Ransomware Gang Demands $7.5 Million From Argentinian ISP

A ransomware gang has infected the internal network of Telecom Argentina, one of the country's largest internet service providers, and is now demanding $7.5 million as ransom to unlock encrypted files. From a report: The incident took place over the weekend, on Saturday, July 18, and is considered one of Argentina's biggest hacks. Sources inside the ISP said hackers caused extensive damage to the company's network after they managed to gain control over an internal Domain Admin, from where they spread and installed their ransomware payload to more than 18,000 workstations. The incident did not cause internet connectivity to go down for the ISP's customers, nor did it affect fixed telephony or cable TV services; however, many of Telecom Argentina's official websites have been down since Saturday. Since the attack's onset, multiple Telecom employees have now also taken to social media to share details about the incident, and how the ISP has been managing the crisis.

I hope that don't pay

[dhaen]

If they pay it's a downward spiral...

Rudyard Kipling

[davidwr]

"We never pay any-one Dane-geld,
        No matter how trifling the cost;
For the end of that game is oppression and shame,
        And the nation that plays it is lost!"

- Dane-Geld [archive.org] , Rudyard Kipling, 1911

Um, can you say "backups"?

[davidwr]

Having good backups and a good restore mechanism is something you should've been doing all along, even before ransomware became a problem.

Re:

[WankerWeasel]

Far easier said than done. Do you have backups for 18,000 machines across your network?

Re:

[pak9rabid]

Not each machine individually, but if they're smart all of the important files should have been served up via some NAS device that gets backed up, as well as the image(s) for the OS.

Re:

[awwshit]

How quickly can you re-image 18000 computers? And if you don't know exactly what happened and have some prevention in place now, should you re-image 18000 desktops?

Re: Um, can you say "backups"?

[nadm83]

Actually they have and they did. I have two friends working on IT there. They had a hellish weekend, spent 48 hrs without sleep but everything is back to BAU now. Pretty impressive taking into account the scale of the breach

Re:

[gweihir]

How quickly can you re-image 18000 computers? And if you don't know exactly what happened and have some prevention in place now, should you re-image 18000 desktops?

That depends entirely on whether you were prepared for that case or not. If not, it can take weeks, even months. If you were prepared, a few days at most. What you need is image-servers that can handle the load and step-by-step instructions you hand out to anybody with some IT expertise to re-image the laptops. Of course, that also means you have some powerful enough mechanism to install customization and to create new logins for everybody. Hence if you are prepared (and have tested the DR mechanisms), rein

Re: Um, can you say "backups"?

[nadm83]

They were not laptops, they were vdis

Re:

[gweihir]

They were not laptops, they were vdis

Does not matter.

Re:

[earl pottinger]

Yes, I remember reimaging a thousand computers in a single work day (8 hours) and that was with a small team and one central server. I expect a ISP can do a far better job unless they hire sub-standard help or did not do proper backups.

Re:

[HiThere]

That really depends on what software was on those computers. Was it identical? And whether the machines themselves are very different...e.g. do they require customization, or will one size fit all. If there's a lot of variation, then even if you're fully prepared, recovery can take awhile, and be a real pain. Also, you need to be prepared to lose some data. Anything that wasn't changing for the past (some amount of time) should be restored, but changes will be reverted. This might mean, e.g., that som

Re:

[grasshoppa]

All critical data is backed up. If folks are storing data on their location workstations, then A) it's not critical and B) they're violating company policy.

Re:

[geekmux]

Having good backups and a good restore mechanism is something you should've been doing all along, even before ransomware became a problem.

As I've reiterated to many a cloud superfan, there's a fundamental difference between online backups, and offline backups.

That fundamental difference becomes painfully obvious when you find backup files encrypted and unusable.

Life goes on

[eneville]

So the routing and services probably ran on Cisco and GNU/Linux, got no threats there. Spreadsheet jobs probably ran on windows. Want to avoid domain takeovers then use Linux on the desktop. Want belt and braces, selinux.

Linux is not immune to hacks

[davidwr]

Using Linux on the desktop, or macOS for that matter, may lower your risk from indiscriminate attackers, but it won't help much with a determined well-funded adversary doing a targeted attack.

