Ransomware Attack Forces Norway Newspaper to Shut Presses
Amedia: Production Partly Restored, Investigation Ongoing
A ransomware attack has disrupted the operations of Norway-based media company Amedia, which publishes more than 70 newspapers for 2 million readers.
The Tuesday attack on the company's computer systems forced it to shut the presses, says Amedia's executive vice president of technology, Pål Nedregotten.
In a Wednesday update, the company said it would "take time before the situation is normal."
Although the attackers left a ransom note on the media company's infected computers, Amedia has no intention of paying ransom, the statement says. It says the company has shared the ransom note with the police.
As the central information systems of the company are still encrypted and out of order, alternate arrangements to reinstate production of the paper-based newspaper are being made, and only 20 of all the titles published by the media company will be printed on Thursday, the update adds.
"Alternative production of the paper newspaper on Thursday will apply to about 20 newspapers, while it is not yet possible for other newspapers to get the newspaper out. Efforts are being made to make the solution available to everyone from Friday," Amedia says.
The company did not respond to Information Security Media Group's request for additional details, such as the ransom amount sought, the infection vector and the identity of the attacker.
Initial Investigation
Amedia's initial investigation confirms that the "problems are limited to the systems managed by Amedia's central IT company, Amedia Teknologi," and that "Amedia's other systems work as normal."
If no newspapers can be published, it affects readers as well as advertisers who cannot place new orders for ads or see the ordered ones published, Nedregotten says.
Amedia's latest update confirms that its central information systems, which were targeted in the attack, contain personal data. The subscriber data includes name, address, mobile number, email address and subscription history, while employee data includes employment conditions/agreements, Social Security numbers and salaries.
"We do not yet know whether this information has actually been misused or not and are now working to map such matters in more detail," Amedia says. "It seems obvious that such data has been downloaded and we will inform the Norwegian Data Protection Authority about it."
On Tuesday, Nedregotten said that there was "no reliable information" on whether personal information of subscribers and employees had been compromised, but that "if personal information has gone astray, those affected will be informed as soon as possible."
PrintNightmare Vulnerability Exploited?
"People [attackers] have been in our systems for several days," local news platform Digi.no reported Nedregotten as saying in a digital press conference on Wednesday. "There is a known security hole in Windows that has been exploited, and it is therefore Amedia's Windows servers that have been affected."
Nedregotten did not mention the vulnerability exploited. A Twitter user who uses the name "cyb5r3Gene" and claims to be a security researcher from Norway says the threat actor exploited CVE-2021-1675 - the PrintNightmare vulnerability - to gain initial access and for subsequent lateral movement.
UPDATE: PrintNightmare CVE-2021-1675 was used for lateral movement… "The attackers have been inside the enterprise networks for many days!" - Amedia https://t.co/0BmX0PvEXQ https://t.co/VVbVxdJF7b
— Cyb5r3 Gene (@cyb5r3Gene) December 30, 2021
The Twitter user also says that the Vice Society ransomware group could be responsible for the attack, as the group has exploited the PrintNightmare vulnerability in the past (see: Ransomware Gangs Try to Exploit 'PrintNightmare' Flaws).
'Yes, There Are Backups'
While Amedia acknowledges that it is experiencing "serious" problems, the media group says it was ready with a disaster recovery plan. "Yes, there are backups. We are looking at how we can use these," Amedia says.
The process may take a while, as its team is looking at safe backup configurations while ensuring that it doesn't trigger a malicious script that initiates the attacks again. "We have engaged experts to help us in this area to ensure the safety of such solutions. We will provide new information on this as soon as we are ready," Amedia says.
Ransomware, a Persistent Problem
Businesses need to stop thinking that ransomware is somehow different from any other attack, Simon Edwards, CEO of security company SE Labs, tells Information Security Media Group.
"The hacker's playbook hasn't changed much over the years. Run some reconnaissance, gain access, escalate privileges and steal or destroy information. Attackers don't use magic because they don't need to. Tried and trusted hacking methods rule the day, as seems the case in this particular incident," Edwards says.
"People tend to think that hacking involves super-secret programs and the kind of arcane knowledge known only to a handful of shadowy computer nerds. But you can set yourself up as a pretty competent attacker with a handful of widely available books, some free software and access to YouTube," says Edwards.
Rather than fixating on one issue such as ransomware, Edwards recommends that organizations focus on ensuring that their environments are locked down sufficiently to prevent any type of attack, regardless of its payload. "Confirming that security measures and policies still meet the needs of the business on a regular basis will help shore up defenses," he tells ISMG.