Advantech, the chip manufacturer, has confirmed that it received a ransom note from a Conti ransomware operation on Nov. 26 demanding 750 Bitcoin, which translates into about $14 million, to decrypt compromised files and delete the data they stole.
Just to let Advantech know they weren’t bluffing, the scammers published a list of files from a stolen .zip archive on their leak site. The ransom note claimed that the 3.03GB of data posted on the leak site accounted for about 2 percent of the total amount of data lifted ripped off from Advantech.
Advantech specializes in internet-of-things (IoT) intelligent systems, Industry 4.0, machine automation, embedded computing, embedded systems, transportation and more.
A statement provided to Bleeping Computer on behalf of Advantech acknowledged the attack and said “the stolen data was confidential but only contained low-value documents.” The statement added that the company is recovering and “functioning normally,” and will not be commenting on whether the ransom was paid.
Ransomware Leak Sites
Professionalized ransomware groups including Conti, Ragnar Locker, Maze, Clop and others have been exploiting security holes created by the emergency shift to remote work due to the pandemic, coupled with well-publicized leak sites to wreak havoc and wring millions out of unsuspecting companies like Advantech. And in the case of Advantech, the longer it waits to decide, the more expensive the ransom gets.
“In August 2020, the Conti ransomware group created a data leak website, called Conti.News, following the trend of other highly successful ransomware variants, such as Maze, Sodinokibi and NetWalker,” Digital Shadows threat researcher Kacey Clark told Threatpost. “The group’s ransom demands require victims to make their payments in Bitcoin, and for each day a victim does not contact the attackers, the ransom demand increases by BTC 0.5.”
Clark added that Conti ransomware was likely developed by the same group behind Ryuk ransomware.
“Ryuk version 2 code and Conti ransomware code maintain notable similarities, the Conti ransom note uses the same template utilized in early Ryuk ransomware attacks and Conti ransomware operators appear to leverage the same TrickBot infrastructure used in Ryuk ransomware attacks,” she said.
Kaspersky researchers released a report Monday that said ransomware will be one of cybersecurity’s biggest threats in the year ahead, and pointed specifically to leak sites as the single biggest factor driving up ransom prices.
“Due to their successful operations and extensive media coverage this year, the threat actors behind targeted ransomware systematically increased the amounts victims were expected to pay in exchange for not publishing stolen information,” Kaspersky researchers said. “This point is important because it is not about data encryption anymore, but about disclosing confidential information exfiltrated from the victim’s network. Due to payment card industry security and other regulations, leaks like this may result in significant financial losses.”
It’s up to organizations to shore up their defenses in preparation for the next inevitable ransomware attack, researchers noted.
The first line of defense is a regular, smart backup strategy, according to Shawn Smith, DevOps engineer at nVisium.
“Attacks like this are why proper backups and disaster recovery plans are so vital,” Smith said in an email to Threatpost. “In the unfortunate event a breach manifests, as long as you have proper backups, you can restore files, resume operations and start to mitigate the fallout. Attackers aren’t trustworthy given the nature of what they do, and if you put yourself in a situation where you’re forced to pay them money, your results may vary wildly depending on the group you have to deal with.”
Besides regular data backups, basics like security awareness training, patching and antivirus protection are all key, according to Daniel Norman, senior solutions analyst at the Information Security Forum. He also recommended that organizations train for ransomware response.
“Organizations should have an incident-response or crisis-management plan for ransomware events, knowing who to contact and what to do,” Norman advised. “This should be regularly rehearsed so that if ransomware hits, the organization can recover swiftly.”
And while those preparations seem wise, what about companies stuck without either a backup or a strategy? Then it comes down to which costs more, recovery or the ransom?
“Payment of a ransom is also a contentious discussion – in many cases the ransom may be cheaper than replacing a suite of locked devices,” Norman said. “Therefore, it becomes a cost-decision. However, you can never trust that the attacker will unlock the devices, so it remains a grey area.”