(Updated on January 25th, 2022)
RansomEXX ransomware hits Ecuador’s CNT and steals 190 GB of corporate data
The Coporacion Nacional de Telecommunicacion (CNT) of Ecuador has been a victim of a ransomware attack and it has affected their normal business operations, their payments portal and support services have also been impacted. Earlier this week, the CNT site broadcasted warning messages that their organization has been affected by a cyberattack, and their services aren’t accessible now.
The alert message displayed on their site was:
“Today, July 16, 2021, the National Telecommunications Corporation, CNT EP, filed a complaint with the State Attorney General’s Office for the crime of “attack on computer systems “so that the preliminary investigation is carried out and the responsible,”
“This attack affected the care processes in our Integrated Service Centers and Contact Center; In this regard, we indicate to our users that their services will not be suspended for non-payment.”
“We must inform our clients, massive and corporate, that their data is They are duly protected. We also inform that services such as calls, internet and television, operate normally.”
RansomEXX ransomware and CNT story
Although CNT stated that they suffered a cyber attack they didn’t state it to be a ransomware attack, however, it has been known to be a ransomware attack by a group called RansomEXX as reported by the security researcher German Frenandez, sharing the data leak site that has warned the CNT of the stolen data. But this link hasn’t been made public yet.
Below is the warning message shared by the RansomEXX group,
“Your time is LIMITED! When this time will come to end, there are two ways: we will RAISE the ransom amount or PUBLISH your files.You will lose the opportunity to contact us after the data PUBLICATION. If you REALLY WANT to prevent data leak, contact us RIGHT NOW. We have downloaded 190GB+ of your files and we are ready to publish it.” – RansomEXX.
This link is available only via direct access and not made public yet, which we believe is because it was available via the ransom note shared above.
CNT has made a press statement, which states that the customer and corporate information are safe and secured. However, on the other hand, RansomEXX have claimed that they own 190+ GB of CNT data and even shared some screenshots as proof of their claims. These proofs include the hidden data leakage behind CNT official info and this is directly contradicting with CNT’s press statement. These stolen data seems to include contact details, contracts and other logs of CNT.
RansomEXX and its history
This ransomware group has been attacking high-profile organizations recently, which includes Rio Grande do Sul court system, world’s largest meat producer JBS and nuclear weapons contractor Sol Oriens. Initially known as Defray in 2018, this ransomware group became very active since June 2020 after rebranding itself to RansomEXX and targeting premium enterprises.
This group has also affected Brazil’s government entities, Texas Department of Transport and Tyler Technologies with their RansomEXX ransomware attack.
How does RansomEXX ransomware actors operate?
Like any ransomware operators, RansomEXX will first breach into a network using stolen credentials, brute-force, password spraying, credential stuffing and other password breaching attacks. And then they try to exploits or vulnerabilities in the network components for further compromise and later gain access to the network.
As soon as the get the access to the network, they will try to spread laterally withing the network using RDP and open ports. Once they doing that they will start encrypting the files in individual devices by deploying the ransomware and also holding access to administrator password. With admin passwords they can corrupt system files and even cause havoc to more than just corporate data.
These ransomware operators wanted to target all the crucial devices and hence created the Linux versions and not limit themselves to Windows devices. This way they can target Linux servers including hypervisors and VMs.
How should enterprises keep their network vigilant against such threat actors?
Enterprises should start to take a proactive security approach to keep their network a less favorite target for ransomware operators.
They should follow the below best practices to ensure their network defenses are solid enough to keep ransomware out of their business operations,
- Always patch and update your system on-time
- Ensure your phishing defenses are solid, you can use tools like Graphus, Huntress, and Cyberhawk to keep your email communications secured.
- Verify your open ports, services and security misconfigurations in your network are identified and resolved.
- Always backups your data periodically, and probably use the 3-2-1 rule of backups to have three copies of data backups, in two different formats and at least one outside your geographical location.
- Your backups and disaster recovery plans should be verified and optimized on a mundane basis for healthy and secured data.
- Always follow the Zero Trust Model to keep your networks safe from unknown breaches via known devices.
While you work on the proactive side of security, it is equally important to build a reactive approach to ensure you know how to handle security incidents
- Always have a SIEM tool for first information on a security incident
- Studying enterprise logs will help security team to pick a threat that;’s actively exploiting your corporate network.
- Have an incident response plan in place to detect the attack, intimate authorities, and communicate the same to customers as per data breach regulation norms that applies to your business and country it belongs to. For example, if you are in Europe then GDPR will apply to you.
- Perform Red and Blue Team operations to identify vulnerable data points in your network and reinforce it using the right policies and configurations.
- Identity Access Management and Password Management with the right honeypot enabled environment can reduce and intimate your security professionals about any attack attempts at your corporate network.
Enterprises need to ensure they understand the importance of cybersecurity and has to be communicated to the stakeholders, employees and customers periodically with right security training and assessment for employees to avoid becoming a victim to phishing attempts and other malicious internet activity.
The case of CNT is just another story for us, but it is a critical incident for their organization and could potentially affect their operations, reputations and finances for the rest of this year. Build your defenses now and ensure you update them in periodic intervals to stay vigilant 24*7, keeping the attackers at bay.