Bretagne Télécom, a cloud service provider, was hacked by DoppelPaymer, a ransomware operation that exploited the CVE-2019-19781 vulnerability on unpatched servers.
Bretagne Télécom is a French cloud hosting telecommunications company that provides a range of services like telephony, Internet and networking, hosting, and cloud computing services to roughly 3,000 customers with 10,000 servers.
Fortunately, this is a success story with a happy ending: the ransom attack was a failure, with no data loss and no ransom paid. The company was able to restore the encrypted systems and data from backups held on Pure Storage FlashBlade arrays.
Around 30 TB of data was encrypted.
The attack took place in the first half of January and targeted servers that had not been patched, which left them vulnerable. The attackers started scanning for vulnerable servers on January 8 and attacked two days later. Patches to address the vulnerability were released soon after, with the final patch being published on January 24.
The DoppelPaymer’s operators infiltrated around 148 machines with data from “around thirty small business customers”, as Bretagne Télécom CEO Nicolas Boittin told LeMagIT.
The DoppelPaymer ransomware operators demanded a ransom of 35 bitcoins (~$330K) to decrypt the systems. Of course, the company restored the data itself and did not need the hackers' "decrypting services". Using the Rapid Restore feature of the Pure Storage FlashBlade arrays, Bretagne Télécom was able to restore all of the customers' data.
“We found the time when the attackers installed the scheduled encryption tasks. Once these tasks and the malware were removed, we were able to return to operational conditions.”
“It is not the first time that this has happened to customers. But most of the time, they are self-managing, so we didn’t interfere,” Boittin added.
“Ransomware from our customers, there may not be one per month, but not far. And we never paid. I refuse to fuel a parallel economy where we would give pirates the means to improve their systems to attack us again.”
The company recovered and restored each customer's data individually while disconnected from the network; some restores took as long as six hours. It was able to handle the attack effectively by treating it as a data breach, since in most such incidents sensitive information is compromised even before the encryption takes place.