Suspected ransomware: "Cyber attack" on the Madsack publishing group
According to its own statements, the Madsack publishing group is fighting the consequences of a "cyber attack". A report suggests an infection with the ransomware Nefilim.
The Madsack Group publishes, among other things, the two Hanover daily newspapers "HAZ" and "Neue Presse". (Image: Madsack)
Update, 04/23/2021 6:51 pm, by Axel Kannenberg
The Madsack publishing group has apparently been attacked by ransomware. According to a media report, an internal mail from the publisher indicates an infection with the extortion Trojan Nefilim. When asked by heise online, a Madsack spokesman said only that there had been "a cyber attack on the computer systems of the Madsack media group" on Friday.
The publisher has taken countermeasures, but newspaper production for Saturday could be impaired, the spokesman said. Information on the background to the attack is not yet available; all online portals of the publishing group are available as usual.
According to the T-Online report, an internal email from the Gutenberg data center, of which the Madsack Group is a partner, speaks of a "major disruption" that has affected "all locations" and the "entire group of the Madsack media group". One symptom of the disruption is that "Endpoint Protection detects files that have the extension .NEFILIM. These files are infected and encrypted."
"It's a difficult day"
According to the mail, Madsack employees should avoid direct connections to the publisher's network via LAN or VPN. "If necessary, pull the network plug and work via WLAN" is the recommendation to employees in publishing offices. Presumably, separate guest WLANs are meant. Employees should also refrain from exchanging data via Outlook. Computers should be scanned with antivirus programs; the Trojans would be detected and removed.
Another internal mail available to heise online spoke only of "massive network problems" and announced impairments in the delivery of finished pages for newspaper production. It is "a difficult day". A second internal mail, now also available to heise online, is more explicit: employees are informed of a Trojan attack that affects all of the publishing group's locations. They should watch for files ending in .NEFILIM and notify the publisher's IT department if any appear.
Extortion with company secrets
According to an analysis by Trend Micro, the Nefilim Trojan was first noticed in March 2020. According to the analysis, the malware's code base is similar to a version of the Nemty Trojan and, like Nemty, it is often used by criminals who not only want to extort victims by encrypting important data, but also want to extract data from the infected computer. That data is then searched for company secrets and compromising content, which could open up further potential for blackmail through the threat of publication.
According to Trend Micro, the gateway for Nefilim is often inadequately secured use of the RDP remote access protocol. As Bleeping Computer writes, the Trojan encrypts with AES-128 and attaches the extension .NEFILIM to all encrypted files.
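The internal mails ask staff to watch for files ending in .NEFILIM; the following triage sketch is an added example, not code from the article or from Madsack, and it summarises where such files sit on a share and which one carries the earliest modification time (a rough indicator only). The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

MARKER = ".nefilim"  # extension named in the article, matched case-insensitively


def triage(root):
    """Walk root (without following symlinks) and summarise marker files."""
    hits, per_dir, orig_ext, errors = [], Counter(), Counter(), []
    for dirpath, _dirs, filenames in os.walk(root, onerror=errors.append):
        for name in filenames:
            if not name.lower().endswith(MARKER):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(path).st_mtime
            except OSError as exc:  # file vanished or access denied
                errors.append(exc)
                continue
            # Extension of the original file, before the marker was appended.
            original = name[: -len(MARKER)]
            orig_ext[os.path.splitext(original)[1].lower() or "(none)"] += 1
            per_dir[dirpath] += 1
            hits.append((mtime, path))
    hits.sort()
    first = hits[0] if hits else None
    return {
        "count": len(hits),
        "first_seen_utc": datetime.fromtimestamp(first[0], timezone.utc).isoformat() if first else None,
        "first_path": first[1] if first else None,
        "by_directory": dict(per_dir),
        "by_original_ext": dict(orig_ext),
        "errors": len(errors),
    }


def build_sample(root):
    """Constructed sample tree: three renamed files and one untouched file."""
    layout = {"pages/front.pdf.NEFILIM": 1000, "pages/sport.indd.nefilim": 2000,
              "pages/notes.txt": 3000, "mail/archive.pst.NEFILIM": 500}
    for rel, ts in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        os.utime(path, (ts, ts))  # fixed timestamps so the result is repeatable


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```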
Trojans at Funke Group in December
The Madsack media group, headquartered in Hanover, includes daily newspapers in several federal states: "Hannoversche Allgemeine Zeitung", "Neue Presse" in Hanover, "Ostsee-Zeitung", "Lübecker Nachrichten", "Aller-Zeitung", "Schaumburger Nachrichten", "Wolfsburger Allgemeine Zeitung", "Peiner Allgemeine Zeitung", "Göttinger Tageblatt", "Eichsfelder Tageblatt", "Gelnhäuser Neue Zeitung", "Märkische Allgemeine", "Leipziger Volkszeitung", "Dresdner Neueste Nachrichten" and "Naumburger Tageblatt".
It was only in December that the Funke media group, headquartered in Essen, which also has numerous regional newspapers in its portfolio, fell victim to a severe Trojan attack. As a result, newspapers could at times appear only in emergency editions. The company felt the consequences of the attack internally for weeks.