HomeTeamNS hit by ransomware attack

And why it has engaged external cybersecurity experts to investigate.


HomeTeamNS was hit by a ransomware attack. What does it mean, and why has it engaged external cybersecurity experts to investigate?

Some servers belonging to HomeTeamNS were affected by a ransomware attack on 25 Feb, which is currently being investigated by third-party cybersecurity experts.

Ransom-what?

Ransomware is computer malware that surreptitiously encrypts files on an infected server. It then demands a ransom in exchange for unlocking the data.

Ransomware isn't new. But it has proved to be a challenging scourge to eradicate. And with growing digitalisation, its impact keeps growing.

Last year, Indonesia's Temporary National Data Centre (PDN) was compromised by a hacking group which infected it with ransomware, paralysing multiple agencies.

Read "The improbable tale of how Indonesia got its data back" here.

Ransomware evolution

Some might argue that with adequate backups, ransomware would not be a problem. But it isn't that simple.

As I wrote last year, cybercriminals can extort a stolen set of data up to 3 times:

  1. Original extortion. Pay or your data is toast.
  2. Double extortion. Pay or we'll publish it online.
  3. Ransomware 3.0. Go after individual victims to threaten the privacy of their data.

Read "Singapore businesses paying off ransomware demands" here.

In this case, the servers are understood to contain data of employees and ex-employees, as well as vehicle details of some members and affiliate members.

So, not too bad.

A thorough investigation

Of course, it doesn't answer the question about how the ransomware got in.

That's what the external cybersecurity experts are there for. To determine how the hackers snuck in, close those holes, and fix all the systems they compromised ("remediation").

Moreover, some hackers are known to plant backdoors or additional malware on compromised servers that can be activated months or years later.

What the external investigators can do will depend heavily on the cybersecurity solutions and log files in place - as well as the skill of the hackers in hiding their tracks.

A forensic reconstruction will determine:

  • Entry point.
  • Attack timeline.
  • Lateral movement.
  • Persistence mechanism.
  • Evidence of data exfiltration.

However, all these will take time.

While it might be better to keep quiet until investigations are concluded, this must be balanced against notifying potential victims whose data might be exposed.

Hence the disclosure today.