HACK ATTACK

SHUT DOWN: Online hackers have brought operations at Tatil Life Insurance, whose head office is on Maraval Road, to a screeching halt. - SUREASH CHOLAI

THE CARIBBEAN’S biggest conglomerate, Ansa McAl, is the victim of ransomware hackers holding some of the company’s IT systems hostage.

Newsday understands that work at Tatil, the country’s biggest insurer, has been effectively stalled for about two weeks as the IT department works to find and expel the ransomware from the company’s servers. If not, the company may have to pay the hackers’ ransom in order to free its data. In a statement late Tuesday evening, Ansa McAl said businesses were once again operational following a “security incident.”

It is unclear exactly what data and systems were compromised, but Newsday was told whatever was attacked is “very important (mission-critical) data that is crucial to Ansa’s operations.” Clients’ personal data was not compromised, Newsday was told.

In a tweet last Thursday, American cybersecurity specialist and ransomware recovery and prevention expert Eric Taylor (@ITSimplife) first noted the Ansa McAl attack. REvil, a criminal cybergang, has claimed responsibility.

The group says it has “numerous financial documentation, agreements, invoices, reports.” A screenshot of the hacked haul reveals a count of 17,000 documents. The group threatened, in the post that confirmed the hack, to release the confidential documents to a public server.

Newsday spoke with multiple sources in the Ansa McAl group, including Tatil, and was told that Japanese tech giant Hitachi has been retained to help with restoring the system.

Hitachi is scanning the system, Newsday was told, and staff have been advised not to do anything on the system until Hitachi gives the all-clear. Staff have been telling customers coming in with queries about claims that their server is down. Staff are unable to access any applications linked to the server and have been restricted basically to checking e-mail. “We are only now beginning to realise how serious it is,” said one person who did not work in the IT department.

BARBADOS ORIGINS

The attack apparently began at Ansa’s operations in Barbados, specifically, the automotive sector. Berger Barbados was also affected. Newsday was told a ransom was paid in some of the Barbados instances, but was not told how much.

In a release on Saturday, Ansa McAl Barbados said it can confirm that some of its IT systems in Barbados “were down due to a security incident.

“As a precautionary measure, some of our services to customers and clients are unavailable. As we carefully work through the restoration process, we are taking prudent and measured steps to ensure the integrity of our systems. Our teams continue to work on this incident and towards returning services to our clients as our highest priority,” the statement said.

Newsday contacted Ansa McAl’s group corporate communications office in Trinidad for a response specifically to the local incident. In a statement e-mailed Tuesday evening, the company acknowledged there was a “security incident” relating to its IT systems.

“We would like to inform that some of our companies’ IT systems in Barbados were recently affected by a security incident. This issue also impacted Tatil and Tatil Life in Trinidad. Since then, our local IT teams, with the support of international resources have taken prudent and measured steps to ensure the integrity of our systems.

“Although there has been some moderate disruption in service, customers continue to be served at Tatil’s head office (in Port of Spain) and all branch locations. We expect the situation to be normalised over the next few days. We take the security of our IT systems extremely seriously and regret any inconvenience to our stakeholders.”

COPS: THREAT NOT SERIOUS

Newsday also spoke with police sources to find out if the cyberattack had been reported to the Cybercrime Unit. One police contact in the Fraud Squad said when he asked about it, he was told a report had been made, but it was not considered “serious.”

“(Senior police) said they heard something along those lines of a cyberattack, but Cybercrime and Special Branch were handling it. They don’t know if it was a true threat, meaning that sometimes (if) a questionable software or occurrence happens in (a financial institution), (the institution) informs the police. A lot of the times, it doesn’t turn out to be a credible threat, it’s just something strange and it’s dealt with.”

The police officer said in terms of its being a cyberattack, he also didn’t think it was serious, because those are usually forwarded to his unit (Fraud Squad), but this one wasn’t.

“If there was an attack, it must have been very minimal, and more so the fact that we didn’t hear about it means it wasn’t anything substantial.”

RANSOMWARE

Ransomware, according to cybersecurity software company McAfee, is a type of malware (malicious software) that uses encryption to hold an individual or organisation’s information at ransom.

Critical data is encrypted so the victim cannot access files, databases, or applications. A ransom is then demanded to provide access. Ransomware is often designed to spread across a network and target database and file servers, and can thus quickly paralyse an entire organisation, McAfee said.

It is a growing threat, generating billions of dollars in payments to cybercriminals and inflicting significant damage and expenses for businesses and governmental organisations.

Ransomware can be spread through phishing (scammer) e-mails and social media networks, including instant message applications, which can contain malicious attachments that infiltrate computer systems when they are downloaded and installed without the user being any wiser. It is difficult to purge. Systems, in most cases, may need to be wiped and rebuilt and data restored from a known, clean copy. REvil, also called Sodinokibi, the ransomware group, has been operating since June 2020.
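The McAfee description above says ransomware encrypts files in bulk and spreads across a network, which is also what makes it detectable: a single process rewriting many files in a short time, renaming them to a new extension, and writing data that looks like ciphertext. The following Python script is an added illustration of that detection idea, written for this article; it is not code from Newsday, McAfee, Hitachi or Ansa McAl. The log format, the process names, the thresholds (window of 60 seconds, 10 writes, 7.0 bits per byte, 80 per cent renames) and the sample events are all constructed for the example.

```python
"""Flag ransomware-like file activity in a constructed file-write event log.

Each log line (a made-up format for this example) is:
    timestamp_seconds,process_name,old_path,new_path,hex_of_bytes_written
"""
import math
from collections import defaultdict

# Thresholds are assumptions chosen for the example, not values from any product.
WINDOW_SECONDS = 60      # look at writes by one process inside a 60 s window
MIN_WRITES = 10          # fewer writes than this is normal editing, not mass encryption
HIGH_ENTROPY = 7.0       # bits per byte; plain documents sit well below, ciphertext near 8
MIN_RENAME_RATIO = 0.8   # share of writes that also changed the file extension


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant byte, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_event(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, proc, old, new, hexpayload = line.split(",", 4)
    return {"ts": int(ts), "process": proc, "old": old, "new": new,
            "payload": bytes.fromhex(hexpayload)}


def extension_changed(old_path: str, new_path: str) -> bool:
    """True when the write also changed the file's extension (e.g. .docx -> .locked)."""
    return old_path.rsplit(".", 1)[-1].lower() != new_path.rsplit(".", 1)[-1].lower()


def detect(lines) -> dict:
    """Return {process: summary} for processes whose writes look like mass encryption."""
    by_proc = defaultdict(list)
    for line in lines:
        if line.strip():
            event = parse_event(line)
            by_proc[event["process"]].append(event)

    alerts = {}
    for proc, events in by_proc.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than WINDOW_SECONDS.
            while events[end]["ts"] - events[start]["ts"] > WINDOW_SECONDS:
                start += 1
            window = events[start:end + 1]
            if len(window) < MIN_WRITES:
                continue
            rename_ratio = sum(extension_changed(e["old"], e["new"]) for e in window) / len(window)
            mean_entropy = sum(shannon_entropy(e["payload"]) for e in window) / len(window)
            if rename_ratio >= MIN_RENAME_RATIO and mean_entropy >= HIGH_ENTROPY:
                alerts[proc] = {"writes": len(window),
                                "rename_ratio": rename_ratio,
                                "mean_entropy": round(mean_entropy, 2)}
                break  # one alert per process is enough for this example
    return alerts


# Constructed sample data: one "encrypting" process plus two benign ones.
CIPHER_LIKE = bytes(range(256))  # every byte value once: entropy is exactly 8.0 bits/byte
TEXT_LIKE = b"Quarterly claims report for the Port of Spain branch, 2021.\n"

SAMPLE_LOG = (
    # 12 writes in 22 seconds, each renaming .docx to .docx.locked with ciphertext-like bytes
    [f"{1000 + i * 2},unknown_binary.exe,C:/Claims/report{i}.docx,"
     f"C:/Claims/report{i}.docx.locked,{CIPHER_LIKE.hex()}" for i in range(12)]
    # a word processor saving a few documents in place, slowly
    + [f"{1000 + i * 20},WINWORD.EXE,C:/Claims/memo{i}.docx,"
       f"C:/Claims/memo{i}.docx,{TEXT_LIKE.hex()}" for i in range(3)]
    # a backup agent copying many files quickly, but neither renaming nor encrypting them
    + [f"{1000 + i},backup_agent,C:/Claims/policy{i}.pdf,"
       f"D:/Backup/policy{i}.pdf,{TEXT_LIKE.hex()}" for i in range(15)]
)

if __name__ == "__main__":
    for proc, summary in detect(SAMPLE_LOG).items():
        print(f"ALERT {proc}: {summary}")
```

Only unknown_binary.exe is flagged: the backup agent writes just as many files just as fast, but keeps extensions and writes readable data, and the word processor is far below the write threshold. Volume alone is a poor signal; combining it with rename ratio and entropy is what separates a backup job from a file-encrypting process. In a real deployment the same three features would come from file-system auditing or an EDR agent rather than a text log.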

– With reporting by Shane Superville and Mark Lyndersay
