[BreachExchange] Conti Gang Hits IoT Chipmaker Advantech with $14M Ransom Demand

Destry Winant destry at riskbasedsecurity.com
Wed Dec 2 10:58:03 EST 2020


https://threatpost.com/conti-iot-chip-advantech-ransom-demand/161691/

The ransomware group has leaked stolen data to add pressure on the
company to pay up.

Advantech, the chip manufacturer, has confirmed that it received a
ransom note from a Conti ransomware operation on Nov. 26 demanding 750
Bitcoin, which translates into about $14 million, to decrypt
compromised files and delete the data they stole.

Just to let Advantech know they weren’t bluffing, the scammers
published a list of files from a stolen .zip archive on their leak
site. The ransom note claimed that the 3.03GB of data posted on the
leak site accounted for about 2 percent of the total amount of data
ripped off from Advantech.

Advantech specializes in internet-of-things (IoT) intelligent systems,
Industry 4.0, machine automation, embedded computing, embedded
systems, transportation and more.

A statement provided to Bleeping Computer on behalf of Advantech
acknowledged the attack and said “the stolen data was confidential but
only contained low-value documents.” The statement added that the
company is recovering and “functioning normally,” and will not be
commenting on whether the ransom was paid.

Ransomware Leak Sites

Professionalized ransomware groups including Conti, Ragnar Locker,
Maze, Clop and others have been exploiting security holes created by
the emergency shift to remote work due to the pandemic, coupled with
well-publicized leak sites to wreak havoc and wring millions out of
unsuspecting companies like Advantech. And in the case of Advantech,
the longer it waits to decide, the more expensive the ransom gets.

“In August 2020, the Conti ransomware group created a data leak
website, called Conti.News, following the trend of other highly
successful ransomware variants, such as Maze, Sodinokibi and
NetWalker,” Digital Shadows threat researcher Kacey Clark told
Threatpost. “The group’s ransom demands require victims to make their
payments in Bitcoin, and for each day a victim does not contact the
attackers, the ransom demand increases by BTC 0.5.”

Clark added that Conti ransomware was likely developed by the same
group behind Ryuk ransomware.

“Ryuk version 2 code and Conti ransomware code maintain notable
similarities, the Conti ransom note uses the same template utilized in
early Ryuk ransomware attacks and Conti ransomware operators appear to
leverage the same TrickBot infrastructure used in Ryuk ransomware
attacks,” she said.

Ransomware Rising

Kaspersky researchers released a report Monday that said ransomware
will be one of cybersecurity’s biggest threats in the year ahead, and
pointed specifically to leak sites as the single biggest factor
driving up ransom prices.

“Due to their successful operations and extensive media coverage this
year, the threat actors behind targeted ransomware systematically
increased the amounts victims were expected to pay in exchange for not
publishing stolen information,” Kaspersky researchers said. “This
point is important because it is not about data encryption anymore,
but about disclosing confidential information exfiltrated from the
victim’s network. Due to payment card industry security and other
regulations, leaks like this may result in significant financial
losses.”

It’s up to organizations to shore up their defenses in preparation for
the next inevitable ransomware attack, researchers noted.

Ransomware Defenses

The first line of defense is a regular, smart backup strategy,
according to Shawn Smith, DevOps engineer at nVisium.

“Attacks like this are why proper backups and disaster recovery plans
are so vital,” Smith said in an email to Threatpost. “In the
unfortunate event a breach manifests, as long as you have proper
backups, you can restore files, resume operations and start to
mitigate the fallout. Attackers aren’t trustworthy given the nature of
what they do, and if you put yourself in a situation where you’re
forced to pay them money, your results may vary wildly depending on
the group you have to deal with.”

Besides regular data backups, basics like security awareness training,
patching and antivirus protection are all key, according to Daniel
Norman, senior solutions analyst at the Information Security Forum. He
also recommended that organizations train for ransomware response.

“Organizations should have an incident-response or crisis-management
plan for ransomware events, knowing who to contact and what to do,”
Norman advised. “This should be regularly rehearsed so that if
ransomware hits, the organization can recover swiftly.”

And while those preparations seem wise, what about companies stuck
without either a backup or a strategy? Then it comes down to which
costs more, recovery or the ransom?

“Payment of a ransom is also a contentious discussion – in many cases
the ransom may be cheaper than replacing a suite of locked devices,”
Norman said. “Therefore, it becomes a cost-decision. However, you can
never trust that the attacker will unlock the devices, so it remains a
grey area.”
