RansomHub Ransomware Hits Timor Telecom, Exfiltrates 18GB Data

Incident Date: August 30, 2024

Overview

Victim: Timor Telecom
Attacker: RansomHub
Location: Díli, Timor-Leste
First Reported: August 30, 2024

RansomHub Ransomware Attack on Timor Telecom

Timor Telecom, the primary telecommunications provider in Timor-Leste, has recently fallen victim to a ransomware attack orchestrated by the RansomHub group. The cybercriminals claim to have exfiltrated 18 GB of sensitive data, marking a significant breach in the company's cybersecurity defenses.

About Timor Telecom

Established in 2002, Timor Telecom, S.A. (TT) is headquartered in Dili and serves as the main telecommunications operator in Timor-Leste. The company offers a range of fixed and mobile services, covering approximately 92% of the population with GSM mobile services. Despite its extensive reach, the company has faced challenges, particularly in providing affordable and reliable internet services, which are primarily delivered through mobile data due to the high costs of fixed-line broadband.

Company Size and Market Position

Timor Telecom employs between 201 and 500 people and has a customer base exceeding 600,000 subscribers. The company was initially formed as part of a consortium led by Portugal Telecom and has played a crucial role in rebuilding the telecommunications infrastructure in Timor-Leste following the 1999 independence crisis. Timor Telecom's significant market presence and its role in the nation's connectivity make it a standout player in the telecommunications sector.

Vulnerabilities and Attack Overview

The attack on Timor Telecom underscores the vulnerabilities inherent in critical infrastructure sectors. The company's reliance on satellite communications for internet services, coupled with high costs and slow response times, may have contributed to its susceptibility to cyber threats. The RansomHub group, known for its aggressive and adaptable ransomware-as-a-service (RaaS) model, exploited these vulnerabilities to infiltrate Timor Telecom's systems.

About RansomHub

RansomHub emerged as a prominent RaaS group in early 2024, quickly establishing itself through a combination of double extortion tactics and a highly efficient affiliate model. The group targets high-value sectors, including healthcare, financial services, and government, leveraging advanced data exfiltration techniques and fast encryption processes. RansomHub affiliates typically use phishing campaigns, vulnerability exploitation, and password spraying to gain initial access to their targets.

Penetration Methods

RansomHub's penetration into Timor Telecom's systems likely involved exploiting unpatched vulnerabilities and employing phishing tactics. The group's ransomware is built to run across platforms, including Windows, Linux, and ESXi, and uses Curve25519 elliptic-curve cryptography to protect keys that are unique to each victim. This approach allows RansomHub to execute multi-phase attacks, including network reconnaissance, privilege escalation, and data exfiltration, before encrypting files.
