Pierluigi Paganini
September 10, 2020
Equinix, one of the leaders in the global colocation data center market share, with 205 data centers in 25 countries on five continents, was hit by Netwalker ransomware operators.
The popular cybercrime gang is demanding a $4.5 million ransom for a decryptor and to prevent the release of the stolen data.
The company disclosed the incident in a statement published on its website, it confirmed the ransomware attack that hit many internal systems, fortunately, the main core of its services to the customers was not impacted unaffected.
“Equinix is currently investigating a security incident we detected that involves ransomware on some of our internal systems.” reads the statement.
“Our data centers and our service offerings, including managed services, remain fully operational, and the incident has not affected our ability to support our customers.”
The ransom note employed in this attack was specifically crafted for Equinix and includes a link to a screenshot of the stolen data.
The screenshot shared by the Netwalker ransomware operators shows folders from infected systems allegedly containing company data, including financial information and data center reports.
The Netwalker ransomware gang is asking the victims to contact them within 3 days to avoid the leak of the stolen data.
Below the text of the ransom note shared by BleepingComputer.
“LOOK AT THIS SCREENSHOT https://prnt.sc/[redacted]
IF YOU NOT CONTACT US WE WILL PUBLISH YOUR DATA TO PUBLIC ACCESS. YOU CAN TAKE A LOOK AT OUR BLOG [redacted]
YOU HAVE 3 DAYS TO CONTACT US OR WE WILL MAKE POST IN OUR BLOG, CONTACT ALL POSSIBLE NEWS SITES AND TELL THEM ABOUT DATA BREACH “
The ransom note also includes a link to the Netwalker Tor payment site, threat actors are demanding a $4.5 million ransom (455 bitcoin). If the company will not pay in time, the ransom would double.
The latest timestamp on the folders is 9/7/20, a circumstance that suggests the security breach took place recently.
“Note that as most customers operate their own equipment within Equinix data centers, this incident has had no impact on their operations or the data on their equipment at Equinix.” concludes the statement. “The security of the data in our systems is always a top priority and we intend to take all necessary actions, as appropriate, based on the results of our investigation.”
Netwalker ransomware gang is very active in this period, in a few days it announced the hack of K-Electric, the major Pakistani electricity provider, and Argentina’s official immigration agency, Dirección Nacional de Migraciones.
Another victim of the group is the University of California San Francisco (UCSF), who decided to pay a $1.14 million ransom to recover its files.
Recently the FBI has issued a security alert about Netwalker ransomware attacks targeting U.S. and foreign government organizations.
The feds are recommending victims, not to pay the ransom and reporting incidents to their local FBI field offices.
The flash alert also includes indicators of compromise for the Netwalker ransomware along with mitigations.
The FBI warns of a new wave of Netwalker ransomware attacks that began in June, the list of victims includes the UCSF School of Medicine and the Australian logistics giant Toll Group.
The Netwalker ransomware operators have been very active since March and also took advantage of the ongoing COVID-19 outbreak to target organizations.
The threat actors initially leveraged phishing emails delivering a Visual Basic Scripting (VBS) loader, but since April 2020, Netwalker ransomware operators began exploiting vulnerable Virtual Private Network (VPN) appliances, user interface components in web apps, or weak passwords of Remote Desktop Protocol connections to gain access to their victims’ networks.
Recently the Netwalker ransomware operators were looking for new collaborators that can provide them with access to large enterprise networks.
Below the recommended mitigations provided by the FBI:
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Netwalker)
[adrotate banner=”5″]
[adrotate banner=”13″]
