
Security Firm Prosegur Hit By Ryuk Ransomware

Incident May Have Disrupted Networked Security Cameras

Global security company Prosegur says that Ryuk ransomware caused an outage on Wednesday, which some people claimed hampered networked alarms.


In a tweet, the company says the ransomware “has been fully contained and the company has already deployed all the necessary mitigatory controls. Likewise, Prosegur has already begun the process of restoring its service.”

Madrid-based Prosegur didn’t detail the ransom demanded by its Ryuk-wielding attackers or whether company officials have considered paying it. Some cyber insurance policies will cover the cost of paying all or part of a ransom. But many security experts and law enforcement officials warn that paying ransoms drives cybercriminals to continue such attacks.

Prosegur offers a variety of security services, including guards and armored vehicles for moving cash. It also develops alarm systems, security monitoring applications and cash-handling systems. The company is a large player globally, sporting more than 170,000 employees.

Alarm Trouble

Prosegur’s website went offline on Thursday but it’s now back online, says U.K. security researcher Kevin Beaumont.

The incident may have disrupted networked alarm systems. Beaumont tweeted screenshots of tweets from users who appeared to be reporting difficulty.

The company has remained oblique about the broader effects of the attack. Efforts to reach a Prosegur spokesperson on Friday outside of business hours were not immediately successful.

Investigation Underway

In its Twitter statement, Prosegur says it has “initiated an investigation in order to determine the typology of the incident, its behavior, evaluation of the scope and definition of containment and recovery procedures, all of them included in a response plan for incidents of information security.” The company says it has established a multidisciplinary team to investigate.

Prosegur also noted that the Ryuk ransomware has hit other organizations in Spain over the past few months. In fact, Ryuk has taken a toll worldwide this year (see 11 Takeaways: Targeted Ryuk Attacks Pummel Businesses).

The U.S. Department of Health and Human Services warned on Aug. 30 of the threat Ryuk poses to healthcare organizations. Ryuk infections often carry a ransom demand of between 15 and 50 bitcoins - worth $114,000 to $380,000 as of Friday - according to Check Point Software Technologies research cited by HHS. Check Point and other security companies believe Ryuk has been derived from the Hermes ransomware (see Alert: 'Ryuk' Ransomware Attacks the Latest Threat).

Ryuk-wielding attackers typically target victims via malicious emails, which oftentimes drive them to sites hosting exploit kits, HHS says. Such exploit kits typically try to attack the computer using various software vulnerabilities. If those flaws get successfully exploited, the exploit kit can install and execute malicious code - such as ransomware - on the targeted system.

Cybersecurity firm CrowdStrike believes that Ryuk is run by a group - dubbed “Wizard Spider” in CrowdStrike parlance - likely operating from Russia. That same group has been tied to Trickbot malware, which is an advanced banking Trojan that’s been around for at least three years, the security firm says (see TrickBot Variant Enables SIM Swapping Attacks: Report).

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
