Ukraine's energy and coal ministry website has been hit by a ransomware attack demanding Bitcoin to recover encrypted files, according to a report from Reuters citing Ukrainian cyber police spokeswoman Yulia Kvitko.
She confirmed that it was only the ministry site impacted, and not those of the state energy companies, commenting: “Ukrenergo, Energoatom - everything is okay with their sites, it's only our site that does not work.”
Although a ransom was demanded, purely disruptive cyber-attacks on Ukrainian infrastructure have become commonplace, with the authorities blaming Russia, which routinely denies involvement.
Chris Doman, security researcher at AlienVault, also points out that attacks against Ukraine have impersonated ransomware before to cover their true aim of pure destruction, and that in many cases energy companies have been a prime target, but adds, “However, in this case - the evidence points to something more mundane.
“The site http://www.mev.gov[.]ua/ still shows as compromised.
“The payment address has received payments for presumably previously compromised sites in 2017 (https://blockchain.info/address/1MjMSV1TSJ5eyAUg4nY98k19FrntRYZ8gm) - it looks like they made about £100 for their efforts.
“However, unusually the website also includes the contact details and “tag-sign” of a hacker that compromised the site.
“What has probably happened here is that a hacktivist has hacked the site for fun, then the criminal ransomware attacker has used their backdoor (which you can see at the bottom of the page) to try and make some money.
“They appear to have done the same with a Russian website ( faneurope[.]ru ), and you can see a hacktivist reported hacking the site then the same criminal attacker added their ransomware payment screen to it - http://www.zone-h.org/mirror/id/30823922 .”
Eva Prokofiev, senior threat intelligence analyst at CyberProof, says in an email to SC Media UK: “Ransomware attacks are relatively easy to build and execute and they can have a very good return for threat actors. Any organisation looking to protect their digital assets from ransomware should ensure they are adequately communicating the threat to board members and executives to ensure proper investment in proactive cyber defence, rather than wait for the company to come under attack.”
Mark James, security specialist at ESET, adds: “Ransomware attacks are one of the most talked-about malware forms doing the rounds today. The threat not only causes extreme disruption but in some cases can also mean the loss of personal or private files forever.
Any organisation that opts to pay the ransom should understand that their money could end up funding further illegal illicit services or products, and because you have let the attackers know you are willing to pay, you are also highly likely to receive further attacks.
Offline or hardware point-in-time backups are the only 100 percent way to recover from a ransomware attack. Yes, you might get your files back if you pay the ransom, and yes, you might be lucky enough to win the lottery tonight, but sadly the odds are not in your favour.”
James Brown, global vice president, technology solutions at Alert Logic, echoes the same theme, noting: “Websites continue to be the soft underbelly of any entity on the internet. Luckily, in this case, it is an attack against the energy ministry website rather than an attack against the energy grid itself. However, it does raise the issue that even high-profile government ministries can be targeted. Ransomware was very much in the press over the last two years; however, we are seeing a move away from ransomware to cryptocurrency mining, which is proving to be more profitable for criminals than trying to extort money by encrypting files. However, it is a high-profile embarrassment for a government department to be caught out like this.”