Chilean telecom GTD reports ransomware attack by the Rorschach gang

Chile's telecommunications company, Grupo GTD, has reported that it was the victim of a cyberattack that affected its Infrastructure as a Service (IaaS) platform, causing disruptions to various online services. The company experienced outages in its data centers, internet access, and Voice-over-IP (VoIP) services following the attack.

Grupo GTD revealed that the adverse effects were confined mainly to their IaaS platform and a few shared services, such as IP telephony, VPNs, and the OTT television system. As a precautionary measure, the company temporarily severed its IaaS platform's internet connection.

Chile’s Computer Security Incident Response Team (CSIRT) later verified that the disruptions at GTD were the result of a ransomware attack. While the CSIRT remained silent on the identity of the cybercriminal group behind the attack, the perpetrators have been identified as the Rorschach ransomware gang.

CSIRT shared several Indicators of Compromise (IOCs) associated with the attack, warning that the ransomware is hidden in certain DLLs and that legitimate security software executables were abused during the attack.

The IOCs CSIRT shared for the attack on GTD are listed below. u.exe and d.exe are legitimate TrendMicro and BitDefender executables used as execution vectors in the attack, while the DLLs contain the malware itself.

SHA256                                                            File Name     Description
58c20b0602b2e0e6822d415b5e8b53c348727d8e145b1c096a6e46812c0f0cbc  log.dll       DLL Ransomware
5822b7c0b07385299ce72788fd058ccadc5ba926e6e9d73e297c1320feebe33f  TmDbgLog.dll  DLL Ransomware
43a3fd549edbdf0acc6f00e5ceaa54c086ef048593bfbb9a5793f52a7cc57d1c  u.exe         Execution Vector (TrendMicro AirSupport)
3476f0e0a4bd9f438761d9111bccff7a7d71afdc310f225bfebfb223e58731e6  d.exe         Execution Vector (BitDefender Update Downloader)
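As an added example (not code from CSIRT, GTD, or the original article), the following Python script sweeps a directory tree, hashes every file with SHA-256, and matches the results against the four IOC hashes listed in the table above. It treats a hit on either DLL hash as conclusive, but a hit on u.exe or d.exe only as suspicious, and escalates it when a DLL carrying one of the IOC file names sits in the same directory, since those two binaries are legitimate vendor software and will exist on clean systems too. The scan root and the severity labels are the example's own choices; the demo file it writes is constructed and deliberately does not match any published hash.

```python
"""Match files on disk against the CSIRT-published IOCs for the GTD incident (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Optional

# Hashes exactly as published by Chile's CSIRT (copied from the table above).
RANSOMWARE_DLLS = {
    "58c20b0602b2e0e6822d415b5e8b53c348727d8e145b1c096a6e46812c0f0cbc": "log.dll",
    "5822b7c0b07385299ce72788fd058ccadc5ba926e6e9d73e297c1320feebe33f": "TmDbgLog.dll",
}
EXECUTION_VECTORS = {
    "43a3fd549edbdf0acc6f00e5ceaa54c086ef048593bfbb9a5793f52a7cc57d1c": "u.exe (TrendMicro AirSupport)",
    "3476f0e0a4bd9f438761d9111bccff7a7d71afdc310f225bfebfb223e58731e6": "d.exe (BitDefender Update Downloader)",
}
# Lower-cased IOC DLL names, used to recognise the layout of loader next to payload.
IOC_DLL_NAMES = {name.lower() for name in RANSOMWARE_DLLS.values()}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(digest: str, sibling_names: set[str]) -> Optional[tuple[str, str]]:
    """Return (severity, reason) for one file, or None when it matches no IOC.

    A DLL hash match is conclusive. A match on u.exe/d.exe is not: they are
    legitimate vendor binaries, so they are escalated only when a DLL with one
    of the IOC names is present in the same directory.
    """
    digest = digest.lower()
    if digest in RANSOMWARE_DLLS:
        return ("critical", f"SHA-256 matches CSIRT ransomware DLL {RANSOMWARE_DLLS[digest]}")
    if digest in EXECUTION_VECTORS:
        vector = EXECUTION_VECTORS[digest]
        if {n.lower() for n in sibling_names} & IOC_DLL_NAMES:
            return ("high", f"{vector} co-located with an IOC-named DLL")
        return ("info", f"{vector} present without an IOC DLL beside it; confirm why it is there")
    return None


def scan_tree(root: Path) -> list[dict]:
    """Hash every regular file under root and report IOC matches with directory context."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        siblings = {p.name for p in path.parent.iterdir() if p.is_file() and p != path}
        hit = classify(sha256_of(path), siblings)
        if hit:
            severity, reason = hit
            findings.append({"path": str(path), "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    # Constructed demo: a harmless file that merely borrows an IOC file name.
    # Its hash differs from the published one, so the scan must not report it.
    with tempfile.TemporaryDirectory() as tmp:
        decoy = Path(tmp) / "TmDbgLog.dll"
        decoy.write_bytes(b"not the real payload")
        print("findings:", scan_tree(Path(tmp)))
```

Point `scan_tree` at the directories where the vendor tools are normally installed or where unexpected DLLs would be dropped; a file name alone (a `log.dll` with a different hash) is never reported, because the name is far too common to act on, while the hash-plus-neighbour rule captures the layout CSIRT described without flagging every clean TrendMicro or BitDefender install.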

To ensure security and thwart potential breaches, Chile’s CSIRT has outlined a series of preventive measures for organizations associated with GTD’s IaaS. These include:

  • rigorous antivirus scans,
  • close monitoring of software and server accounts,
  • monitoring of hard drive and CPU load and processing trends,
  • limiting SSH access to servers, and
  • watching for data-leak and unexpected network traffic indicators.