French telecommunications company Orange has confirmed that it suffered a ransomware attack this month in which hackers accessed the data of 20 enterprise customers stored on a targeted server.
The ransomware attack on Orange first came to light when hackers using the Nefilim Ransomware announced on their website that they had gained access to data belonging to Orange through the company's "Orange Business Solutions" division.
When contacted, Orange confirmed to Bleeping Computer that it had indeed suffered a ransomware attack on the night of 4th July that compromised an internal IT platform dubbed "Le Forfait Informatique". The platform hosted data associated with around twenty SME customers, and hackers were able to access the data. However, no other internal servers were affected.
"A cryptovirus-type computer attack was detected by Orange teams during the night of Saturday 04 July to Sunday 05 July 2020. Orange teams were immediately mobilised to identify the origin of this attack and have put in place all necessary solutions required to ensure the security of our systems.
"According to initial analysis by security experts, this attack has concerned data hosted on one of our Neocles IT platforms, "Le Forfait informatique", and no other service has been affected. However, this attack seems to have allowed hackers to access the data of around 20 PRO / SME customers hosted on the platform.
"Affected customers have already been informed by Orange teams and Orange continues to monitor and investigate this breach. Orange apologises for the inconvenience caused," the company said. It is not clear if hackers have demanded a ransom from Orange yet.
Organisations must put in place controls to prevent ransomware attacks
Commenting on the ransomware attack targeting Orange, Javvad Malik, Security Awareness Advocate at KnowBe4, says that the attack highlights the ongoing move by criminals to exfiltrate data as part and parcel of a ransomware campaign.
"Therefore, it makes it even more essential that organisations put in place controls to prevent the attack from being successful, as even if they have backups from which they can restore, this won't bring back data that has been stolen.
"As part of this, organisations should implement a layered defensive strategy, in particular against credential stuffing, exploitation of unpatched systems, and phishing emails which are the main source of ransomware. This includes having technical controls, the right procedures, and ensuring staff have relevant and timely security awareness and training," he adds.
According to security firm Trend Micro, the Nefilim ransomware that was used to target Orange was discovered in March this year and is most likely distributed through exposed Remote Desktop Protocol (RDP).
In a report, the firm said that Nefilim uses AES-128 encryption to encrypt victims' files and that its code is very similar to that of the Nemty 2.5 ransomware, except that Nefilim does not feature the Ransomware-as-a-Service (RaaS) component. The ransomware is also capable of managing payments via email communication rather than through a Tor payment site, and files encrypted by it can only be decrypted by using an RSA private key.