Pierluigi Paganini November 29, 2019

According to a confidential report from the Dutch National Cyber Security Centre (NCSC), at least 1,800 companies were infected with 3 ransomware.

A confidential report published by the Dutch National Cyber Security Centre (NCSC) revealed that at least 1,800 companies are affected by three strains of ransomware across the world.

According to the report, the three ransomware LockerGoga, MegaCortex, and Ryuk) involved in the attacks were sharing the same infrastructure.

The NCSC did not name the companies infected with the ransomware, it only revealed that hackers targeted organizations having revenues of millions or billions.

The companies are from various industries, including the automotive industry, construction, chemical, health, food, and entertainment.

“Various Dutch companies have been hit by advanced hostage software. This appears from a confidential report from the National Cyber ​​Security Center, which is in the hands of the NOS.” reads The Dutch Broadcast Foundation (NOS) website. 

“Which companies are involved is unknown, as is the number of affected Dutch companies. Worldwide there are at least 1800 affected companies and the number of Dutch companies is a relatively small part, writes the NCSC.”

The NOS confirmed that Dutch branches of multinationals have also targeted by the ransomware-attacks, including an American chemical company that is a supplier of critical infrastructure in the Netherlands.

“We conducted this investigation following disruptive ransomware attacks abroad,” said an NCSC spokesperson. 

The malware campaign likely began in July 2018, and NCSC experts speculate the attackers may have exploited zero-day vulnerabilities to spread the ransomware.

In May, security experts at Sophos discovered the MegaCortex ransomware while it was targeting corporate networks. At the time, MegaCortex attacks were reported in the United States, Italy, Canada, France, the Netherlands, and Ireland.

LockerGoga was first spotted earlier in January, it was initially discovered after attacks were launched against European companies, such as Altran Technologies in France and also Norsk Hydro.

The list of victims of the Ryuk ransomware is long, it includes hospitals, municipalities, and private businesses.

The fact that the three ransomware families were using the same infrastructure and leveraged zero-day exploit to infect systems suggests that the attacks were conducted by a group of well-resourced same cybercriminals. The use of a shared infrastructure could also suggest that someone is offering it as a service.

Experts also warn that some ransomware also exfiltrates data from infected systems before encrypting their files with the intent to resell the information on the dark web or blackmail twice the victims once that will pay the ransom.

NCSC recommends organizations to be vigilant on potential threats. “Companies still do not take all basic measures,” a spokesperson said via email. “Run updates, make sure your staff are aware of the digital threats and make backups.”

Pierluigi Paganini

(SecurityAffairs – malware, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]