The logo that the IT security company Talos designed for the "BlackCat" hacker group, superimposed on a tourism image of Lake Wörthersee. Image: watson / screenshots: Talos / kaernten.at
The notorious ransomware gang ALPHV, aka "BlackCat", has struck in south-eastern Austria. Those affected, however, do not seem to realize what kind of opponent they are dealing with.
The Austrian state of Carinthia unexpectedly had to “go into emergency operation” on Tuesday. The reason: a ransomware attack on government IT systems.
The attack affected not only the government of the federal state in south-eastern Austria but also the district administrations, the Court of Auditors and the Administrative Court.
The entire telephone system failed, and the internal e-mail system also stopped working. Around 3,900 employees and around 3,000 PC connections were directly affected because all computers were shut down as a precaution.
Leave for employees
The websites were unavailable for days; attempts to reach ktn.gv.at failed. The Carinthian government announced that it would keep the public informed through an independent online service (OTS).
Since the authorities no longer had access to their digital files, administrative work had to be paused. Payments of social assistance benefits and appointments with the authorities were postponed at short notice. Even contact tracing was disrupted by the attack.
State employees were encouraged to take vacation days or use up overtime. They were also not expected to show up for work the day after Ascension Day, but to take a "window day" instead (known in Switzerland as a bridging day).
5 million ransom
Whether the more than 500,000 citizens of Austria's southernmost state will get off lightly remains to be seen, because it is still unclear whether the hackers managed to steal data.
The state government initially said:
"At the moment it is unlikely that data has been stolen or lost, but unfortunately we cannot rule it out."
Gerd Kurath, government spokesman
That is why the responsible data protection authority was informed, according to reports.
On Wednesday, the government spokesman confirmed that the international hacker group "Black Cat" had deposited a ransom note of five million dollars in Bitcoin.
The criminals claimed to have siphoned off or encrypted data. However, no information was found in this regard. And you don't want to pay and there are backups of "all relevant data".
«It will not be paid. The further procedure is now being coordinated with the State Office for the Protection of the Constitution and the police. There is currently no evidence that data has actually been siphoned off from the system."
Gerd Kurath, government spokesman
The problem: the criminals operating under the name "Black Cat" or ALPHV are one of the most dangerous and aggressive ransomware gangs ever. They belong to the "ransomware as a service" (RaaS) category, meaning that they also rent out their hacking tools and the associated infrastructure to third parties for a fee.
Ecuador's capital hacked
Not long ago, Black Cat attacked Quito, the capital of the South American country of Ecuador, and paralyzed the government's IT systems. Online services for the Ecuadorian population were disrupted or unavailable for several weeks. It was a "quiet and non-violent attack," wrote El Comercio, "but it damaged the entire capital."
The cyber attack on Quito happened "at dawn" on a Saturday, as reported by Swissinfo.ch. Just like the attack on the state of Carinthia.
Hackers were “in” for 10 days
The attack was noticed in Carinthia on Tuesday, May 24. According to an initial forensic investigation, however, the first intrusion into the network took place on Saturday, May 14. This means the attackers had ten days to explore someone else's network and pick out attractive targets.
Government spokesman Gerd Kurath answered questions during a live stream on the Internet. Screenshot: watson
According to the media release published by Carinthia on Friday, data had "not been stolen by the hackers from the current perspective". And as of Friday, there were (still) no indications of data being published on the blackmailers' leak site on the dark web.
However, an expert assessment of Black Cat by the IT security company Talos gives cause for concern:
"An important aspect of these attacks is that the attackers take the time to survey the environment and prepare it for a successful and widespread attack before launching the ransomware, with every second of data loss."
ALPHV has also hacked Swissport, among others.