The parent company of The Weather Network says it didn’t give in to the demands of a ransomware gang after the company that provides weather services to Canada and Spain had servers encrypted and data stolen and posted online last month.
“You should know that we did not yield to the ransom demands,” Pelmorex CEO Nana Banerjee said in a statement Tuesday. “Instead we relied on the enterprise and dedication of our people. as well as the understanding, patience and encouragement of our users and audiences to overcome the situation.”
“Our team of engineers are hard at work fixing some small remaining glitches and introducing exciting new features, which are to unfold over the next couple of weeks.”
Pelmorex runs the English-language The Weather Network, the French language MétéoMédia and ElTiempo.es platforms.
On September 11, the company was “impacted by a cybersecurity incident connected to a third-party software provider,” it said in a statement at the time. Later it acknowledged this was a ransomware attack. On September 22, the LockBit ransomware gang listed Pelmorex as one of its victims, claiming it had downloaded “a lot of databases.” It gave the company until September 24 to pay a ransom, or the stolen data would be released.
Karen Kheder, Pelmorex’s director of communications and administration, told The Globe and Mail that the only stolen data posted by the gang was publicly available information such as weather alerts and archived forecasts.
Organizations around the world are being hit by ransomware at a record rate this year, and often pay up because they are unprepared. According to a just-released survey of 500 Canadian managers responsible for IT security, 70 per cent of respondents whose firms were hit by ransomware in the past 12 months paid to get access back to their data.
Among the recent victims
— the Philippine Health Insurance Corporation (PhilHealth), hit on September 22. On Tuesday, a government official said the attackers have begun exposing data — including details on employees — after failing to get ransom money from the government;
— Motel One, one of Europe’s largest hotel chains.
Meanwhile, Swiss cybersecurity company Prodaft warned that ransomware groups are starting to exploit a newly-discovered vulnerability in servers running JetBrains’ TeamCity, a continuous integration and deployment tool used by developers. The vulnerability, CVE-2023-42793, allows unauthenticated attackers to execute arbitrary code on the TeamCity server according to researchers at SonarSource.
The number of successful attacks in the U.S. is so concerning that last week the FBI released a Private Industry Notification urging organizations to tighten their IT security controls.
Among the new trends spotted by the agency: Multiple ransomware attacks on the same victim close to each other. During these attacks, two different ransomware variants are deployed. “This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments,” the FBI notice said. “Second ransomware attacks against an already compromised system could significantly harm victim entities.”
In the past 18 months, multiple ransomware groups have increased the use of custom data theft, wiper tools, and malware to pressure victims to negotiate, the notice adds. In some cases, new code was added to known data theft tools to prevent detection. In other cases, malware containing data wipers remained dormant in an IT system until a set time, then executed to corrupt data in alternating intervals.
The FBI urges IT teams to:
— make sure data backups are encrypted and can’t be tampered with as protection against theft;
— review the security posture of third-party suppliers;
— limit data access to only those employees who need it;
— require all accounts with password logins to have phishing-resistant multifactor authentication;
— segment networks to prevent the spread of ransomware;
— and patch applications as soon as security updates are released.