Greece's public postal service offline due to ransomware attack

ELTA, the state-owned provider of postal services in Greece, has disclosed a ransomware incident detected on Sunday that is still keeping most of the organizations services offline.

An initial statement about the attack came on Monday, when ELTA announced the cause of a service disruption, claiming that its immediate response and isolation of the entire data center has helped mitigate the impact.

In a new announcement today, the organization has shared more details about the incident and updated its customers about the extent of the service outages.

More specifically, its IT teams have determined that the threat actors exploited an unpatched vulnerability to drop malware that allowed access to one workstation using an HTTPS reverse shell.

The ultimate goal of the cyberattack, according to today's press release, was to encrypt systems critical to ELTA's business operation. The organization does not mention anything about a ransom demand.

Bleeping Computer has reached out to the organization for more details about the attack but our repeated attempts have remained unanswered.

Since most ransomware attacks these days come with a data theft component, the threat actors might have had access to customer names, addresses, and even payment details, but this has not been confirmed.

The Greek consumer data protection authority has been informed accordingly, so if there has been a data breach, it will be determined independently.

Country-wide service disruption

Currently, ELTA can't offer services of mail post, bill payments, or process any form of financial transaction order. The organization has no estimate of when these services will be made available again.

On the ELTA Facebook page, users are also reporting problems tracking their parcels and not having access to the web labeling services.

At this time, the agency's IT teams are thoroughly examining more than 2,500 computers, installing security software tools, and ensuring that all malicious payloads have been uprooted before they re-integrate them into the network.

The presence of a single backdoor may give threat actors access to ELTA's entire corporate network through lateral movement, attempting large-scale encryption again.

Until all systems have been checked and services return to normal, the agency has advised customers to use its subsidiary instead, ELTA Courier, which has not been impacted by the cyberattack.