Small Canadian financial services company vulnerable to ransomware
A small accounting firm north of Toronto admitted to being hit by ransomware last month.
Naz Sukhram, the head of a financial services firm, confirmed on Tuesday that the company realized it had been hit on May 26 after its servers were encrypted.
"We thought we were a small company and would not be hit," he said in an interview.
The six-person firm provides tax and bookkeeping services for small businesses and individuals.
The recently discovered Grief ransomware group has claimed responsibility for the attack. One of the files posted on its data leak website as evidence appears to be a screenshot of a text conversation between two people on a cellphone. The top of the image reads, "Naz Sail." Sukhram said he remembered that the conversation took place with an employee.
Beneath the screenshot is what appears to be the gang's statement: "Naaz Financial's network was down, and we now have about 5GB of data from file servers, including company internal documents, personal and customer data. If this company keeps quiet, we will, in accordance with our rules, publish this data in a phased manner."
Sukhram said he did not know how much ransom was being demanded. He said the company did not click on the attacker's link.
For the time being, the business is on hold while its IT support attempts to recover the server's data. Fortunately, he said, the office has been closed due to the pandemic and work has slowed down.
How the company was compromised is unknown. "We're not sure yet, we'll have to wait for the insurance company to send an investigator," he said. "We don't know if something was stolen, or just encrypted."
"Hopefully we'll be back up and running within a couple of weeks. Hopefully."
Meanwhile, employees and customers have been asked to check their financial statements.
The Grief ransomware group was identified by security researchers in late May. At the time, it listed five victims on its site, including a British furniture company, an Italian municipality, a U.S. county, a Dominican Republic service firm and a Mexican food service company.
News site SuspectFile.com says Grief issued a statement suggesting it would not follow other groups' common strategy of negotiating ransom payments with victim firms.
Calling itself a "new generation", the statement said, "With no further discounting, brainwashing and long-term negotiations with lots of evidence, time is up. Game over for companies with long negotiations. Prefer pay or sorrow."
Rare to hear from victim SMBs
In an interview, Brett Callow, a British Columbia-based threat analyst with Emsisoft, said that while people hear about ransomware attacks on major firms like U.S.-based Colonial Pipeline, the overwhelming majority of victims are small businesses.
"But because those incidents don't usually make the news, small businesses may not realize that they are still in the crosshairs [of attackers] and thus should not pay as much attention to security," he said.
He said that most attacks still succeed because of fairly common security mistakes. "So by paying attention to the fundamentals, small businesses can significantly reduce their chances of being the next victim."
Fundamentals include patching software as security updates are released, using multifactor authentication as an added measure of security for employee and customer logins, and training employees on proper cybersecurity procedures.
Security researchers talk about ransomware groups focusing on "big game hunting" -- looking for bigger targets like big corporations and governments. But, he added, "they tend to be completely indiscriminate and will attack whatever they can."
He said the group known as Evil Corp is focused on bigger targets.
The targeted organizations are often chosen and initially infected by affiliates of the ransomware groups rather than by the developers, he said. These affiliates receive a share of any ransom paid.
Separately, the REvil ransomware gang says a western Canadian hotel chain is one of its latest victims. As evidence, it has posted copies of people's driving licences, passports, job applications and insurance benefit claims, which it says were copied from the chain's files. ITWorldCanada.com has left two messages for the company's chief executive, but has received no response.
One more warning
Meanwhile, BlackBerry today issued a warning that the Pysa/Mespinoza ransomware group is using an enhanced version of a remote access Trojan written in the Go language to infiltrate Windows systems. Dubbed Auntie, BlackBerry says it is another entry in the growing list of malicious software written in Golang, a relatively young programming language.