Over 10,000 employees affected by ransomware; all servers were encrypted due to Citrix vulnerability

Ransomware incidents keep affecting companies across every industry. The most recent victim is Finastra, a major British financial technology firm with more than 10,000 employees that provides software and other services to more than 9,000 companies in 130 countries around the world. According to malware reverse engineering specialists, the company had to take multiple servers offline after detecting a severe encryption malware infection.

The infection was discovered this weekend, while the IT security team was performing routine monitoring of the company’s servers. Although they initially opted to disconnect only the compromised server, Finastra staff took additional steps to prevent the malware from spreading and to carry out an investigation in collaboration with a malware reverse engineering firm.

A statement signed by Tom Kilroy, the company’s chief operating officer, acknowledged the nature of the incident: “It is at this point that we can confirm that the incident is the result of a ransomware attack; there is no evidence to suggest that the information of our customers or employees has been compromised.”

Although it has been just under a full day since the incident was detected, the firm assures that its systems will be completely restored as soon as possible, while monitoring of the situation will continue: “We have a sophisticated security program, we will continue to rigorously evaluate our IT systems to ensure the security of confidential information for all of our customers and employees,” Kilroy concluded.

Finastra did not reveal technical details about the attack, although malware reverse engineering experts from Bad Packets claim that threat actors could have exploited a known vulnerability on Citrix servers. Tracked as CVE-2019-11510, this vulnerability would allow an unauthenticated remote attacker to compromise a vulnerable VPN server, access its resources, and execute arbitrary code. The cybersecurity firm claims to have notified Finastra, although the financial firm has not commented on these reports.

The International Institute of Cyber Security (IICS) says ransomware attacks remain one of the most common practices among cybercriminal groups. Victims of these attacks are advised to visit the No More Ransom platform to check whether a tool exists that can decrypt their systems before considering any payment to the attackers.