Telkom has fallen victim to the group behind the Sodinokibi ransomware, also known as REvil, security researchers have told MyBroadband.
The group has taken responsibility for an attack on Telkom and has threatened to leak the Telkom client database in a post on its dark web blog.
Bleeping Computer recently reported that the REvil / Sodinokibi group is one of several ransomware operators that steals sensitive data from victims and leaks it on the dark web if their targets don’t give in to their extortion demands.
The group has recruited a team of affiliates who carry out attacks on corporate networks.
One security researcher, who goes by Ransom Leaks on Twitter, told MyBroadband that Sodinokibi is a “ransomware as a service” platform.
“Hackers actually sign up as partners or affiliates and deploy this ransomware. When a victim pays for decryption the partner gets like 60% of the ransom,” the researcher said.
“This leaking is part of the platform’s service to its partners to help them win more payments.”
Ransom Leaks speculated that the Sodinokibi / REvil affiliate could easily have tried to extort $1 million (USD) out of Telkom.
“This ransomware group is known to go ‘Big Game Hunting’, so the ransom could be quite large.”
Attack on Telkom
These further reports that Telkom was indeed the victim of a ransomware attack come after the company denied that its systems had been infected with ransomware.
Telkom later amended its official statement to say that it had not been infected with the PonyFinal ransomware.
This followed industry speculation that Telkom fell prey to the PonyFinal ransomware, for which Microsoft Security Intelligence issued an alert on 27 May.
Industry sources told MyBroadband that downtime across several Telkom systems over the weekend, including its call centre, was due to a ransomware attack.
Staff working remotely were unable to connect to servers or the Telkom virtual private network.
However, Telkom told MyBroadband that it was just dealing with a malware infection, not ransomware.
Telkom said that it became aware of an internal malware infection on Friday, 29 May 2020, and shut down all systems and call centres as a precaution. Its network remained operational during this time, Telkom said.
Some systems were restored on Saturday, though Telkom’s call centres remained offline. By Monday, Telkom announced that its call centres were back online.
Brett Callow, a threat analyst with Emsisoft, said that Telkom’s statement that it was not infected with ransomware may be accurate even if REvil is responsible for the attack.
“Actors typically have access to a network for days, weeks or even months attempting to deploy ransomware and use that time to move laterally through the network and, in some cases, steal data,” Callow said.
“It’s possible that REvil was able to exfiltrate some data, but Telkom noticed and neutralized the attack prior to ransomware being deployed and having important files encrypted.”
Stolen Telkom data will be leaked slowly – Researcher
Currently, the Sodinokibi blog on the dark web only contains a placeholder for the Telkom attack.
“They have never taken credit for something they didn’t do,” Ransom Leaks told MyBroadband.
The researcher explained that the group will publish some samples of the Telkom client database, followed by multiple rounds of leaks.
“They will give Telkom more time to pay to stop the future leaks by breaking it into multiple leaks.”
Telkom acknowledged MyBroadband’s request for comment and said it would provide feedback as soon as it was able.