Ransomware attack targets Israeli branch of Ness digital company

Ness has worked for over two decades to help organizations "develop and integrate the software products and digital platforms they rely on to lead their markets," according to the company's website.

The company formed in Israel following the merger of six Israeli IT companies.

The digital solutions company has worked with the IDF, Israel Aerospace Industries, Israel Post, the Israel Airport Authority and the Hebrew University, among other companies and government bodies.

According to Meyron, over 150 servers in Israel and about 1,000 servers outside of Israel are being scanned by McAfee in light of the attack. The managers of the company's India branch have reportedly begun managing the incident and have brought their insurer, AIG, into the picture.

A screenshot of the message displayed as part of the attack reads "Hello ness-digital-engineering! If you (sic) reading this message, it means your network was PENETRATED and all of your files and data has (sic) been ENCRYPTED by RAGNAR LOCKER!" The message instructs the company to contact a live chat provided in the message to resolve the case and "make a deal."

In November, the FBI warned that Ragnar Locker ransomware has been used against an increasing list of victims since it was first observed by the FBI in April 2020. The ransomware actors first obtain access to a victim's network and perform reconnaissance to locate network resources, backups and other sensitive files and manually deploy the ransomware and encrypt the victim's data, according to the FBI report.

The ransomware does not encrypt data if the victim's locale is found to be Azerbaijani, Armenian, Belorussian, Kazakh, Kyrgyz, Moldavian, Tajik, Russian, Turkmen, Uzbek, Ukrainian or Georgian, according to the FBI report.

Companies targeted by the ransomware include the Capcom gaming company and the Italian beverage company Campari Group. The hacking group behind Ragnar Locker has even taken out Facebook ads through hacked accounts in order to publicize their ransom attacks.

The FBI advised companies to back-up critical data offline and securely, install and regularly update anti-virus or anti-malware software, use multi-factor authentication and keep devices patched and up-to-date, among other measures.

Meyron stressed that cyber insurance is "a necessary tool in any assessment plan, but only after real assessments have been made and the organization understands and knows what it will need to do, depending on which triggers and schedules, to activate the playbook and respond correctly and effectively to the attack."

The cybersecurity consultant explained that insurance policies are rarely precisely tailored to the needs of the company and added that in the attack on Ness, the incident managers in India were reporting a delayed response from AIG due to the different time zones involved in the incident.

"The event that is currently underway illustrates the real challenge of managing a cyber event," Meyron said. "The rate of spread is so fast. We know today that ransomware attacks can encrypt thousands of workstations in just a few hours and that does not even include the threat of disseminating the information itself, other misuse and other business, financial and legal damages yet to come."

The attack comes after a series of cyberattacks on Israeli businesses and institutions, including Israel Aerospace Industries, the Shirbit insurance company, Ben-Gurion University and the Amital software company.

The National Cyber Directorate reported that it handled more than 11,000 inquiries on its 119 hotline in 2020, some 30% more than it handled in 2019. The directorate made about 5,000 requests to entities to handle vulnerabilities exposing them to attacks and was in contact with about 1,400 entities concerning attempted or successful attacks.