One of Argentina’s largest internet service providers, Telecom Argentina, has suffered a major ransomware attack involving around 18,000 computers. The attack started on Saturday July 18 with the attackers taking control of an internal domain administrator account, which allowed them to spread the ransomware across the entire network.
According to sources at the company, the attack was detected rapidly and steps were taken to limit the spread of the ransomware. Employees were warned not to connect to the internal VPN network and not to open emails containing archive files. The attack was contained, but the damage caused was extensive. Employees have been prevented from accessing databases and internal VPNs as a result of the attack, and with many employees working from home due to COVID-19, productivity will have taken a major hit.
Critical services were unaffected and customers did not lose access to the internet or telecom services, but the company’s websites were taken out of action. ZDNet has reported that the attack was conducted by the REvil gang, using REvil/Sodinokibi ransomware. REvil claimed responsibility for the attack on Twitter, although the Tweet has since been deleted. The Tweet linked to the REvil web portal on the dark web, which showed a ransom demand of 109345.35 Monero – around $7.5 million – for the keys to unlock the encrypted files. That ransom must be paid within 3 days or the demand will double to $15 million. The deadline for paying is July 21, 2020. It is unclear whether the ISP will pay the ransom.
It is currently unclear how the gang gained access to Telecom Argentina’s network. Some reports suggest the attack started with a malicious email attachment that was opened by an employee, although that attack method is not typically used by manual ransomware gangs such as REvil. The REvil gang has used a variety of methods in its attacks in the past, but one of the most commonly used methods of attack is the exploitation of vulnerabilities in Pulse Secure and Citrix VPNs. According to ZDNet, Bad Packets confirmed that Telecom Argentina uses Citrix VPN servers and that at least one did not have the patch applied for the vulnerability CVE-2019-19781, which has been exploited by the REvil gang in several past ransomware attacks.
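Because the article reports an unpatched Citrix VPN server as a likely entry point, defenders reviewing their own gateways will want to check web access logs for the path-traversal pattern associated with CVE-2019-19781 (requests that use `..` segments to reach resources under `/vpns/`). The following is an added detection example, not code from the article or from Telecom Argentina; the log lines are constructed samples in a common access-log layout, and the IP addresses are documentation ranges.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the incident). Two of them show
# traversal from /vpn/ into /vpns/, one with percent-encoding, and two are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jul/2020:03:14:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 512
203.0.113.7 - - [18/Jul/2020:03:14:02 +0000] "GET /vpn/../vpns/test.html HTTP/1.1" 200 1298
198.51.100.9 - - [18/Jul/2020:03:15:10 +0000] "POST /vpn/..%2fvpns/portal/x HTTP/1.1" 200 0
192.0.2.4 - - [18/Jul/2020:03:16:00 +0000] "GET /vpns/portal/help.html HTTP/1.1" 200 77
"""

# Common log format: client IP, identd, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_traversal_into_vpns(raw_path: str) -> bool:
    """True when the request path uses a '..' segment and targets /vpns/.

    The path is percent-decoded twice so that single- and double-encoded
    traversal (..%2f, ..%252f) is normalised before matching; backslashes are
    folded to forward slashes for the same reason.
    """
    p = unquote(unquote(raw_path)).replace("\\", "/").lower()
    return "/vpns/" in p and re.search(r"(^|/)\.\.(/|$)", p) is not None

def scan_log(text: str):
    """Return (ip, method, raw path, status) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_into_vpns(m["path"]):
            hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for ip, method, path, status in scan_log(SAMPLE_LOG):
        # A 200 on such a request is the case worth escalating: the traversal
        # was served rather than blocked, which suggests the patch or the
        # published responder-policy mitigation is not in place.
        print(f"{ip} {method} {path} -> {status}")
```

Legitimate, authenticated use of `/vpns/` resources does not involve a `..` segment, so the check stays quiet on the benign lines while flagging both traversal attempts.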
The REvil gang is known for stealing data prior to the encryption of files and threatens to publish or sell the data if the ransom is not paid. It is unclear what data has been stolen from Telecom Argentina and whether that data will be published. There is currently no mention of the attack on the darknet site used by the REvil gang to leak stolen data.