An Argentine telecommunications provider, Telecom Argentina, reportedly fell prey to a ransomware attack on July 18, 2020. The effects of the attack were first noticed when Telecom’s employees began experiencing problems and lag in their systems while accessing the company’s VPN (virtual private network). The internal security systems instantly set off alarms, but not before the ransomware had been installed on over 18,000 workstations. According to reports and screenshots shared on Twitter, the ransomware gang demanded a ransom worth $7.5 million in Monero (XMR) cryptocurrency.
— Alex Krüger (@krugermacro) July 19, 2020
The Ransomware Attack as it Happened…
- The attack was initiated in the early hours of July 18, 2020.
- It affected more than 18,000 internal systems of Telecom Argentina.
- The ransomware was reportedly targeted at the company’s customer relationship management (CRM) software, Siebel, which holds client data.
- Telecom’s internal systems and software, including Office365, OneDrive, the corporate VPN, Citrix, Genesys, and the Customer and Field Service virtual machines, were also affected.
- Its users’ internet or telecommunication services were not affected.
- Reports suggest that the REvil (better known as Sodinokibi) ransomware operators were behind this attack.
- The operators demanded 109345.35 Monero coins (worth approximately US$7.53 million) as ransom in exchange for the decryption key.
Although Telecom Argentina has given no official statement about the source of the compromise, researchers suggest that it could have started with an employee opening a malicious email attachment that triggered the entire chain of events. However, the Sodinokibi ransomware operators are better known for exploiting network and code vulnerabilities, such as remote code execution flaws, to reach their victims. If the email theory holds true, the gang may also have added phishing to its arsenal of initial-access techniques.
Telecom Argentina also confirmed that none of its dependent services were affected, and as remedial measures it has asked its employees to watch out for malicious email attachments and suspicious activity on its networks.