.
The notice, which was later also shared by employees on various social media platforms, urged staff to minimize access, including through VPN, to the corporate network. The employees were also told not to open emails from unknown addresses and to turn off any compromised computers immediately.
According to ZDNet, the company was hit by Sodinokibi, also known as REvil, a ransomware family also described in ESET's recent Threat Report. Besides demanding a payment to unlock access to the files, the operators of the Sodinokibi ransomware are known to ramp up pressure on victims by threatening to leak their sensitive information online.
In recent years, the ransomware scourge has affected organizations of all sizes, including small businesses, healthcare providers and city governments. In 2018, the US city of Atlanta was struck by an especially costly ransomware attack.
An executive audience could benefit from perusing ESET’s white paper on how enterprises can mitigate the risks of ransomware attacks. In recent years, the Remote Desktop Protocol (RDP) has become an increasingly popular attack vector for ransomware-wielding gangs, who typically brute-force their way into a poorly secured network, elevate their privileges to admin level, disable or uninstall security solutions and then run ransomware to encrypt crucial company data.