Ransomware gang Maze reportedly stole sensitive data from the US branch of an integrated engineering group that works with various governments.
ST Engineering Aerospace’s US subsidiary suffered a ransomware attack that managed to extract about 1.5TB of sensitive data from the firm and its partners.
According to an article published by The Straits Times on June 6, the Singapore-based company was allegedly attacked by the well-known ransomware gang Maze in March, citing an analysis by cybersecurity firm, Cyfirma.
The report details that the data stolen by the criminals relates to contracts with various governments, organizations, and airlines across the globe. No additional details were provided on its content.
Undetectable by common antivirus software
Cointelegraph had access to an internal memo issued on March 3 by ST Engineering Aerospace, detailing the VT San Antonio Aerospace as the site of a “ransomware infection.”
The memo detailed that McAfee and Windows Defender did not initially identify the ransomware attack. Staff managed to detect the problem by noticing the renamed files and the associated “DECRYPT-FILES.txt” note left in the same folder as the encrypted files.
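The two indicators the memo describes, a ransom note dropped beside the encrypted files and files that have been renamed, are exactly what a simple file-system sweep can look for when endpoint antivirus has missed the activity. The script below is an added example written for this article; it is not code from the original report, from ST Engineering or from Cyfirma. It walks a directory tree, flags any file named “DECRYPT-FILES.txt” (the note name quoted above), and flags directories holding several files whose contents look like ciphertext (Shannon entropy close to 8 bits per byte). The “.locked” extension, the folder names, the 7.5-bit threshold and the sample files are all constructed for the demonstration; real ransomware families use many different note names and extensions, so in production the name list would be maintained from threat intelligence.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Ransom-note filename quoted in the memo above; extend from threat intel in practice.
RANSOM_NOTE_NAMES = {"DECRYPT-FILES.txt"}
# Assumed threshold: encrypted or compressed data sits near 8 bits of entropy per byte.
ENTROPY_THRESHOLD = 7.5
# Assumed minimum number of high-entropy files in one folder before it is flagged.
MIN_SUSPECT_FILES = 3


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_tree(root: str, sample_bytes: int = 4096) -> dict:
    """Walk `root` and report ransom notes and clusters of high-entropy files.

    Returns {"ransom_notes": [paths], "suspect_dirs": {dir: [file paths]}}.
    Only the first `sample_bytes` of each file are read, which keeps the
    sweep cheap on large shares.
    """
    notes = []
    suspect_dirs = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        high_entropy = []
        for name in filenames:
            path = Path(dirpath) / name
            if name in RANSOM_NOTE_NAMES:
                notes.append(str(path))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            # Very small files give unreliable entropy estimates, so ignore them.
            if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                high_entropy.append(str(path))
        if len(high_entropy) >= MIN_SUSPECT_FILES:
            suspect_dirs[dirpath] = sorted(high_entropy)
    return {"ransom_notes": sorted(notes), "suspect_dirs": suspect_dirs}


def build_sample_tree() -> str:
    """Create a constructed sample tree: one folder of 'encrypted' files next to a
    ransom note, and one folder of ordinary text files that must not be flagged."""
    base = tempfile.mkdtemp(prefix="rw-demo-")
    hit = Path(base) / "shared" / "contracts"
    clean = Path(base) / "shared" / "docs"
    hit.mkdir(parents=True)
    clean.mkdir(parents=True)
    for i in range(4):
        # os.urandom stands in for ciphertext; the added extension mimics renaming.
        (hit / f"contract{i}.docx.locked").write_bytes(os.urandom(2048))
    (hit / "DECRYPT-FILES.txt").write_text("constructed placeholder ransom note\n")
    for i in range(4):
        (clean / f"memo{i}.txt").write_text(f"meeting notes line {i}\n" * 50)
    return base


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    for note in report["ransom_notes"]:
        print("ransom note:", note)
    for folder, files in report["suspect_dirs"].items():
        print(f"suspect folder {folder}: {len(files)} high-entropy files")
```

Entropy alone produces false positives on legitimately compressed or encrypted content (archives, media, PDF streams), which is why the sweep requires several such files in one folder and pairs the signal with the ransom-note check; an alert from either indicator is a cue to isolate the host and pull the file-creation timeline, not proof on its own.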
Ed Onwe, vice-president and general manager at VT San Antonio Aerospace, said the following to The Straits Times:
“Our ongoing investigation indicates that the threat has been contained, and we believe it to be isolated to a limited number of ST Engineering’s US commercial operations. Currently, our business continues to be operational.”
Cyfirma also stated that some of the stolen data contained information on contracts with the governments of countries such as Peru and Argentina, and with agencies such as NASA.
Companies need to rebuild their networks
Speaking with Cointelegraph, Brett Callow, threat analyst at malware lab Emsisoft, commented the following after the attack on the Singapore-based company:
“Ransomware groups often leave backdoors which, if not remediated, can provide continued access to a network and enable a second attack. This is one of the reasons we always recommend that companies rebuild their networks after an incident as opposed to simply decrypting their data.”
Cointelegraph reported on June 6 about a ransomware attack by DoppelPaymer which managed to breach the network of the Maryland-based Digital Management Inc, or DMI — a company which provides IT and cyber-security services to several Fortune 100 companies and government agencies such as NASA.
Another ransomware gang, NetWalker, claimed to have stolen sensitive data, including student names, social security numbers, and financial information from three US universities.