Skip to main content

Taiwanese IIoT chip giant Advantech hit by Conti ransomware attack

Advantech, a global leader of industrial automation solutions and embedded modules & systems manufacturing, suffered a Conti ransomware attack this month with hackers demanding 750 BTC (£10,959,463) to decrypt files stolen from the tech manufacturing giant.

The Taiwanese manufacturer of Industrial IoT (IIoT) processors and IoT hardware and software solutions recently admitted to suffering a malicious cyber attack, stating that hackers targeted an Onboard Administrator (OA) server that resulted in the loss of confidential data.

The company’s response arrived after Bleeping Computer accessed a chat log, dated 21st November, in which hackers behind the Conti ransomware attack demanded 750 Bitcoins (nearly £11 million) from Advantech in exchange for not publishing stolen data on the Internet and to delete files they stole from the company.

The hackers have offered to decrypt two files “free of charge” to prove that the ransomware decrypter works and have threatened to publish stolen Advantech data on their website if the company fails to contact them. According to Bleeping Computer, the hackers published 3GB of stolen data on 26th November, five days after they made the first contact after carrying out the ransomware attack.

According to CloudSEK, the Conti ransomware is considered a replacement for Ryuk crypto-malware and is known for fielding advanced capabilities such as fast encryption, anti-analysis, and direct execution.

“Conti has multithreading capabilities – 32 concurrent CPU threads for encryption – which makes it faster. This ransomware abuses Windows Restart Manager functionality by closing applications that lock certain files. Conti then disables Windows services responsible for security, backup, database, email solutions, which allows it to encrypt these files. Conti also allows executing command line arguments to directly encrypt local hard drives, data and network shares, and even specific IP addresses of the threat actors’ choice.

“Once the ransomware takes over, it deletes Windows Shadow Volume copies to prevent recovery of the files on the local system. Conti appends ‘.CONTI’ extension to the encrypted files and leaves a ransom note in each folder. To encrypt the data, the ransomware uses AES-256 encryption key for each file, which is again encrypted with a bundled RSA-4096 public encryption key that is unique for each victim,” the firm said.

Responding to reports about the ransomware attack, an Advantech spokesperson told Bleeping Computer that the company “has implemented countermeasures against the recent malicious cyberattacks” after hackers stole some data after breaching a small number of Advantech servers. Below is the company’s statement:

• “Some data may have been stolen by hackers due to a small number of Advantech servers which were attacked. According to our internal risk evaluation, the stolen data was confidential but only contained low-value documents.
• The attacked OA server has gradually recovered and the important operating systems are all functioning normally.
• At the same time, Advantech has also carried out data preservation and system upgrades related to customer information security and operating systems.
• Some media reported that Advantech was blackmailed, which is in line with the purpose of most general cyberattacks. Advantech will not be commenting on this.

While resolving this incident, Advantech has introduced new detection, protection, and response actions into our cyber security strategies to mitigate risks of future attacks. We hope that our global colleagues, partners, and customers remain patient throughout the recovery period as we overcome this major cyberattack setback.”

ALSO READ: Telecom Argentina suffers ransomware attack; told to pay £5.8m to recover files


All rights reserved Teiss Recruitment Ltd.