[BreachExchange] Security Firm Prosegur Hit By Ryuk Ransomware

Destry Winant destry at riskbasedsecurity.com
Mon Dec 2 10:12:26 EST 2019


Global security company Prosegur says that Ryuk ransomware caused an
outage on Wednesday, which some people claimed hampered networked

In a tweet, the company says the ransomware "has been fully contained
and the company has already deployed all the necessary mitigatory
controls. Likewise, Prosegur has already begun the process of
restoring its service."

Madrid-based Prosegur didn't detail the ransom demanded by its
Ryuk-wielding attackers or whether company officials have considered
paying it. Some cyber insurance policies will cover the cost of paying
all or part of a ransom. But many security experts and law enforcement
officials warn that paying ransomware drives cybercriminals to
continue such attacks.

Prosegur offers a variety of security services, including guards and
armored vehicles for moving cash. It also develops alarm systems,
security monitoring applications and cash-handling systems. The
company is a large player globally, sporting more than 170,000

Alarm Trouble

Prosegur's website went offline on Thursday but it's now back online,
says U.K. security researcher Kevin Beaumont.

The incident may have disrupted networked alarm systems. Beaumont
tweeted screenshots of tweets from users who appeared to be reporting

Prosegur incident is just over a day old, customers and resellers are
taking to Twitter saying alarms aren’t working and resellers saying
they’re getting abusive calls from their customers. An entire
ecosystem of security and cash handling services are up in the air.

The company has remained oblique about the broader effects of the
attack. Efforts to reach a Prosegur spokesperson on Friday outside of
business hours were not immediately successful.

Investigation Underway

In its Twitter statement, Prosegur says it has "initiated an
investigation in order to determine the typology of the incident, its
behavior, evaluation of the scope and definition of containment and
recovery procedures, all of them included in a response plan for
incidents of information security." The company says it has
established a multidisciplinary team to investigate.

Prosegur also noted that the Ryuk ransomware has hit other
organizations in Spain over the past few months. In fact, Ryuk has
taken a toll worldwide this year (see 11 Takeaways: Targeted Ryuk
Attacks Pummel Businesses).

The U.S. Department of Health and Human Services warned on Aug. 30 of
the threat Ryuk poses to healthcare organizations. Ryuk infections
often carry a ransom demand of between 15 and 50 bitcoins - worth
$114,000 to $380,000 as of Friday - according to Check Point Software
Technologies research cited by HHS. Check Point and other security
companies believe Ryuk has been derived from the Hermes ransomware
(see Alert: 'Ryuk' Ransomware Attacks the Latest Threat).

Ryuk-wielding attackers typically target victims via malicious emails,
which oftentimes drive them to sites hosting exploit kits, HHS says.
Such exploit kits typically try to attack the computer using various
software vulnerabilities. If those flaws get successfully exploited,
the exploit kit can install and execute malicious code - such as
ransomware - on the targeted system.

Cybersecurity firm CrowdStrike believes that Ryuk is run by a group -
dubbed "Wizard Spider" in CrowdStrike parlance - likely operating from
Russia. That same group has been tied to Trickbot malware, which is an
advanced banking Trojan that's been around for at least three years,
the security firm says (see TrickBot Variant Enables SIM Swapping
Attacks: Report).
