Ransomware infects 18,000 Telecom Argentina computers; attackers demand $7.5 million USD

Ransomware incidents continue to appear with astonishing frequency around the world. Specialists report that Telecom, Argentina’s largest Internet service provider, was the victim of an encryption malware infection; attackers apparently demand a ransom of $7.5 million USD to restore access to the compromised files.

Sources close to the company claim that the criminals wreaked serious havoc on Telecom’s networks, gaining a foothold through an internal domain administrator account and spreading the malware from there to the rest of the company’s computer infrastructure. Some Telecom-owned domains have been offline since last weekend, although the company’s customers have not been affected.

Some employees of the company revealed details about the attack on social media. Investigators believe the incident was detected immediately by the firm’s IT team, which notified employees of the malicious activity and issued some security recommendations.


Regarding the perpetrators, the attack was attributed to the REvil hacking group (also known as Sodinokibi). The hackers have apparently already disclosed the incident on their dark web platform, where they have posted some of the compromised information. They demand a ransom of 109,345 units of the Monero cryptocurrency, equivalent to $7.5 million USD, making this one of the biggest hacking incidents recorded in South America.


So far, the company has not commented on the incident. However, the informants claim that the company attributes the initial infection to a malicious email received by one of its employees, although specialists point out that this does not match REvil’s usual mode of operation.

Researchers and security firms who have analyzed attacks perpetrated by this hacking group agree that REvil specializes in network-based infections, looking for unpatched machines through which to spread across the affected networks.

Cybersecurity firm Bad Packets believes that the attackers may have leveraged the company’s Citrix VPN servers, as well as an instance vulnerable to CVE-2019-19781. Other researchers believe that two flaws in an antivirus product could also be related to the attack.

This is also the second REvil gang attack against an Internet service provider’s network. The REvil gang also recently attacked Sri Lanka Telecom, the largest fixed-line telephony provider in that country.