After suffering a ransomware attack by the Hive operation, the Bank of Zambia made it clear that they were not going to pay by posting a picture of male genitalia and telling the hackers to s… (well, you can use your imagination).
Last week, the Bank of Zambia, the country's central bank, disclosed that recent technical outages resulted from a cyberattack.
"The Bank of Zambia wishes to inform members of the public that it experienced a partial disruption to some of its Information Technology (IT) applications on Monday 9th May 2022," disclosed the bank in a press release.
"The disruption, which affected some systems at the Bank such as the Bureau De Change Monitoring System and the Website, emanated from a suspected cybersecurity incident. We wish to advise that these systems have since been fully restored."
A texticular response
While the Bank of Zambia did not disclose the details of the cyberattack, BleepingComputer learned that the attack was conducted by the Hive ransomware operation, which claimed to have encrypted the bank's Network Attached Storage (NAS) device.
However, instead of paying the ransom, the bank representatives responded to the ransom negotiation by making fun of the hacker's '14m3-sk1llz.'
They then proceeded to post a link to a dick pic while stating, "suck this dick and stop locking bank networks thinking that you will monetize something, learn to monetize."
When BleepingComputer saw this chat on Monday, it was assumed that unrelated individuals hijacked the negotiation chat, which we have seen numerous times in the past.
This chat led security researcher MalwareHunterTeam to post a poll asking whether people felt pics like this in a ransom negotiation meant it was hijacked or the message was from the victim.
The poll results were surprising, with the majority of responders saying it was from the victim.
If dick pics appear in a payment site page / chat for a victim of a ransomware gang, it means that:
A: some idiot got access to the chat
B: the victim does not plan to pay the ransom and so is sending some "kind" message to the actors.
Today, Bloomberg reported that the Bank's Technical Director, Greg Nsofu, said they had protected the bank's core systems, so it was not necessary to engage with the threat actors.
However, Nsofu said, "So we pretty much told them where to get off," confirming that it was someone affiliated with the bank who responded to Hive.
The bank’s response to the threat actors may not be the proper method for all organizations, but they should be lauded for making it clear that they would not give in to the attackers’ demands.
While ransomware remains a massive problem for enterprise and home users alike, the best way to end this scourge is simply not to pay ransoms and recover from backups.
Couple non-payment with increased law enforcement action and government sanctions, and we will hopefully see ransomware operations slowly fade away.
BleepingComputer has contacted the Bank of Zambia with further questions about this incident but has not received a response.