Payment Processing Giant TSYS: Ransomware Incident “Immaterial” to Company — Krebs on Security

Payment card processing giant TSYS suffered a ransomware attack earlier this month. Since then reams of data stolen from the company have been posted online, with the attackers promising to publish more in the coming days. But the company says the malware did not jeopardize card data, and that the incident was limited to administrative areas of its business.



Headquartered in Columbus, Ga., Total System Services Inc. (TSYS) is the third-largest third-party payment processor for financial institutions in North America, and a major processor in Europe.

TSYS provides payment processing services, merchant services and other payment solutions, including prepaid debit cards and payroll cards. In 2019, TSYS was acquired by financial services firm Global Payments Inc. [NYSE:GPN].

On December 8, the cybercriminal gang responsible for deploying the Conti ransomware strain (also known as “Ryuk“) published more than 10 gigabytes of data that it claimed to have removed from TSYS’s networks.

Conti is one of several cybercriminal groups that maintains a blog which publishes data stolen from victims in a bid to force the negotiation of ransom payments. The gang claims the data published so far represents just 15 percent of the information it offloaded from TSYS before detonating its ransomware inside the company.

In a written response to requests for comment, TSYS said the attack did not affect systems that handle payment card processing.

“We experienced a ransomware attack involving systems that support certain corporate back office functions of a legacy TSYS merchant business,” TSYS said. “We immediately contained the suspicious activity and the business is operating normally.”

According to Conti, the “legacy” TSYS business unit hit was Cayan, an entity acquired by TSYS in 2018 that enables payments in physical stores and mobile locations, as well as e-commerce.

Conti claims prepaid card data was compromised, but TSYS says this is not the case.

“Transaction processing is conducted on separate systems, has continued without interruption and no card data was impacted,” the statement continued. “We regret any inconvenience this issue may have caused. This matter is immaterial to the company.”

TSYS declined to say whether it paid any ransom. But according to Fabian Wosar, chief technology officer at computer security firm Emsisoft, Conti typically only publishes data from victims that refuse to negotiate a ransom payment.

Some ransomware groups have shifted to demanding two separate ransom payments; one to secure a digital key that unlocks access to servers and computers held hostage by the ransomware, and a second in return for a promise not to publish or sell any stolen data. However, Conti so far has not adopted the latter tactic, Wosar said.

“Conti almost always does steal data, but we haven’t seen them negotiating for leaks and keys separately,” he explained. “For the negotiations we have seen it has always been one price for everything (keys, deletion of data, no leaks etc.).”

According to a report released last month by the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium aimed at fighting cyber threats, the banking industry remains a primary target of ransomware groups. FS-ISAC said at least eight financial institutions were hit with ransomware attacks in the previous four months. The report notes that by a wide margin, Ryuk continues to be the most prolific ransomware threat targeting financial services firms.