Delaware, USA – November 28, 2019 – Another Spanish company was forced to interrupt operations this month because of a ransomware attack. On Wednesday morning Prosegur, a worldwide private security company, faced a cybersecurity incident that disrupted its telecommunication platform. The attack affected all of the company’s locations in Europe; Prosegur shut down its network and restricted communications with customers to stop the ransomware from spreading further, and its website and phones were also disabled. The adversaries launched the attack on the Spanish office at 4 am local time, and it is not known what damage the organization suffered before the network was taken offline. According to Derecho de la Red, the ransomware added the .RYK extension to encrypted files; Prosegur later confirmed that “the incident corresponded to a generic attack, caused by the Ryuk ransomware.” By 9 pm the security teams had restored the site, but while browsing it still occasionally displayed the error “Due to maintenance, the site is momentarily out of service”.
Earlier this month, another major managed services provider suffered a similar incident: the systems of Everis were infected with BitPaymer ransomware and the adversaries demanded €750,000 for the decryption key. The Ryuk gang has a bigger appetite; the group recently infected an IT company that provided access management, security, and cloud data hosting to more than 100 nursing homes across the United States and demanded $14 million to restore the encrypted data. Some ransomware gangs have also recently started to steal sensitive data before encrypting files, so that they can put additional pressure on the attacked companies. According to BleepingComputer, the threat actor behind Maze ransomware published 700 MB of files stolen from Allied Universal to force the company to pay a 300-bitcoin ransom.
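The one concrete host-level indicator the post gives for Ryuk is the .RYK extension appended to encrypted files. The example below is added here to show how a defender can turn that indicator into a burst detection over file-activity events, flagging any host where many files gain the .RYK extension within a short window rather than alerting on a single stray file. It is not code from the post, from Prosegur, or from SOC Prime’s Threat Detection Marketplace rules; the pipe-separated log format, the host names, the timestamps and the paths are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Indicator stated in the post: Ryuk appends .RYK to the files it encrypts.
RYUK_EXTENSION = ".RYK"


def parse_event(line):
    """Parse one constructed 'ISO-timestamp|host|action|path' line.

    The format is an assumption for this example; map your own file-audit or
    Sysmon-derived events into the same four fields before calling the detector.
    """
    ts, host, action, path = line.rstrip("\n").split("|", 3)
    return datetime.fromisoformat(ts), host, action, path


def is_ryk_write(action, path):
    """True when a rename or create produces a file carrying the .RYK extension."""
    return action in ("rename", "create") and path.upper().endswith(RYUK_EXTENSION)


def detect_ryk_bursts(lines, window_seconds=60, threshold=5):
    """Sliding-window count, per host, of files that gain the .RYK extension.

    Returns {host: peak_count} for every host whose count inside some window of
    `window_seconds` reached `threshold`. A single .RYK file on a host is ignored,
    which keeps a stray renamed file from paging the on-call analyst.
    """
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e[0])
    windows = defaultdict(deque)   # host -> timestamps of .RYK writes still inside the window
    peaks = defaultdict(int)       # host -> largest window count seen so far
    for ts, host, action, path in events:
        if not is_ryk_write(action, path):
            continue
        q = windows[host]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        peaks[host] = max(peaks[host], len(q))
    return {host: count for host, count in peaks.items() if count >= threshold}


# Constructed sample events: a file server seeing a burst of .RYK renames,
# a workstation with one unrelated .RYK file, and ordinary activity as noise.
SAMPLE_EVENTS = [
    "2019-11-27T04:01:00|FS01|rename|C:\\Shares\\Finance\\q3.xlsx.RYK",
    "2019-11-27T04:01:02|FS01|rename|C:\\Shares\\Finance\\q4.xlsx.RYK",
    "2019-11-27T04:01:03|WS07|create|C:\\Users\\a\\Documents\\notes.txt",
    "2019-11-27T04:01:05|FS01|rename|C:\\Shares\\HR\\payroll.docx.RYK",
    "2019-11-27T04:01:08|FS01|rename|C:\\Shares\\HR\\contracts.pdf.RYK",
    "2019-11-27T04:01:10|WS07|rename|C:\\Users\\a\\Desktop\\old.RYK",
    "2019-11-27T04:01:15|FS01|rename|C:\\Shares\\Legal\\nda.docx.RYK",
    "2019-11-27T04:01:20|FS01|rename|C:\\Shares\\Legal\\case.docx.RYK",
    "2019-11-27T04:05:00|FS01|rename|C:\\Shares\\IT\\backup.zip.RYK",  # outside the 60 s burst
]


if __name__ == "__main__":
    for host, count in detect_ryk_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: {count} files gained {RYUK_EXTENSION} on {host} within 60 s")
```

Run as-is it alerts only on FS01 (six .RYK writes inside the window); WS07’s single file stays below the threshold. Tune `window_seconds` and `threshold` to the normal rename rate of the file server you monitor, and pair the alert with the network isolation step the post describes, since the burst itself is the signal that encryption is already under way.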
Content available on Threat Detection Marketplace to detect this threat:
Emotet Process Creation – https://tdm.socprime.com/tdm/info/9U8NXanTx6TC/
Emotet Trojan detector (Sysmon) – https://tdm.socprime.com/tdm/info/Dg6aXfaxOLWX/
Ryuk Ransomware (Sysmon) – https://tdm.socprime.com/tdm/info/dZKqRzZUY7ki/
Ryuk Ransomware – https://tdm.socprime.com/tdm/info/e5l7zmQQ6jzP/
Ryuk Ransomware Detector (Sysmon Behavior) – https://tdm.socprime.com/tdm/info/vZQdVgPbH0b7/