Telecom Argentina, the largest telecommunications company in the country, was hit by a ransomware attack involving the Sodinokibi ransomware group. The attack disrupted internal systems of the telecom company. The ransomware gang is demanding $7.5 million in Monero (XMR) cryptocurrency, and the amount would double if the company fails to pay within 48 hours. This is the second encryption attack against an internet service provider after the same ransomware gang attacked Sri Lanka Telecom. It is also likely to be the most expensive ransom demand by a ransomware operator this year. The Argentinian telecoms giant has not indicated whether it will pay the ransom.
The ransomware attack timeline
The ransomware attack occurred on July 18, according to El Tribuno. Employees started having problems accessing databases and internal VPNs.
The company’s call center was the main target of the ransomware attack, leading to the suspension of customer care services. The company said the ransomware attack did not affect its landline, mobile, or internet services.
However, a report emerged claiming the ransomware attack caused extensive damage to the internet service provider’s network, affecting more than 18,000 workstations. The report also implicated the REvil ransomware gang, also known as Sodinokibi. The group acknowledged responsibility for the ransomware attack by sharing a screenshot of the website on social media.
The company detected the ransomware attack immediately after it occurred and warned its employees to avoid connecting to the corporate network. Additionally, Telecom Argentina told employees to avoid using VPNs or opening emails containing attachments from unknown email addresses. The notice also advised employees to turn off any infected computers to prevent the spread of the virus.
REvil indicators of compromise
It remains unclear how the ransomware operators gained access to the company’s network. However, initial investigations suggested the hackers gained access through a malicious email to one of the company’s employees. There is also speculation that the attackers hijacked a domain admin account and used it to spread the infection across the network. Another possible point of entry is exploitation of the company’s Citrix server infrastructure.
Mark Bagley, VP for Product at AttackIQ, says that implementing network segmentation and having a program to prevent lateral spread of the virus could have stopped the attack before it spread.
“This is likely to be one of the more expensive ransomware attacks this year. A security program that included network segmentation, preventing the lateral movement of an adversary, would have been decisive in mitigating this situation.”
He added that traditional countermeasures cannot succeed in stopping modern threats.
“Legacy approaches that focus on stopping an adversary at their initial attempts to access targets of interest will continue to fail. Companies must design their security programs to minimize the impact when an adversary successfully infiltrates their network.”
The REvil ransomware gang specializes in exploiting unpatched network systems to infiltrate corporate systems and spread laterally. Telecom Argentina ran Citrix VPN servers as well as Citrix instances vulnerable to CVE-2019-19781, according to information provided to ZDNet by security firm Bad Packets.
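The lateral movement described above (a hijacked domain admin account used to reach many hosts, which segmentation is meant to contain) leaves a recognisable trace in authentication logs: one account producing network logons to many distinct hosts within minutes. The following is an added example, not code from the original article or from any of the companies it names. It runs a simple fan-out heuristic over constructed, simplified logon records (one line per Windows Security Event ID 4624, network logon type 3); the line format, account names, hostnames and addresses are all assumptions made for the example and do not correspond to the real incident.

```python
"""
Lateral-movement fan-out heuristic: flag an account that authenticates to
`threshold` or more distinct hosts within a sliding time window.

The log lines are constructed sample data in a simplified one-line format
(not the real Windows event XML); they are not from Telecom Argentina.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. "\\" in the Python literal yields a single
# backslash, so the parsed account is e.g. CORP\da-admin.
SAMPLE_EVENTS = """
2020-07-18T02:01:10 EventID=4624 LogonType=3 Account=CORP\\alice Host=WS-0101 SrcIP=10.10.5.21
2020-07-18T02:01:40 EventID=4624 LogonType=3 Account=CORP\\svc_backup Host=FS-01 SrcIP=10.10.5.9
2020-07-18T02:02:05 EventID=4624 LogonType=3 Account=CORP\\da-admin Host=WS-0101 SrcIP=10.10.5.50
2020-07-18T02:02:09 EventID=4624 LogonType=3 Account=CORP\\da-admin Host=WS-0102 SrcIP=10.10.5.50
2020-07-18T02:02:14 EventID=4624 LogonType=2 Account=CORP\\bob Host=WS-0200 SrcIP=-
2020-07-18T02:02:21 EventID=4624 LogonType=3 Account=CORP\\da-admin Host=WS-0103 SrcIP=10.10.5.50
2020-07-18T02:02:30 EventID=4624 LogonType=3 Account=CORP\\svc_backup Host=FS-02 SrcIP=10.10.5.9
2020-07-18T02:03:02 EventID=4624 LogonType=3 Account=CORP\\da-admin Host=FS-01 SrcIP=10.10.5.50
2020-07-18T05:40:00 EventID=4624 LogonType=3 Account=CORP\\alice Host=WS-0102 SrcIP=10.10.5.21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Host=(?P<host>\S+) SrcIP=(?P<src>\S+)$"
)


def parse_events(text):
    """Return successful network logons (4624, type 3) as dicts; skip the rest."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the run
        if m["eid"] != "4624" or m["lt"] != "3":
            continue  # interactive/other logon types are not lateral movement signals here
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "account": m["acct"],
            "host": m["host"],
            "src": m["src"],
        })
    return events


def find_fanout(events, window=timedelta(minutes=5), threshold=3):
    """One alert per account whose logons reach >= threshold distinct hosts inside `window`."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start until it spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["host"] for e in evs[start:end + 1]}) >= threshold:
                first = evs[start]["ts"]
                in_window = [e for e in evs if first <= e["ts"] <= first + window]
                alerts.append({
                    "account": account,
                    "first_seen": first,
                    "hosts": sorted({e["host"] for e in in_window}),
                    "sources": sorted({e["src"] for e in in_window}),
                })
                break  # report each account once
    return alerts


if __name__ == "__main__":
    for alert in find_fanout(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['account']} reached {len(alert['hosts'])} hosts from "
              f"{alert['sources']} starting {alert['first_seen']}: {alert['hosts']}")
```

In the sample, only `CORP\da-admin` trips the rule: four hosts in under a minute from a single source address, which is the pattern a segmented network would block at the boundary between workstation and server segments. Service accounts that legitimately touch a few hosts stay under the threshold, so tune `window` and `threshold` to the baseline of each account class rather than using one global value.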
REvil ransomware threatens to publish data belonging to companies that refuse to pay. However, the ransomware gang has not listed Telecom Argentina’s data on its leak website. The ransomware gang earlier claimed it had damaging information against Donald Trump after hacking the Grubman Shire Meiselas & Sacks law firm.
Ilia Kolochenko, Founder & CEO of web security company ImmuniWeb, pointed out that the unusually high ransom demand was indicative of a deep level of compromise.
“The unusually high amount of the demanded ransom may indicate that the attackers got full access to the Crown Jewels of the allegedly breached ISP. The US Secret Service has already raised an alert earlier this year saying that MSP and organizations like ISP are now increasingly targeted by cybercriminals. Given the amount of confidential clients’ data they handle or critical business services they supply, these victims are highly susceptible to swiftly paying ransom to prevent damage and make sure the incident stays low-profile.”