Telecom Argentina, one of the largest internet service providers in Argentina, was hit by a ransomware attack. Ransomware operators infected roughly 18,000 computers during the weekend and now are asking for a $7.5 million ransom.
The incident took place on Saturday, July 18, it had a severe impact on the company operations. The attackers initially gained access to the company network, then they took control over an internal Domain Admin and used the access to infects thousands of machines.
The incident did not cause connectivity issues to the ISP’s customers, fixed telephony or cable TV services were not affected to.
Many websites operated by Telecom Argentina were taken offline by the attack. The security researcher German Fernandez speculated the involvement of REvil ransomware in the attack against Telecom Argentina.
Immediately after the attack was detected by the internal IT staff, the company warned its employees of not connecting its internal VPN network and avoiding opening emails with suspicious archive attachments.
REvil (Sodinokibi) ransomware gang published a page dedicated to the Telecom Argentina on its dark web payment portal.
The page on the portal shows a ransom demand of 109345.35 Monero coins (approximately $7.53 million). Anyway at the time of writing, the ransomware gang did not include Telecom Argentina in the list of its victims on its dark web leak site. The ransomware operators are threatening the ISP to double the ransom if it will not pay the ransom after three days.
Telecom Argentina was not the first ISP targeted by REvil ransomware operators, in May the gang infected systems at Sri Lanka Telecom.
Recently another ISP was hit by a ransomware attack, in early July Orange SA suffered an attack that reportedly exposed the data of 20 of its enterprise customers.
(SecurityAffairs – hacking, REVil ransomware)