Ransomware, Breach, Content

Ransomware Hackers Hit Ukraine’s Energy Ministry Website

Hackers dismantled Ukraine’s energy ministry website on Tuesday, encrypting files in a targeted ransomware attack that officials deemed an “isolated incident.”

The cyber kidnappers posted on the website a message in English demanding 0.1 Bitcoin, equivalent to about $940, to retrieve the encrypted files, Reuters reported. A Ukrainian cyber police official said the energy ministry’s email was operational and that no other government websites had been compromised.

At this point, the Ukrainian government has not indicated if it will acquiesce to the relatively small ransom demand or when it expects the downed site will be up and running.

Security specialist AlienVault told the BBC that the attack appears to be the work of two different cyber gangsters. The first bad actor, going by the name “X-zakaria,” set fire to the webpage while a second, perhaps opportunistic, extortionist encrypted files and put up a ransomware screen with a demand for money. There's no evidence to say the attackers worked in tandem.

"What has probably happened here is that a hacktivist has hacked the site for fun, then the criminal ransomware attacker has used their backdoor, which you can see at the bottom of the page, to try and make some money," AlienVault security researcher Chris Doman told the BBC.

Ukraine has routinely blamed Russia for cyber attacks inflicted on its critical infrastructure but it's unlikely these hackers were nation-state sponsored, Doman suggested. “In this case, the evidence points to something more mundane," he said.

What’s always difficult to tell with any certainty is if an attack is a trial balloon for something far larger and more sinister to follow. Certainly, there are substantial precedents. Last October, a ransomware attack called Bad Rabbit, thought to be a new Petya malware variant, spread from Russia and the Ukraine to countries worldwide, including the U.S. That attack affected systems at three Russian websites, an airport in Ukraine and an underground railway in Kiev.

Three months earlier a far more extensive and insidious ransomware attack hit Ukraine's government, national bank, transportation services and largest power companies in an online extortion that quick spread worldwide and infected a number of critical infrastructure providers. The attack, fueled by the NotPetya malware, reverberated to some multinational corporations, including Federal Express, drug giant Merck, legal firm DLA Piper, global shipper Maersk and Nivea.

Overall, while the number of ransomware variants has shrunk, the incidents have increased. In February, Christopher Young, McAfee CEO, told CNBC that ransomware is “today’s modern-day extortion and it's something that criminals are going to continue to drive because they can make money, and that's something that we're very concerned about.”

According to Verizon’s 2018 Data Breach Investigations Report, ransomware attacks accounted for nearly half of all malware incidents in 2017, making it the “most prevalent variety of malicious code” in 2017.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.