Hardened OSes help a lot, but you can do more.

If you are worried about data being erased or over-written, have offsite real time backups and historical backups, along with a way to find out which backups are "good" and which are compromised.

If you are worried about data exfiltration, stay off the net if you can, and us

Re:

[HiThere]

Yes/no. Linux *is* a harder target, if only because the installations are less uniform (and there are other reasons), but it's also true that you can do more to harden Linux machines than you can on MSWindows machines. And Unix is even more that way. But the additional hardening requires additional skills, and not only to set up.

I don't know about currently, but around 15-20 years ago now Apple was the "sweet spot" of maximally hardened and easiest to use.

Re:

[eneville]

Yes/no. Linux *is* a harder target, if only because the installations are less uniform (and there are other reasons), but it's also true that you can do more to harden Linux machines than you can on MSWindows machines. And Unix is even more that way. But the additional hardening requires additional skills, and not only to set up.

I don't know about currently, but around 15-20 years ago now Apple was the "sweet spot" of maximally hardened and easiest to use.

Working in a place where both Windows and Linux co-exist, I'd say the Linux installs outlive the Windows by some years. The only Linux casualties I know of were where Linux wast the guest OS on a Windows host (why they were setup that way I do not know).

Windows is quiet less uniform than Linux in many ways due to the variety of fuckups I've seen. However, when it comes to a uniform entry point, it's AD or file sharing all the way. Getting away form MS just because MS is everywhere seems the smart thing to d

Re:

[eneville]

If you are worried about data being erased or over-written, have offsite real time backups and historical backups, along with a way to find out which backups are "good" and which are compromised.

What you want is tape backup duplicated offsite and kept *offline*. The last thing you want is backup (archive) data online during a network breach.

Fortunately, it's also extremely unlikely to happen in our lifetimes or the lifetimes of our children's children's children. But it could happen.

Are you talking about a Linux catastrophe or the asteroid, it's hard to tell!

I can see what happened in my head

[bobstreo]

IT Security Report: And here are the current issues with our network perimeter and a comprehensive list of issues we need to address right away, and it will cost "$XXXXX" to do it correctly.

Senior Corporate MBA type: "Can we just not do any upgrades, updates, or pretend this report doesn't exist?"

Other Corporate MBA type: "Sure, think of the money we'll save, and what's the worst that can happen?"

Re:

[earl pottinger]

If only you can get this in writing for later when the CEO calls for a review.

Re:

[bobstreo]

If only you can get this in writing for later when the CEO calls for a review.

Rule 2 of Management club: "Put nothing in writing that can come back to haunt us."

Re:

[Solandri]

You left out part 2:

Senior Corporate MBA type: "The head of IT keeps bugging us with this thing about fixing the network issues."

Other Corporate MBA type: "Just fire him and replace him with someone who'll do the IT work but won't bother us about spending more money."

And part 3:

Head of IT: "We were hacked because we didn't spend the money to address these newly-discovered network and security issues." (Because he was hired because he was ignorant of this stuff.)

Both Corporate MBA types: "It w

joke is on the hackers

[asadodetira]

Demanding multi millions is risible in todayâ(TM)s Argentina economy. They should demand soy or beef to have a chance.

I wish Re:joke is on the hackers

[davidwr]

The demand is 109345.35 Monero coins.

Now, whether Monero is more or less stable than the Argentine peso against soy or beef, well, I won't hazard a guess.

Why panic?

[grasshoppa]

I'd love for this story to end with..."and then I remembered I had backups, so I told them to bugger off".

That it doesn't end like that means folks need to be fired.

Re:

[gweihir]

I'd love for this story to end with..."and then I remembered I had backups, so I told them to bugger off".

That it doesn't end like that means folks need to be fired.

And that would be folks pretty high up. The CISO and the CEO come to mind, because they did not protect their company adequately.

Re:

[grasshoppa]

Yup; this is one of the few things the CIO/CTO need to have absolute awareness of.

Actually, this is one of those rare IT things that the CFO, CEO, CIO AND CTO need to have attention on, given the scope of any potential problems.

Re:

[gweihir]

Completely agree. This is risk management, technological measures just follow. Risk management not being done or quality not being assured is a leadership failure.