The ransomware group has leaked stolen data to add pressure on the company to pay up.
Advantech, the chip manufacturer, has confirmed that it received a ransom note from a Conti ransomware operation on Nov. 26 demanding 750 Bitcoin, which translates into about $14 million, to decrypt compromised files and delete the data they stole.
Just to let Advantech know they weren’t bluffing, the scammers published a list of files from a stolen .zip archive on their leak site. The ransom note claimed that the 3.03GB of data posted on the leak site accounted for about 2 percent of the total amount of data lifted ripped off from Advantech.
Advantech specializes in internet-of-things (IoT) intelligent systems, Industry 4.0, machine automation, embedded computing, embedded systems, transportation and more.
A statement provided to Bleeping Computer on behalf of Advantech acknowledged the attack and said “the stolen data was confidential but only contained low-value documents.” The statement added that the company is recovering and “functioning normally,” and will not be commenting on whether the ransom was paid.
Ransomware Leak Sites
Professionalized ransomware groups including Conti, Ragnar Locker, Maze, Clop and others have been exploiting security holes created by the emergency shift to remote work due to the pandemic, coupled with well-publicized leak sites to wreak havoc and wring millions out of unsuspecting companies like Advantech. And in the case of Advantech, the longer it waits to decide, the more expensive the ransom gets.
“In August 2020, the Conti ransomware group created a data leak website, called Conti.News, following the trend of other highly successful ransomware variants, such as Maze, Sodinokibi and NetWalker,” Digital Shadows threat researcher Kacey Clark told Threatpost. “The group’s ransom demands require victims to make their payments in Bitcoin, and for each day a victim does not contact the attackers, the ransom demand increases by BTC 0.5.”
Clark added that Conti ransomware was likely developed by the same group behind Ryuk ransomware.
“Ryuk version 2 code and Conti ransomware code maintain notable similarities, the Conti ransom note uses the same template utilized in early Ryuk ransomware attacks and Conti ransomware operators appear to leverage the same TrickBot infrastructure used in Ryuk ransomware attacks,” she said.
Kaspersky researchers released a report Monday that said ransomware will be one of cybersecurity’s biggest threats in the year ahead, and pointed specifically to leak sites as the single biggest factor driving up ransom prices.
“Due to their successful operations and extensive media coverage this year, the threat actors behind targeted ransomware systematically increased the amounts victims were expected to pay in exchange for not publishing stolen information,” Kaspersky researchers said. “This point is important because it is not about data encryption anymore, but about disclosing confidential information exfiltrated from the victim’s network. Due to payment card industry security and other regulations, leaks like this may result in significant financial losses.”
It’s up to organizations to shore up their defenses in preparation for the next inevitable ransomware attack, researchers noted.