Hackers ransom $3000 from NT business

By Darren Pauli on Sep 24, 2012 1:25PM
Vital financial data encrypted.

A Northern Territory business has been forced to pay a $3000 ransom to hackers who had encrypted its financial records.

The business found last week that it had been locked out of vital credit and debtor invoice information stored on its network.

Hours after discovering the encrypted data, TDC Refrigeration and Electrical received an email demanding cash for the password.

Hackers had encrypted the data with 256-bit AES, IT manager Matt Cooper told SC.

“They had demanded the ransom within seven days, or it would go up another $1000, and again for every week the payment is late,” Cooper said. “I guess this is their way of making sure victims don’t try to crack the encryption.”

At the hackers' request, the money was paid through Western Union and Liberty Reserve, favoured money-transfer channels in underground circles.

Owner Jeremy Spoehr told ABC radio Alice Springs that the attackers had claimed, in broken English, that child pornography had been detected on the victim's computer and that payment must be made to unlock the files.

[Image credit: Emsisoft]

Two further Queensland businesses were also recent victims of ransomware attacks, according to Queensland Police. Those attacks appeared to use "unbreakable" encryption and were difficult to investigate properly or to trace to a source of infection.

Detective Superintendent Brian Hay said those attacks were likely linked to drive-by-download websites which used web browser exploits to compromise machines.

Origin

While the origin of the TDC hackers has not yet been determined, several indicators pointed to Eastern European nations.

The hacking hotbed of Romania was linked to similar ransomware scams in many victim accounts. The method of attack also pointed to the Eastern European nation: the hackers had reached the financial data through a series of brute-force password guesses, likely made with the DUBrute tool against exposed Remote Desktop Protocol (RDP) connections, a method the Australian Federal Police have linked to an organised criminal gang operating in the region.

That method was used in the attack which saw half a million credit cards fleeced from an Australian business, and 146,000 cards stolen from US merchants, including Subway restaurants.

Romanian cyber crime officials told current affairs program Today Tonight in March that cybercrime in that country was surging amid large raids by police.

Correspondence from the gang was professional too. Cooper said attackers immediately replied to correspondence and had provided detailed instructions to pay the ransom.

Moreover, Cooper could not find any victim accounts where attackers had taken the ransom and not unlocked the data, behaviour that would undermine the ransomware business model.

“We had to make sure they wouldn’t just run off with the cash, leaving us in a worse state,” he said.

Malware rising

The attackers had used a new malware variant designed for ransomware attacks. A fourth variant of the ACCDFISA malware – so called because it purports to demand payment on behalf of the fictitious Anti Cyber Crime Department of Federal Internet Security Agency – was deployed once the vulnerable RDP connection had been accessed.

The first ACCDFISA malware strain was detected by Emsisoft in February. The three subsequent variants grew in complexity and used different password-generation methods and application names. The malware could display a ransom notice, lock users out of their machines, encrypt files and delete backups.

Later versions prevented users from entering safe mode and used two different passwords to encrypt files, preventing users from recovering data.

Cooper said that attackers were demanding larger ransoms be paid with each new variant.

"It started off with them asking for a hundred bucks, and now they're up to $3000. I guess they are realising that they can hit up businesses for a lot more money."

Emsisoft said the best defensive measure was to strengthen RDP password security. It said there was no evidence that the recent RDP vulnerability (MS12-020) was used in the attacks.
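The intrusion path described in this article, repeated password guesses against an exposed RDP service, leaves a distinctive trail in the Windows Security log long before any files are encrypted. The script below is an added example, not code from the article, from Emsisoft or from TDC: it runs a sliding-window threshold rule over constructed, Windows-style failed-logon records (Event ID 4625 with logon type 10, the RemoteInteractive type used by RDP) and reports source addresses that rack up many failures in a short span, along with the account names they tried. The one-line record format, the sample addresses and the account names are all assumptions made up for the example; the only real identifiers are the event ID and logon type.

```python
"""Threshold detection for RDP password guessing (added example).

Not from the article or from Emsisoft. Scans constructed Security-log style
records for the pattern the article describes: a remote source producing a
burst of failed RDP logons. Event ID 4625 is a failed logon and logon type 10
is RemoteInteractive (RDP). The line format is a simplified, made-up
flattening of those event fields, not Microsoft's own export format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names mirror the 4625
# event's EventID, LogonType, TargetUserName and IpAddress attributes.
SAMPLE_LOG = [
    "2012-09-17T02:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23",
    "2012-09-17T02:00:03 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.23",
    "2012-09-17T02:00:05 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23",
    "2012-09-17T02:00:07 EventID=4625 LogonType=10 TargetUserName=root IpAddress=198.51.100.23",
    "2012-09-17T02:00:09 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23",
    "2012-09-17T02:00:11 EventID=4625 LogonType=10 TargetUserName=accounts IpAddress=198.51.100.23",
    # A staff member mistyping once and then logging in: one failure is not an attack.
    "2012-09-17T02:01:00 EventID=4625 LogonType=10 TargetUserName=mcooper IpAddress=10.0.0.5",
    "2012-09-17T02:01:05 EventID=4624 LogonType=10 TargetUserName=mcooper IpAddress=10.0.0.5",
    # A network (type 3) failure from a service account: not RDP, so ignored here.
    "2012-09-17T02:30:00 EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.0.7",
    # Slow guessing, one attempt every 15 minutes: stays under the default window.
    "2012-09-17T03:00:00 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.9",
    "2012-09-17T03:15:00 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.9",
    "2012-09-17T03:30:00 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.9",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_event(line):
    """Parse one record into a dict, or return None for a malformed line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "event_id": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window_minutes=10):
    """Flag source IPs with at least `threshold` failed RDP logons inside a
    sliding window of `window_minutes`.

    Returns {ip: {"failures_in_window": n, "accounts": [names tried]}}.
    Records are assumed to be in chronological order, as a log export is.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    accounts = defaultdict(set)   # ip -> every account name that source has tried
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        # Only failed (4625) RemoteInteractive (type 10) logons count as RDP guesses.
        if ev is None or ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        accounts[ev["ip"]].add(ev["user"])
        # Drop failures that have aged out of the window relative to this event.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["ip"]] = {
                "failures_in_window": len(q),
                "accounts": sorted(accounts[ev["ip"]]),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures_in_window']} RDP failures, accounts tried: {info['accounts']}")
```

With the defaults, only 198.51.100.23 is reported: six failures in ten seconds across four account names, the burst a tool such as DUBrute produces. The single mistyped password from 10.0.0.5 and the type-3 network failure are ignored, and the slow guesser at 203.0.113.9 only surfaces if the window is widened (for example, a threshold of 3 over 40 minutes), which is the trade-off to tune against how noisy a given environment's legitimate RDP users are. The rule is a complement to, not a substitute for, Emsisoft's advice: strong RDP passwords and an account-lockout policy blunt the guessing, while this kind of detection shows that it is happening.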

Queensland Police urged victims to contact police and anyone with knowledge of the attacks to contact Crimestoppers.

“While the loss of significant customer information is a distinct possibility, the risk you may have just provided a large volume of data to the attackers is very possible and must be addressed. The most important thing to do is to not respond to the emails and contact police,” Det Sup Hay said.

Copyright © SC Magazine, Australia

Tags: accdfisa, fraud, malware, queensland police, ransomware, scam, security
