If China Mobile or China Telecom were hacked one day, it would be a modern version of the end of the world... Would your first reaction be that there is no network and no signal, which means you are basically isolated from the world?

On July 19, 2020, Beijing time, a group of users began posting messages on Twitter, speculating that Argentina's largest telephone company had been hit by ransomware. Soon after, cryptocurrency analyst Alex Krüger tweeted to confirm that this was true.

To sum it up in one sentence: Telecom Argentina (or you can think of it as Argentina's "mobile") was hacked and held to ransom. If the full $7.5 million in Monero is not paid within two days, the ransom will be doubled.

Background

Sociedad Licenciatario Norte SA, also known as "Telecom SA", is the largest telephone service company in Argentina. In this incident, the ransomware targeted Windows hardware such as OneDrive and Office365 on the staff's computers, while users' landlines, mobile phones and Internet services were not affected.

Before the ransomware attack was confirmed, some employees found that the company's VPN was inaccessible and that its Siebel system, which was used to access the Personal, Arnet, Telecom and Fibertel databases, was not functioning properly. Based on this situation, there was speculation at the time that the attack might have been delivered to an employee as an email attachment. The Telecom technical team immediately advised the operator to disconnect from the server and not to open any such files or emails.

According to the hackers, all the attacked files have been locked with code by the attackers, and Telecom must pay a ransom of up to US$7.5 million in Monero. If the hackers do not receive the ransom within 48 hours, the ransom will double to US$15 million.

Screenshot source: Twitter

Ransomware incident analysis

After the ransomware incident, some analysts said that the attack came from REvil ransomware, also known as Sodinokibi.
In the first half of this year, there were nearly ten ransomware incidents caused by REvil alone. It threatened to expose the legal affairs information of dozens of global music and movie stars (including Lady Gaga, Elton John, Robert DeNiro and Madonna), and even issued a statement that if the ransom amount was not met, they would expose Trump's scandal. The organization has become a focus of the cybersecurity community for carrying out such ransomware attacks. The exchange Travelex also revealed that it paid nearly $2.3 million in Bitcoin to hackers after it was attacked by REvil ransomware on January 11, 2020.

So far, nearly 18,000 computers of Telecom have been hacked. Although there is no evidence that the Telecom ransomware incident was caused by REvil, people still focus on REvil software.

Screenshot source: Twitter

The screenshot is from an official Telecom message sent to its employees, with some suggestions and requirements that employees must follow in order to overcome this ransomware attack.

Ironically, the attackers even included a link to a website where one can buy Monero to pay the ransom. The CEO of a security company speculated that the hackers may have another motive: they may already hold Monero and hope that this attack will increase the price so that they can sell it at a better price. A ransom of US$7.5 million in Monero is a bit unreasonable; wouldn't it be better to just ask for other currencies? Precisely because US$7.5 million of Monero accounts for 13% of the daily trading volume, this move is very likely to have a significant impact on the price of Monero.

Safety Tips

In recent years, the most harmful cybersecurity threats have ranged from ransomware and crypto mining, which account for the most attacks, to phishing attacks, which cause the most damage. Ransomware is very effective, whether it arrives through phishing attacks targeting employees or through forcible extortion using insecure RDP (Remote Desktop Protocol).
According to preliminary estimates, the hacker attack affected the daily operations of at least 18,000 teams. Although the number is huge, large enterprises can still absorb it. Small and medium-sized enterprises are different: they have less security budget and fewer skills, and are more likely to become the main targets of ransomware. And once the ransom is paid, it is likely to drag down the entire enterprise.

The CertiK security team believes that employees' lack of security habits (including reusing and sharing passwords, clicking on links or attachments in unknown emails, and using pirated computer applications) will cause great security risks. Therefore, individuals and corporate organizations need to take reasonable security measures and provide employees with relevant security training to improve network resilience and security protection capabilities. When a company cannot meet these security conditions, it should promptly contact a third-party security team for detailed security customization services and security system establishment. (CertiK Chinese)