3rd Party Risk Management , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime
Security Firm Prosegur Hit By Ryuk Ransomware
Incident May Have Disrupted Networked Security CamerasGlobal security company Prosegur says that Ryuk ransomware caused an outage on Wednesday, which some people claimed hampered networked alarms.
See Also: How Healthcare Can Stay Ahead of Ransomware Attacks
In a tweet, the company says the ransomware “has been fully contained and the company has already deployed all the necessary mitigatory controls. Likewise, Prosegur has already begun the process of restoring its service.”
Update on incident of information security (II) pic.twitter.com/Qd0EUxy03P
— Prosegur (@Prosegur) November 28, 2019
Madrid-based Prosegur didn’t detail the ransom demanded by its Ryuk-wielding attackers or whether company officials have considered paying it. Some cyber insurance policies will cover the cost of paying all or part of a ransom. But many security experts and law enforcement officials warn that paying ransomware drives cybercriminals to continue such attacks.
Prosegur offers a variety of security services, including guards and armored vehicles for moving cash. It also develops alarm systems, security monitoring applications and cash-handling systems. The company is a large player globally, sporting more than 170,000 employees.
Alarm Trouble
Prosegur’s website went offline on Thursday but it’s now back online, says U.K. security researcher Kevin Beaumont.
The incident may have disrupted networked alarm systems. Beaumont tweeted screenshots of tweets from users who appeared to be reporting difficulty.
Prosegur incident is just over a day old, customers and resellers are taking to Twitter saying alarms aren’t working and resellers saying they’re getting abusive calls from their customers. An entire ecosystem of security and cash handling services are up in the air. pic.twitter.com/dGtfMRr3Y4
— Kevin Beaumont (@GossiTheDog) November 28, 2019
The company has remained oblique about the broader effects of the attack. Efforts to reach a Prosegur spokesperson on Friday outside of business hours were not immediately successful.
Investigation Underway
In its Twitter statement, Prosegur says it has “initiated an investigation in order to determine the typology of the incident, its behavior, evaluation of the scope and definition of containment and recovery procedures, all of the them included in a response plan for incidents of information security.” The company says it has established a multidisciplinary team to investigate.
Prosegur also noted that the Ryuk ransomware has hit other organizations in Spain over the past few months. In fact, Ryuk has taken a toll worldwide this year (see 11 Takeaways: Targeted Ryuk Attacks Pummel Businesses).
The U.S. Department of Health and Human Services warned on Aug. 30 of the threat Ryuk poses to healthcare organizations. Ryuk infections often carry a ransom demand of between 15 to 50 bitcoins - worth $114,000 to $380,000 as of Friday - according to Check Point Software Technologies research cited by HHS. Check Point and other security companies believe Ryuk is has been derived from the Hermes ransomware (see Alert: 'Ryuk' Ransomware Attacks the Latest Threat).
Ryuk-wielding attackers typically target victims via malicious emails, which oftentimes drive them to sites hosting exploit kits, HHS says. Such exploit kits typically try to attack the computer using various software vulnerabilities. If those flaws get successfully exploited, the exploit kit can install and execute malicious code - such as ransomware - on the targeted system.
Cybersecurity firm CrowdStrike believes that Ryuk is run by a group - dubbed “Wizard Spider” in CrowdStrike parlance - likely operating from Russia. That same group has been tied to Trickbot malware, which is an advanced banking Trojan that’s been around for at least three years, the security firm says (see TrickBot Variant Enables SIM Swapping Attacks: Report).