Ransomware attack targets cybersecurity company Cygilant

7 Sep 2020


Cygilant confirmed it was subject to a ransomware attack and is now working with third-party forensic investigators and law enforcement.

Cygilant, a threat detection and cybersecurity business with offices in Boston and Belfast, has confirmed that it was subject to a ransomware attack.

In a statement to TechCrunch, Cygilant’s chief financial officer, Christina Lattuca, said: “Our cyber defence and response centre team took immediate and decisive action to stop the progression of the attack. We are working closely with third-party forensic investigators and law enforcement to understand the full nature of the attack.”

Lattuca said that the company is “committed to the ongoing security” of its network and to continuously strengthening all aspects of its security programme. The company did not confirm whether it has paid the ransom.

Cygilant recently opened a security operations centre in Belfast, with plans to create 65 new jobs and an information security team responsible for monitoring, analysing and responding to cybersecurity incidents on customers’ behalf. The company employs more than 100 people globally and its cybersecurity work focuses on sectors such as finance, education, healthcare and retail.

NetWalker ransomware

Brett Callow, a ransomware expert and threat analyst from Emsisoft, suggested that the cyberattack was caused by NetWalker ransomware, which can be rented by threat groups through a ransomware-as-a-service (RaaS) model on the dark web. The file-encrypting malware scrambles a target’s files and exfiltrates the data to the hacker’s servers.

According to McAfee, this type of ransomware first appeared in August last year but has seen a “strong uptick” in use in recent months. It added that the group behind NetWalker is similar to those behind Maze and REvil ransomware, in that it threatens to publish victims’ data if ransoms are not paid.

McAfee said NetWalker RaaS “prioritises quality over quantity” and is looking for Russian-speaking internet users who have experience with large networks. “People who already have a foothold in a potential victim’s network and can exfiltrate data with ease are especially sought after. This is not surprising, considering that publishing a victim’s data is part of NetWalker’s model.”

Screenshots of what are believed to be Cygilant’s internal network files and directories have reportedly appeared on the dark web site associated with the NetWalker group. At the time of TechCrunch’s report, the files had been deleted, which, according to Callow, often happens when a company has agreed to pay a ransom or negotiate with hackers.

Kelly Earley was a journalist with Silicon Republic
