Ecuador’s state-run Corporación Nacional de Telecomunicación (CNT) has been hit by RansomEXX Ransomware, which has disrupted general operations, customer services, and its payment portal. CNT is operated by the government and offers citizens fixed-line phone service, as well as mobile, TV, and internet connectivity.
Last week, the CNT website began to display a warning informing users that the company had been hit by ransomware.
Starting this week, the CNT website began displaying an alert warning that it had suffered an attack and that customer care and online payment are no longer accessible.
“Today, July 16, 2021, the National Telecommunications Corporation, CNT EP, filed a complaint with the State Attorney General’s Office for the crime of ‘attack on computer systems’ so that the preliminary investigation is carried out and the responsible,” read the alert translated into English.
“This attack affected the care processes in our Integrated Service Centers and Contact Center. In this regard, we indicate to our users that their services will not be suspended for non-payment.”
“We must inform our clients, massive and corporate, that their data are duly protected. We also inform that services such as calls, internet, and television operate normally.”
CNT did not officially state which strain of ransomware it was attacked with; however, cybersecurity researchers at BleepingComputer learned the attack was conducted by RansomEXX Ransomware.
Researcher Germán Fernández shared a hidden link to the cybercriminals’ data leak site, which warns that CNT’s data would be leaked if CNT did not pay the ransom.
“Your time is LIMITED! When this time will come to end, there are two ways: we will RAISE the ransom amount or PUBLISH your files. You will lose the opportunity to contact us after the data PUBLICATION. If you REALLY WANT to prevent data leaks, contact us RIGHT NOW. We have downloaded 190GB+ of your files and we are ready to publish it,” read the notice on the RansomEXX Ransomware leak site.
In a press statement, CNT said corporate and customer data are secure and have not been exposed by RansomEXX Ransomware, though that may not be the case. Not only does the gang claim to have 190GB of data, it has also shared screenshots of some of the documents on its leak site. These screenshots include contact lists, contracts, and support logs.
RansomEXX Ransomware is responsible for numerous high-profile attacks, including Brazil’s Rio Grande do Sul court system, nuclear weapons contractor Sol Oriens, and JBS, the world’s largest meat producer.
The strain was initially launched under the name Defray in 2018 but rebranded in 2020.
Like other ransomware gangs, RansomEXX will compromise a network through purchased credentials, brute-forced RDP servers, or by utilizing exploits. Once they gain access to a network, they will quietly spread throughout the network while stealing unencrypted files to be used for extortion attempts.
Interestingly, RansomEXX Ransomware also has a Linux variant, to ensure it can attack critical servers and virtual machines.
The RansomEXX gang has a history of high-profile attacks, including Brazil’s government networks, Texas Department of Transportation (TxDOT), Konica Minolta, IPG Photonics, and Tyler Technologies.
RansomEXX Ransomware Analysis
Note: This analysis was carried out by Cybereason.
The RansomEXX family, also known as Defray777 and Ransom X, runs solely as an in-memory payload that is never dropped to disk, making it highly evasive. RansomEXX was involved in three major attacks in 2020: against Texas TxDOT in May, against Konica Minolta at the end of July, and against Brazil’s court system at the beginning of November.
In addition, last December the RansomEXX Ransomware operators published stolen credentials from Embraer, one of the largest aircraft makers in the world, on their own leak site as part of the ongoing double-extortion trend.
In mid-2020, a Linux variant of RansomEXX Ransomware emerged. Despite sharing similarities with the Windows variant, it is simpler than its predecessor and lacks many features, such as disabling security software and command-and-control communication. There are decryptors for both variants, and the threat actors send paying victims a private key to decrypt their files.
This analysis focuses on the Windows variant of RansomEXX, which can be classified as fileless malware because it is reflectively loaded and executed in memory without touching the disk. Analysis of this sample reveals that it is partially obfuscated but includes indicative information such as the “ransome.exx” string that can be seen hard coded in the binary.
Upon execution, RansomEXX Ransomware starts decrypting some strings necessary for its operation. The mutex the malware creates is generated from the GUID of the infected machine.
RansomEXX Ransomware spawns a separate thread in the background to handle logging. The malware then terminates processes and system services that may interfere with its execution, while sparing those it relies on.
Cybereason detects the execution of RansomEXX Ransomware together with the commands that are executed post-encryption. These commands’ role is to prevent the victim from restoring their system by deleting backups, disabling Windows error recovery, etc. Cybereason also detects this malicious usage of built-in Windows utilities.
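As an added defender-side example (not from the article or from Cybereason), the detection logic below flags the post-encryption recovery-inhibition commands described above in constructed process-creation records, and escalates when several distinct recovery mechanisms are hit on one host within a short window. The article names no specific commands, so the rules assume the standard Windows utilities used to delete backups and disable Windows error recovery (vssadmin, wmic, wbadmin, bcdedit, wevtutil); the sample events, host names and thresholds are constructed.

```python
import re
from collections import defaultdict

# Recovery-inhibition rules over a process command line. Assumption: these are
# the standard Windows utilities for the behaviour the text describes; the
# article itself lists no commands for this family.
RULES = {
    "shadow_copy_deletion":    r"\bvssadmin(\.exe)?\s+delete\s+shadows\b",
    "wmic_shadow_deletion":    r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
    "backup_catalog_deletion": r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b",
    "recovery_env_disabled":   r"\bbcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b",
    "boot_failures_ignored":   r"\bbcdedit(\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b",
    "event_log_cleared":       r"\bwevtutil(\.exe)?\s+cl\s+\S+",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

# Constructed process-creation records: (host, epoch seconds, parent image, command line).
# Not telemetry from the CNT incident.
SAMPLE_EVENTS = [
    ("ws01", 1000, "explorer.exe", "notepad.exe C:\\Users\\a\\notes.txt"),
    ("ws01", 1001, "cmd.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("ws01", 1002, "cmd.exe", "wbadmin delete catalog -quiet"),
    ("ws01", 1003, "cmd.exe", "bcdedit /set {default} recoveryenabled No"),
    ("ws01", 1004, "cmd.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("ws01", 1005, "cmd.exe", "wevtutil cl System"),
    ("srv02", 2000, "services.exe", "vssadmin.exe delete shadows /for=D: /oldest"),
]

def match_rules(command_line):
    """Return the sorted names of every rule the command line matches."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(command_line))

def detect(events, window=300, min_distinct=2):
    """Per host: all matched rules, plus an escalation flag that is set when at
    least `min_distinct` different recovery mechanisms are hit within `window`
    seconds. A lone vssadmin call can be routine housekeeping; a burst across
    mechanisms right after encryption is the ransomware pattern."""
    hits = defaultdict(list)  # host -> [(ts, rule)]
    for host, ts, _parent, cmd in events:
        hits[host].extend((ts, rule) for rule in match_rules(cmd))
    verdicts = {}
    for host, rows in hits.items():
        rows.sort()
        escalate = any(
            len({r for t, r in rows if 0 <= t - t0 <= window}) >= min_distinct
            for t0, _ in rows
        )
        verdicts[host] = {"rules": sorted({r for _, r in rows}), "escalate": escalate}
    return verdicts

if __name__ == "__main__":
    for host, verdict in detect(SAMPLE_EVENTS).items():
        print(host, verdict)
```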
After preparing the environment, RansomEXX Ransomware encrypts the files on the victim’s machine and leaves a ransom note on the machine.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.