Telstra dealer Schepisi Communications has been knocked offline by a ransomware group that is sustaining a distributed denial of service (DDoS) attack against its website.
The Melbourne-based business was featured on the Avaddon ransomware group’s dark web leak site this week with the cyber criminals threatening to leak “valuable company documents” if Schepisi does not cough up the ransom.
“We have a large amount of data on mobile devices, tens of thousands of SIM cards and a lot of information for them, financial information, contracts, banking information and much more,” the ransom note said.
“Also remember that data cannot be decrypted without our general decryptor. And your site will be attacked by a DDoS attack.”
Schepisi’s website came back online on Wednesday afternoon. The company has not responded to Information Age’s requests for comment.
Featured on the leak site are images of internal documents including a spreadsheet listing phone numbers and their associated identifiers, like SIM and IMEI numbers, for enterprise customers such as Bunnings, Yamaha Australia, and Wesfarmers.
A Telstra spokesperson said the attack was isolated to Schepisi’s systems and should not affect Telstra customers.
“We are getting more information but don't believe any sensitive personal information was included,” Telstra said.
“Our specialist cyber security team are working closely with the dealer to help them resolve the issue.
“We employ strict guidelines for how our partners access and store customer data. No Telstra systems were breached as part of this attack.”
Schepisi was hit by the Avaddon ransomware group. Image: supplied
Avaddon strikes again
Schepisi is the third Australian organisation to be hit by Avaddon in recent weeks.
Victorian public high school, Newcomb Secondary College, was targeted by the group last week and still has the ransom warning on Avaddon’s leak site.
The Victorian Department of Education said it has been working with the school to fix the problem and that its early investigations show that files extracted by the extortionists are “not sensitive”.
Newcomb appears to also be suffering the effects of its DDoS attack, with its website currently featuring a banner saying it is a “temporary website set up to give any relevant information about the ransomware attack”.
Global architecture firm Farrells has also been victimised by Avaddon who featured the details about company’s Sydney offices on its leak site.
The company has employed DDoS protection from Cloudfare to mitigate the ongoing attack.
Evolving ransom threats
Matthew Westwood-Hill, principal investigator at Australian security company CyberCX, said Avaddon’s method of shutting down an organisation’s website was designed to force them to engage with the group.
“It’s another way of forcing a pressure point – one that’s very public facing – to bring the victim to the negotiating table,” he said.
“Not only does it impact their network by encrypting and stealing data, but now they are causing disruption in a much more public way.”
Avaddon likely leverages a bot network for its DDoS attacks, using a massive number of hijacked devices to send requests to the target website.
“People can use services like Cloudfare as a layer of protection to help prevent the automated DDoS attack process,” Westwood-Hill said.
“But you sometimes need to be careful. Obviously the threat actor group monitors the DDoS attack and if the victim moves to circumvent it, then the threat actors will see that as some level of a response and may escalate.”
If you find yourself attacked by ransomware, Westwood-Hill said, the important thing is not to panic.
“Victims tend to feel very alone in these situations but you are not alone,” he said.
“A lot of the time you can have the most sophisticated security and network infrastructure and still fall victim because of human error.”