Telecom Argentina Hit by REvil Ransomware


Telecom Argentina, the country’s biggest telecommunications service, is the latest addition to the REvil ransomware group’s list of victims, following a cyberattack launched over the weekend.

On Saturday, July 18, the cybercriminal gang infected Telecom’s call center. According to ZDNet, sources within the ISP said hackers caused “extensive damage to the company’s network” after accessing an internal Domain Admin account, from which they deployed their ransomware payload to over 18,000 workstations across the company.


“The incident did not cause internet connectivity to go down for the ISP’s customers, nor did it affect fixed telephony or cable TV services; however, many of Telecom Argentina’s official websites have been down since Saturday,” ZDNet reported.

In a note, the gang demanded a ransom of 109k Monero, equivalent to $7.5 million, to decrypt the impacted files. Payment must be made within two days. If the company fails to meet the deadline, the original price will be doubled to $15 million.


Telecom Argentina, however, said it “managed to contain” the attack on its platform.

“No critical services of the company were affected. It should also be noted that no client of the company was affected by this situation, as well as the bases of company data. Customer service efforts suspended preventively, will be gradually restored,” the company wrote in a statement issued to local media outlets.

Images of a memorandum allegedly issued to Telecom Argentina employees have been circulating on social media, showing the firm instructing them to limit their use of the corporate network and refrain from opening suspicious emails.

While no ransomware group has claimed responsibility for the attack, a now-deleted tweet included a screenshot of the REvil ransomware gang’s dark web portal showing a ransom demand of 109345.35 Monero coins or $7.53 million – the same ransom being demanded from Telecom Argentina.

To date, the ISP has not provided any comment on the incident, nor has it said whether it intends to pay the ransom at all.

First detected on April 17, 2019, REvil ransomware is a type of malware used by a group of cybercriminals targeting big companies for bitcoin ransom.

“It is used by the financially motivated GOLD SOUTHFIELD threat group, which distributes ransomware via exploit kits, scan-and-exploit techniques, RDP servers, and backdoored software installers,” explained Secureworks in a 2019 post about the malware.

The latest attack against Telecom Argentina makes the company the second internet service provider to have been victimized by the REvil gang, following Sri Lanka Telecom in May.