Reports are emerging today that Media Prima Berhad, a public-listed Media powerhouse in Malaysia has had its systems locked out by a ransomware attack.
The report, quoting an inside source by the Edge Financial Daily claims that “the whole Media Prima group’s computer systems have been breached and infected with a ransomware over the last four days.” The report did not state the type of ransomware involved.
The report further states that the attackers have demanded 1,000 bitcoins (equivalent to around RM27.04 million or US$6.45 million) to release the affected systems. Media Prima has reportedly said that they will not pay the ransom, claiming that ‘only’ their email systems were affected, and they have already since migrated to Google’s GSuite mail which runs independent of their local machines.
However, like almost all ransomware attacks in the past, once compromised, the entire system is encrypted and locked out until the ransom is paid. The biggest loss, from a Ransomware attack is usually data and files stored on the individual computers. Rarely does a ransomware attack lead to a data breach.
There is also usually a timer attached to the Ransomware lock that ticks down to when the files becomes lost forever – when the Ransomware starts destroying all the keys required for decryption. Aside from offsite backups, there is virtually no alternatives available today to recover the files without paying the ransom – and once the keys are destroyed, the files are gone forever.
Based on the little information currently available, the Media Prima attack seems to be a targeted attack, and not just a simple random ransomware that found its way into their systems. First and foremost, Media Prima has confirmed that they have migrated to Google’s GSuite email system, which in itself does extensive scanning for known and also unknown malware and ransomware attachments. This would rule out the possibility of an employee accidentally opening a payload carrying attachment by mistake.
Secondly, the 1,000 bitcoin figure is a huge figure to be associated with the usual modus operandi of known ransomware creators. It is very likely that the ransomware was specifically engineered and targeted at a large organization like Media Prima. This would again point to an attack vector that either had access to the physical network, or was able to socially engineer an employee to deploy the payload from within the Media Prima network.
We are still waiting for an official statement from Media Prima Berhad on this issue.