Advantech, the industrial computing and IoT hardware manufacturer, has confirmed that it received a ransom note from the Conti ransomware operation on Nov. 26 demanding 750 Bitcoin (about $14 million at the time) to decrypt the encrypted files and delete the data the attackers stole.
To show Advantech they were not bluffing, the attackers published a file listing from a stolen .zip archive on their leak site. The ransom note claimed that the 3.03GB of data posted there amounted to about 2 percent of the total data taken from Advantech.
Advantech specializes in internet-of-things (IoT) intelligent systems, Industry 4.0, machine automation, embedded computing, embedded systems, transportation and more.
A statement provided to Bleeping Computer on behalf of Advantech acknowledged the attack and said “the stolen data was confidential but only contained low-value documents.” The statement added that the company is recovering and “functioning normally,” and will not be commenting on whether the ransom was paid.
The first line of defense is a regular, smart backup strategy, according to Shawn Smith, DevOps engineer at nVisium.
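A "smart" backup strategy is one whose restores are actually checked, not just scheduled. The following is an added illustration, not code from the article or from any of the people quoted in it: it records a SHA-256 manifest of a clean data set at backup time and later compares the stored or restored tree against that manifest, reporting files whose content changed (what ransomware encryption looks like), files that vanished, and files that appeared out of nowhere (such as a dropped ransom note). The directory layout, file names and the `demo()` scenario are constructed for the example.

```python
"""Backup manifest and integrity check (added example, not from the article)."""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (path relative to root, POSIX form) to its digest.

    Store this manifest with the backup, ideally on the same offline or
    immutable medium, so it cannot be rewritten along with the data.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a stored or freshly restored tree against a trusted manifest.

    ok:         content matches the manifest
    modified:   content differs (encrypted or tampered files land here)
    missing:    listed in the manifest but absent from the tree
    unexpected: present in the tree but never backed up (e.g. ransom notes)
    """
    current = build_manifest(root)
    return {
        "ok": sorted(k for k in manifest if current.get(k) == manifest[k]),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a clean tree, then simulate a ransomware hit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "design.txt").write_bytes(b"low-value document\n")
        (root / "docs" / "bom.csv").write_bytes(b"part,qty\nA1,10\n")
        manifest = build_manifest(root)  # taken while the data is known good

        # Simulated attack: one file overwritten with ciphertext-like bytes,
        # one deleted, and a ransom note dropped at the top level.
        (root / "docs" / "design.txt").write_bytes(os.urandom(64))
        (root / "docs" / "bom.csv").unlink()
        (root / "readme_to_decrypt.txt").write_bytes(b"pay 750 BTC\n")

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:10s} {files}")
```

Run the verification against a test restore on a regular schedule, not only after an incident; a backup that has never been restored and compared is an assumption, not a control. Keeping the manifest off the production network matters as much as keeping the backup there, since an attacker who can rewrite both leaves nothing to compare against.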
Besides regular data backups, basics like security awareness training, patching and antivirus protection are all key, according to Daniel Norman, senior solutions analyst at the Information Security Forum. He also recommended that organizations train for ransomware response.
“Organizations should have an incident-response or crisis-management plan for ransomware events, knowing who to contact and what to do,” Norman advised. “This should be regularly rehearsed so that if ransomware hits, the organization can recover swiftly.”
Those preparations are sound, but what about companies caught without either a backup or a plan? For them it comes down to which costs more: recovery or the ransom.
“Payment of a ransom is also a contentious discussion – in many cases the ransom may be cheaper than replacing a suite of locked devices,” Norman said. “Therefore, it becomes a cost-decision. However, you can never trust that the attacker will unlock the devices, so it remains a grey area.”