
PrimeXM explains how it dealt with ransomware attacks


The FX technology provider shared the sequence of events regarding the attack on parts of its hosting infrastructure.

PrimeXM has confirmed that parts of its hosting infrastructure were attacked on Thursday, December 9, and that less than 3% of hosted customers had their trading operations impacted.

The FX technology provider refused to negotiate with the attackers and did not respond to any of their demands, the company said in an official statement.

The provider of currency aggregation software, ultra-low-latency connectivity, institutional-grade hosting solutions, MT4/MT5 bridging and white-label solutions has experienced its most vulnerable moment yet.

The company states that it was able to manage the threat, and promises to keep providing updates as soon as possible and to remain transparent about the incident.

According to PrimeXM, the security of its internal systems, including the XCore trading infrastructure, was not compromised or interrupted at any time.

“Finally, we sincerely apologize for any inconvenience this event may have caused our customers. We will continue to increase our internal expertise and work closely with our cybersecurity partners to improve the security of our hosted systems.”

Below is the sequence of events regarding the recent attack:

Thursday 18:50: A customer reports being unable to restart their MT5 History Server.

Thursday 20:40: A customer reports that a ransomware attack on their server was blocked by their antivirus.

Thursday 22:10: Several customers report switching to their failovers after experiencing issues with their primary MT4/MT5 servers following the end-of-day (EOD) restart.

Thursday 22:40: PrimeXM Support escalates to PrimeXM Networks for further investigation.

Thursday 22:50: PrimeXM Networks escalates to PrimeXM Systems for further investigation.

Thursday 23:00: PrimeXM Systems investigates and identifies a ransomware attack by Atom Silo.

Thursday 23:15: PrimeXM Systems deploys an AVAST decryption tool to affected customers, with decryption success rates of between 5% and 20%.

Friday 00:15: PrimeXM Systems identifies that the attack has spread to larger parts of the PrimeXM hosting infrastructure and is spreading to the management systems.

Friday 01:30: PrimeXM identifies that the attack can disrupt clients' live trading (by encrypting essential files) only if the MT4/MT5 servers are down or while they are restarting.

Friday 02:30: PrimeXM issues a statement to all clients informing them of the ongoing attack. PrimeXM advises customers not to restart their MT4/MT5 servers and to verify that their failover infrastructure is operational.

Friday 02:40: PrimeXM attempts to engage various third-party cybersecurity companies.

Friday 05:45: PrimeXM establishes a communication channel with the forensic and malware analyst who developed the core algorithm of the AVAST decryption tool.

Friday 06:10: PrimeXM establishes a communication channel with the cybersecurity company QSecure.

Friday 06:40: QSecure engages Deloitte Cyber Forensics.

Friday 08:00: PrimeXM calls customers, and continues to do so throughout the day, to make sure they are aware of the statement sent earlier at around 02:30.

Friday 08:00: PrimeXM identifies and disables the attacker's entry point: a compromised web interface of the Zabbix monitoring system.

Friday 10:30: QSecure, in collaboration with Deloitte Cyber Forensics, joins PrimeXM engineers on site and begins analyzing the ransomware itself as well as the attack.

Friday 14:30: Preliminary evidence gathered by the forensic teams from analyzing the ransomware and the network activity does not suggest that there was a data breach or a backdoor.

Friday 18:20: PrimeXM and QSecure begin collaborating with the forensic and malware analyst, providing data to improve the decryption algorithm's success rate.

Saturday 00:30: PrimeXM advises customers to move to their MT4/MT5 failover infrastructure. For customers hosting their failover with PrimeXM, PrimeXM provides support and new servers to migrate to.

Saturday 06:00: PrimeXM contacts customers to begin the MT4/MT5 failover migration. The failover migration continues through Saturday and Sunday.

Saturday 07:30: PrimeXM receives an updated version of the decryption algorithm.

Saturday 08:00: PrimeXM receives the source code for the decryption algorithm.

Sunday 17:00: QSecure and Deloitte Cyber Forensics confirm that, based on their evidence, there was no data breach and no backdoor present in the malware.

Sunday 18:00: PrimeXM improves the decryption algorithm and adds brute-force capabilities, now reaching decryption rates close to 100%. PrimeXM helps clients decrypt files.
