RansomEXX virus is responsible for the cyberattack on CNT

The public company Corporación Nacional de Telecomunicaciones (CNT) is experiencing a complex situation due to a cyber attack. Last Thursday, July 22, 2021, the Minister of Telecommunications, Vianna Maino, confirmed that it was an attack by a computer virus from the RansomEXX family.

The Minister of Telecommunications explained the situation of the state telephone company.

“This type of threat can attack various instances: the physical place, the network or the databases, ” said the Minister and specified that, in the case of CNT, “it only affected computer systems.”

Thus, the operation of areas such as billing, activations and recharges was altered.

A list of high-profile entities

EL COMERCIO accessed, through an encrypted and amnesiac system, the address on the ‘ deep web ‘. There are ‘links’ to various attacks carried out with the same code.

Among the institutions previously attacked are the Castelló City Council, in Spain; the Japanese manufacturer of printing equipment Konica Minolta; Pertamina EP, an Indonesian public oil firm; Ultrapar Participações SA, a Brazilian fuel transportation company; the Texas Department of Transportation, in the United States; Embraer SA, a Brazilian aerospace conglomerate; among others.

When entering the CNT link, there are 23 links with information allegedly stolen. But Maino said yesterday that there is no evidence that sensitive information has been compromised or stolen.

Each of the links contains 500 megabytes. In total they add up to around 11.23 gigabytes. According to the group of cybercriminals initially, they could have downloaded 190 gigabytes in internal files of the telecommunications company.

EL COMERCIO downloaded some of these files compiled in 23 .zip files to a secure storage. Before starting, through the MD5 hash, this Journal verified that the files matched the hash provided.

MD5 is a cryptographic reduction algorithm commonly used for download verification. When a minimal part of any file is modified, the value of the MD5 changes. Thus, if a downloaded file matches the hash provided, it means that it has not been altered.

Temporary solutions for clients

Due to the prompt response of the state entity, it was also possible to maintain the operation of the services offered (fixed telephony, mobile and Internet).

Maino admitted that there is slowness in “interconnections” with other entities, such as the Civil Registry. “This has been due to the reinforcement of security,” said the official.

For cybersecurity expert Fabricio Zules, data protection and hacking control work can take a few weeks.

For now, the Minister affirmed that user services such as surcharges and payments by banks are 100% operational, with the exception of the services in CNT agencies “due to security protocols.” In addition, customers who have not been able to cancel their pending values ​​will not have their service cut off or additional values ​​will be applied for late payments or penalties.

The prepaid lines that have made ups in recent months will receive a bonus of 1 GB Internet at no extra cost, which is automatically activated and will be communicated in the coming days, the public company said.

Anatomy of a ransomwre

Ransomware is a form of extortion in which the attacker encrypts the information stored on the compromised system, with a decryption key that only the cybercriminal has access to. To deliver the key, the attacker asks for a ransom.

A ransomware has two main characteristics:

1. By penetrating a system it seeks to expand.
2. It will immediately start to encrypt the data inside.

A Cybereason analysis of the malware used by RansomEXX identified that this family of ransomware has been in use since 2018. Although, initially, RansomEXX used vulnerabilities in Windows, a variant for Linux began to be registered in mid-2020. The latter was identified by Kaspersky Lab.

Security analysts call this type of attack ‘big-game hunter ‘ or human-operated ransomware. They are groups that look to large organizations to collect large rewards, knowing that there are companies or government agencies that cannot afford the cost of being idle while their systems recover.

In the case of CNT, the external attack occurred on July 14. That same day the company received a ransom request, the Minister explained. “After her (the request), the CNT has not received any request for ransom (…). No information has been seized; no money has been discussed. There is no type of negotiation in progress,” he said.

For the official, the ends would not be economic and said that the Prosecutor’s Office must investigate the true motivations.

As cryptocurrencies are an anonymous exchange method, it is usually the means of payment with which attackers request ransoms. The mechanism has become so common that the United States even decided in early June to give ransomware attacks a priority similar to terrorist activities, in order to have more resources to combat potential threats.

This new rating for ransomware hacks followed a major attack on a US pipeline, which left much of the country’s southeast coast without fuel for several days. According to Chainalysis, in 2020 the value of cryptocurrencies received by ransomware addresses amounted to USD 406 million.