Advantech, the industrial-computing & IoT vendor, has now confirmed that it received a ransom note from the Conti ransomware operation on Nov. 26 demanding 750 Bitcoin, about $14 million at the time, to decrypt the encrypted files & delete the data the attackers stole.
The ransomware group has leaked stolen data to add more pressure on the company to pay up.
To show Advantech that they were not ‘bluffing’, the Conti operators published a file listing from a stolen .zip archive on their leak site.
The ransom note claimed that the 3.03 GB of data posted on the leak site accounted for about ‘2%’ of the total amount of data stolen from Advantech.
Advantech specialises in internet-of-things (IoT) intelligent systems, Industry 4.0, machine automation, embedded computing, embedded systems, transportation & more.
A statement provided to BleepingComputer on behalf of Advantech admitted the attack & commented “the stolen data was confidential but only contained low-value documents.” The statement added that the company is recovering & “functioning normally,” & will not be commenting on whether the ransom was paid.
Ransomware Leak Sites
Professionalised ransomware groups including Conti, Ragnar Locker, Maze, Clop & others have exploited the security gaps opened by the emergency shift to remote work during the pandemic, combined with well-publicised leak sites, to extort millions from companies like Advantech.
For Advantech, the longer it waits to decide, the more expensive the ransom becomes, because Conti raises its demand for every day the victim does not make contact.
“In Aug. 2020, the Conti ransomware group created a data leak website, called Conti.News, following the trend of other highly successful ransomware variants, such as Maze, Sodinokibi & NetWalker,” Digital Shadows Threat Researcher Kacey Clark explained.
“The group’s ransom demands require victims to make their payments in Bitcoin, & for each day a victim does not contact the attackers, the ransom demand increases by BTC 0.5.”
Clark added that Conti ransomware was ‘likely developed’ by the same group behind Ryuk ransomware.
“Ryuk version 2 code & Conti ransomware code maintain notable similarities, the Conti ransom note uses the same template utilised in early Ryuk ransomware attacks & Conti ransomware operators appear to leverage the same TrickBot infrastructure used in Ryuk ransomware attacks,” she observed.
Kaspersky researchers released a report on Monday suggesting that ransomware will be one of cyber-security’s biggest threats in the year ahead, & pointed specifically to leak sites as the single biggest factor driving up ransom demands.
“Due to their successful operations & extensive media coverage this year, the threat actors behind targeted ransomware systematically increased the amounts victims were expected to pay in exchange for not publishing stolen information,” Kaspersky researchers outlined.
“This point is important because it is not about data encryption anymore, but about disclosing confidential information exfiltrated from the victim’s network. Due to payment card industry security & other regulations, leaks like this may result in significant financial losses.”
It is up to organisations to shore up their defences in preparation for the next inevitable ransomware attack, researchers further noted.
The 1st line of defence is a regular, smart backup strategy, according to Shawn Smith, DevOps Engineer at nVisium.
“Attacks like this are why proper backups & disaster recovery plans are so vital,” Smith commented. “In the unfortunate event a breach manifests, as long as you have proper backups, you can restore files, resume operations & start to mitigate the fallout.
Attackers aren’t trustworthy given the nature of what they do, & if you put yourself in a situation where you’re forced to pay them money, your results may vary wildly depending on the group you have to deal with.”
In addition to regular data backups, basics like security awareness training, patching & antivirus protection are all crucial, said Daniel Norman, Senior Solutions Analyst at the Information Security Forum. He also recommended that organisations train for ransomware response.
“Organisations should have an incident-response or crisis-management plan for ransomware events, knowing who to contact & what to do,” Norman advised. “This should be regularly rehearsed so that if ransomware hits, the organisation can recover swiftly.”
Recovery or the Ransom?
Those preparations are sound, but what about companies that have neither reliable backups nor a response plan? For them the question becomes which costs more: recovery or the ransom.
“Payment of a ransom is also a contentious discussion – in many cases the ransom may be cheaper than replacing a suite of locked devices,” Norman suggested. “Therefore, it becomes a cost-decision. However, you can never trust that the attacker will unlock the devices, so it remains a grey area.”