Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
A new extortion scam is aimed at website owners and admins all over the world. The scam claims that the victim’s server has been hacked and demands a $2,500 ransom so the data won’t be leaked.
The emails seem to be untargeted, reaching a wide range of targets, from bloggers to government agencies or big corporations.
Details About the Scam
The threat actors behind this scam go by the name Team Montesano and the subject of their emails reads: “Your website, databases and emails has been hacked”.
Then the message gives a warning that if the victim will not pay the ransom a series of actions will take place. The hackers threaten they will leak sensitive information, damage the recipient’s reputation and get the breached site blacklisted for spam.
The complete extortion message is as follows, via BleepingComputer:
FORWARD THIS EMAIL TO THE PERSON WITHIN YOUR COMPANY WHO MAKES THE IMPORTANT DECISIONS
You may have noticed that we are using your company’s server to send this message, we have hacked into your https://www.***.gov site and extracted all of your databases and backed up all of your mailboxes.
How did this happen?
Our team found several vulnerabilities within your website and company computers that we were able to exploit. After finding them, we were able to obtain their database credentials and extract their complete data from their computers, from their site and copies of all emails in all their mailboxes with ***.gov domain and finally we moved the information to a foreign server.
What does this mean?
We will systematically go through a series of steps to totally damage your reputation. First, your database will be leaked or sold to the highest bidder to be used for any purpose. Next, emails will be sent to all your customers, suppliers and business partners, stating that all of their information has been sold or leaked and your https://***.gov site was at fault for leaking the information and damaging the reputation of all your customers and providers. Lastly, any links you have indexed in search engines will be de-indexed based on the blackhat techniques we used in the past to de-index our targets, not to mention getting your business on every blacklist in the country.
How do I stop this?
We are willing to forget about destroying the reputation of your site and company for a small fee. The current fee is $2,500 USD in Bitcoins.
Send the amount in Bitcoin to the following address:
3Fyjqj5WutzSVJ8DnKrLgZFEAxVz6Pddn7
Once you have made your payment, we will automatically be informed of it. At the precise moment that you have read this message, you have a period of 72 hours to make the payment, or I guarantee that the reputation of your company will be completely destroyed. The proof that we have access and all your data is that this message has been sent using your company’s servers.
How do I get Bitcoins?
You can easily buy bitcoins through various websites.
What happens if I don’t pay?
If you decide not to pay, we will launch the attack after 72 hours and keep it until you do, there is no countermeasure to this, you will just end up wasting more money trying to find a solution. We will completely destroy your reputation with your customers, your suppliers, your partners, on google and the entire country.
This is not a hoax, do not try to reason or negotiate, we will not read any answers. Once you’ve paid, we’ll stop what we were doing, we’ll destroy all data taken from your site, your databases, your mailboxes, and you’ll never hear from us again.
Keep in mind that the payment with Bitcoin is anonymous and no one will know that you have complied. The time is running.
The two bitcoin addresses used by the cybercriminals are 3Fyjqj5WutzSVJ8DnKrLgZFEAxVz6Pddn7 and 3PmYSqtG5x5bGNrsYUy5DGtu93qNtsaPRH. At this moment the transactions to the first wallet indicate that some victims may have paid the demanded ransom.
What to Do If This Scam Reaches You
As scary as they seem, these emails by themselves are harmless and should be seen as what they are: simple scams. The threat actors are mas-emailing them hoping that some victims will give in and pay the money.
If such an email reaches you, you should simply mark it as spam and delete it. When a bitcoin address is included in the message, always search for it in the Bitcoin Abuse Database. This way, you will discover if that address is involved in any suspicious activity.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, YouTube, and Instagram for more cybersecurity news and topics.
