Telecom Argentina Hit with $7.5 Million Ransom – Expert Commentary

Over the weekend, the REvil (Sodinokibi) ransomware group targeted Telecom Argentina, one of the country's largest internet service providers. The group is demanding $7.5 million in ransom, a sum that will supposedly double after three days. The incident reportedly caused no disruption to the ISP's customers, but the company's official websites have been down since Saturday, and around 18,000 computers were infected after the attackers gained control of an internal domain administrator account.

4 Expert Comments
Dean Ferrando, Systems Engineer Manager – EMEA
July 22, 2020 9:24 am

The overwhelming tendency is to focus on the ransomware itself in these types of cases, but ransomware doesn’t magically appear on a system. Organizations that are concerned about ransomware should assess how well they’ve deployed basic controls like vulnerability management, secure configurations, and email protections. The first line of defense against ransomware is to prevent it from getting inside in the first place.

Ransomware makes headlines, in part, because it’s always detected. It has to be, in order to get the ransom paid. Keep in mind that if self-announcing ransomware can get in, so can much more stealthy attackers.

Tarik Saleh, Senior Security Engineer and Malware Researcher
July 22, 2020 9:20 am

The majority of spam emails, and clearly the one that a Telecom employee unfortunately clicked on, have the goal of getting the victim to infect their own computer with malware. "Soft targeted" email is often the vessel for malicious attachments; for instance, an email may be sent to an HR employee with a .pdf of a job seeker's resume. In actuality, the resume is an attachment that contains embedded ransomware or malware. In these instances, the infection that this phish brought in can now spread from the PC to other networked devices, including the cloud. It is purported that 88 percent of phishing emails contain ransomware attachments, according to Proofpoint's "2020 State of the Phish Report."

The good news is that cybersecurity awareness training across all departments can significantly reduce the likelihood of an employee clicking on the wrong link or opening the wrong attachment. The bad news is that the risk will never be reduced to zero, and that cybercriminals may use many other creative techniques to make their way into the network and deploy ransomware from there. This further goes to show how much security should be a holistic effort.

Ilia Kolochenko, Founder and CEO
July 21, 2020 3:26 pm

The unusually high amount of the demanded ransom may indicate that the attackers got full access to the crown jewels of the allegedly breached ISP. The US Secret Service already raised an alert earlier this year saying that MSPs and organizations like ISPs are now increasingly targeted by cybercriminals. Given the amount of confidential client data they handle, or the critical business services they supply, these victims are highly susceptible to swiftly paying the ransom to prevent damage and make sure the incident stays low-profile.

A highly competitive market drives aggressive cost-cutting and a fight for survival among technology companies, which eventually start reducing their cybersecurity expenses to the detriment of the clients whose data they are supposed to protect. The pandemic spurs the risks through work-from-home environments, mushrooming shadow IT, and exhausted cybersecurity personnel. Therefore, we should expect further growth of sophisticated attacks against technology companies and ISPs in a bloodthirsty hunt for the customers.

Mark Bagley, VP of Product
July 21, 2020 1:17 pm

This is likely to be one of the more expensive ransomware attacks this year. A security program that included network segmentation, preventing the lateral movement of an adversary, would have been decisive in mitigating this situation. Legacy approaches that focus on stopping an adversary at their initial attempts to access targets of interest will continue to fail. Companies must design their security programs to minimize the impact when an adversary successfully infiltrates their network.

This control of lateral movement is imperative to preventing many other adversary behaviors. Preventing an adversary from using credentials harvested from one system elsewhere in the network, a technique called "credential stuffing" when automated, is one crucial way organizations can reduce the damage of an attack. Given the increases in sophistication and automation that have been observed in recent attacks, it's not enough to address cyber threats as they happen. A proactive cybersecurity approach is vital and should include continuous testing of security posture to identify exposures and improve defenses before adversaries apply exploits to them.
