Ransomware attack hit Ukraine energy ministry website

Cyber attack on Ukraine’s energy ministry shows that websites remain a weak point for many organisations online, say security experts

Cyber attackers have targeted the website of Ukraine’s energy and coal ministry, but the websites of state-run energy companies have not been affected.

As of 7.34am GMT, a message posted in English on the website demanded a ransom paid in bitcoin to recover encrypted files, reports Reuters, quoting a ministry spokeswoman.

“Our specialists are working on it right now. We do not know how long it will take to resolve the issue,” the spokeswoman said.

Commenting on the attack, James Brown, global vice-president, technology solutions, at Alert Logic, said websites continued to be the “soft underbelly” of any organisation on the internet. 

“Luckily, in this case, it is an attack against the energy ministry website rather than an attack against the energy grid itself. However, it does raise the issue that even high-profile government ministries can be targeted,” he said, adding that it was a high-profile embarrassment for a government department to be caught out in this way.

Chris Doman, security researcher at AlienVault, said that while attacks against Ukraine had impersonated ransomware before to cover their true aim of pure destruction, and in many cases energy companies such as this have been a prime target, this case appears to be something more mundane.

The attacker, who is using the handle “Zakaria”, appears to have given the ministry a time limit to pay the ransom of 0.1 bitcoin (£665), but has provided instructions on how to pay the ransom, with the option of contacting the attacker via a Gmail account.

According to Doman, the payment address supplied has received payments for presumably previously compromised sites in 2017.

“What has probably happened here is that a hacktivist has hacked the site for fun, then the criminal ransomware attacker has used their backdoor to try to make some money.

“They appear to have done the same with a Russian website, faneurope.ru, where a hacktivist reported hacking the site, but then someone else added their ransomware payment screen to it,” he said.

Lee Munson, security researcher at Comparitech, said it was difficult at this stage to tell whether the ransomware attack was targeted or random.

“However, I suspect the truth may be more to do with the potential financial return from a random ransomware attack, with the ministry simply being the most high-profile successful target.

“Whatever the truth, ransomware is set to feature heavily in future attacks, both in terms of its ability to generate funds for those behind it, as well as for its disruptive capabilities that can distract ahead of other types of attacks,” he said.

Commenting on ransomware attacks in general, Eva Prokofiev, senior threat intelligence analyst at CyberProof, said such attacks were relatively easy to build and execute, and they could have a very good return for threat actors.

“Any organisation looking to protect their digital assets from ransomware should ensure they are adequately communicating the threat to board members and executives to ensure proper investment in proactive cyber defence, rather than wait for the company to come under attack,” she said.

Mark James, security specialist at ESET, said ransomware attacks not only caused extreme disruption, but in some cases, could also mean the loss of personal or private files forever.

“Any organisation that opts to pay the ransom should understand that their money could end up funding further illegal, illicit services or products, and because they have let the attackers know they are willing to pay, they are also highly likely to receive further attacks.

“Offline or hardware point-in-time backups are the only 100% way to recover from a ransomware attack. Yes, you might get your files back if you pay the ransom, and yes, you might be lucky enough to win the lottery tonight, but sadly the odds are not in your favour,” he said.

Earlier this week, it emerged that the US city of Atlanta spent more than $2.6m on emergency efforts to respond to a ransomware attack that destabilised municipal operations in March.

The attackers reportedly used SamSam ransomware to infect the city’s IT systems and demanded payment of around $50,000 in bitcoin to restore them, but then appeared to have taken the payment portal offline before the city had a chance to pay, according to Wired.

The high cost of recovering from the attack further underlines the importance of ensuring that organisations’ IT systems are protected from ransomware attacks through good cyber security practices such as an efficient patching regime, network segmentation and making regular, tested backups of all data.
