A major Argentinian ISP has become the latest organization to be hit by a serious ransomware attack, with cyber-criminals demanding millions in payment by today.
Telecom Argentina is thought to have been compromised last week. One insider posted the purported ransom note to Twitter, as well as what appears to be an online placeholder from the firm.
The firm’s official website is currently down and local reports suggested that employees started having trouble accessing internal VPNs and databases as early as last Wednesday.
As most employees are working from home, the incident appears to be causing major disruption to productivity at the firm, with staff being told not to log on to corporate resources.
Reports on social media suggest the REvil (Sodinokibi) group may be behind the attack. If the firm has not paid by the end of today, the attackers are threatening to double the ransom, to be paid in Monero.
The group is known to have targeted vulnerabilities in Citrix and Pulse Secure remote access systems in the past, although it’s not clear at this stage how they compromised Telecom Argentina.
REvil also often steals data belonging to victim organizations, with the now-common strategy of threatening to release sensitive details unless a ransom is paid. It even claimed to have obtained incriminating details on Donald Trump earlier this year after an attack on New York law firm Grubman Shire Meiselas & Sacks.
However, there is no indication so far that data was stolen from Telecom Argentina.
Founded in 1990, the Buenos Aires-headquartered firm has over 16,000 employees and owns one of only three mobile phone operators in the country.
Mark Bagley, VP of product at AttackIQ, argued that this could be one of the most expensive ransomware attacks of the year.
To mitigate the risk of such attacks, organizations must focus on detecting lateral movement inside networks, combating credential stuffing and conducting regular testing, he added.
“A security program that included network segmentation, preventing the lateral movement of an adversary would have been decisive in mitigating this situation,” Bagley argued.
“Legacy approaches that focus on stopping an adversary at their initial attempts to access targets of interest will continue to fail. Companies must design their security programs to minimize the impact when an adversary successfully infiltrates their network.”