After suffering a ransomware attack by the Hive operation, the Bank of Zambia made it clear that they were not going to pay by posting a picture of male genitalia and telling the hackers to s… (well, you can use your imagination).
Last week, the Bank of Zambia, the country's central bank, disclosed that recent technical outages resulted from a cyberattack.
"The Bank of Zambia wishes to inform members of the public that it experienced a partial disruption to some of its Information Technology (IT) applications on Monday 9th May 2022," disclosed the bank in a press release.
"The disruption, which affected some systems at the Bank such as the Bureau De Change Monitoring System and the Website, emanated from a suspected cybersecurity incident. We wish to advise that these systems have since been fully restored."
A texticular response
While the Bank of Zambia did not disclose the details of the cyberattack, BleepingComputer learned that the attack was conducted by the Hive ransomware operation, which claimed to have encrypted the bank's Network Attached Storage (NAS) device.
However, instead of paying the ransom, the bank representatives responded to the ransom negotiation by making fun of the hacker's '14m3-sk1llz.'
They then proceeded to post a link to a dick pic while stating, "suck this dick and stop locking bank networks thinking that you will monetize something, learn to monetize."
When BleepingComputer saw this chat on Monday, it was assumed that unrelated individuals hijacked the negotiation chat, which we have seen numerous times in the past.
This chat led security researcher MalwareHunterTeam to post a poll asking whether people felt pics like this in a ransom negotiation meant it was hijacked or the message was from the victim.
The poll results were surprising, with the majority of responders saying it was from the victim.
If dick pics appear in a payment site page / chat for a victim of a ransomware gang, it means that:
A: some idiot got access to the chat
B: the victim does not plan to pay the ransom and so is sending some "kind" message to the actors.
— MalwareHunterTeam (@malwrhunterteam) May 16, 2022
Today, Bloomberg reported that the Bank's Technical Director, Greg Nsofu, said they had protected the bank's core systems, so it was not necessary to engage with the threat actors.
However, Nsofu said, "So we pretty much told them where to get off," confirming that it was someone affiliated with the bank who responded to Hive.
The bank’s response to the threat actors may not be the proper method for all organizations, but they should be lauded for making it clear that they would not give in to the attackers’ demands.
While ransomware remains a massive problem for enterprise and home users alike, the best way to end this scourge is simply not to pay ransoms and recover from backups.
If non-payment is coupled with increased law enforcement action and government sanctions, we will hopefully see ransomware operations slowly fade away.
BleepingComputer has contacted the Bank of Zambia with further questions about this incident but has not received a response.
Comments
zamroni - 1 year ago
The most basic anti malware defences are up to date antivirus and security patches.
Don't ever think you know your software better than the manufacturers who make the patches and the hackers who attack unpatched systems.
yawnshard - 1 year ago
Snake oil and patches won't protect you from 0-days that are only ever fixed one update later, next month. I'd use backups that are forcibly taken offline. An airgapped robot in a tape library performing overnight backups and moving the cartridges into an archive. Safety is a function of how many backups you can financially afford and check to make sure they are not compromised. Where compromised is a function of: "Did all my file hashes suddenly change?" -> encrypted!
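The "did all my file hashes suddenly change?" check from the comment above, written out as an added example (not code from the article, BleepingComputer or any commenter); it also catches files that were renamed rather than overwritten in place, which a plain per-path hash comparison would miss. The sample file set, the ".locked" extension and the thresholds are constructed assumptions.

```python
"""Added example: a mass-change gate a backup job can run before rotating a new
snapshot into the archive. Sample data and thresholds are constructed."""
import hashlib
import math
from collections import Counter


def sha256_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map each path to the SHA-256 hex digest of its content."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in files.items()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text and office files sit well below 7.5, ciphertext near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def assess_snapshot(prev: dict[str, str], files: dict[str, bytes],
                    churn_threshold: float = 0.5, entropy_threshold: float = 7.5) -> dict:
    """Compare a fresh snapshot with the previous manifest.

    Counts overwritten files (same path, new hash) and vanished files (ransomware
    usually renames with a new extension, so they show up as removed + added), and
    flags the snapshot for quarantine when most of the old set churned and the new
    content looks encrypted.
    """
    cur = sha256_manifest(files)
    changed = [p for p in prev if p in cur and cur[p] != prev[p]]
    removed = [p for p in prev if p not in cur]
    added = [p for p in cur if p not in prev]
    churn = (len(changed) + len(removed)) / len(prev) if prev else 0.0
    suspect = changed + added  # content the previous snapshot never saw
    high_entropy = [p for p in suspect if shannon_entropy(files[p]) >= entropy_threshold]
    quarantine = churn >= churn_threshold and len(high_entropy) >= max(1, len(suspect) // 2)
    return {"churn": churn, "changed": changed, "removed": removed, "added": added,
            "high_entropy": high_entropy, "quarantine": quarantine}


def fake_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 counter stream) standing in for encrypted output."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


# Constructed sample data: one file edited on a normal day vs. every file encrypted and renamed.
BASELINE = {f"docs/report{i}.txt": f"quarterly figures {i}\n".encode() * 200 for i in range(10)}
NORMAL_DAY = {**BASELINE, "docs/report3.txt": b"quarterly figures 3 (revised)\n" * 200}
ENCRYPTED_DAY = {p + ".locked": fake_ciphertext(p.encode(), len(d)) for p, d in BASELINE.items()}
```

A snapshot flagged `quarantine` should be kept aside rather than allowed to age out the last known-good copies.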
EndangeredPootisBird - 1 year ago
The problem is that signatures and virus databases can only do so much; there's many cases of malware remaining completely undetected for years.
Also, technologies like AI/ML, sandboxing, etc., can be easily defeated:
https://vanmieghem.io/blueprint-for-evading-edr-in-2022/
The only and most secure way to be protected is by running a default deny approach, be it if you're running a business or a private home user, only allowing pre-approved files and scripts to run, and for businesses to use a zero trust approach to ensure the employees log in from locations and access things they are known to.
GoboFraggel - 1 year ago
This is the answer. Immutable storage array. I use a flash array which takes snapshots every 5 minutes (stored for 30 days). If a hacker encrypts our data and deletes the snapshots we know immediately and I have 15 days (configurable based on your needs) to undelete the snapshots and restore our data. Restore process is a few minutes. No one, not even me can bypass this timer. This works because it is based on live data and no one can quietly encrypt live data without users complaining that they cannot work. This storage is also backed to immutable cloud storage with a retention of 7 years. I feel this is the key for now. Your solution must be based on live data, not backups which can be erased or tampered with so they are not actually backing up. Even offline air gapped backups do not meet our RPO/RTO.
NoneRain - 1 year ago
"Couple non-payment with increased law enforcement action and government sanctions, we will hopefully see ransomware operations slowly fade away".