TTEC hit with ransomware attack, hampering work for major clients

US customer experience technology giant TTEC has announced a “cybersecurity incident” but confirmed to employees that it was hit with ransomware.

The company, with nearly 61,000 employees and billions in annual revenue, sent a message to employees this week warning them not to click on a link titled “!RA!G!N!A!R!” according to KrebsonSecurity. The message indicates the attack may have been launched by the prolific Ragnar Locker ransomware group or someone trying to impersonate them. 

TTEC told employees that it was having system outages and was working to remove the malicious “!RA!G!N!A!R!” file from its system.

In a statement to ZDNet, TTEC corporate communications vice president Tim Blair would not confirm that it was a ransomware incident but said some of the company’s data was encrypted and “business activities at several facilities have been temporarily disrupted.”

“TTEC immediately activated its information security incident response business continuity protocols, isolated the systems involved, and took other appropriate measures to contain the incident,” Blair said. 

“We are now in the process of  carefully and deliberately restoring the systems that have been involved. We also launched an investigation, typical under the circumstances, to determine the potential impacts. In serving our clients TTEC generally does not maintain our clients’ data, and the investigation to date has not identified compromise to clients’ data. That investigation is on-going and we will take additional action, as appropriate, based on the investigation’s results.”

TTEC works with some of the biggest companies in the world, including Verizon, Best Buy, Dish Network, Bank of America and Kaiser Permanente.

KrebsonSecurity was able to obtain the internal message from a reader, who told the blog that the “widespread” system outage began on Sunday, September 12. The source told KrebsonSecurity that thousands of TTEC employees working on accounts for Verizon, Kaiser Permanente and Bank of America were unable to do any tasks because of the attack while many other customer support teams reported being unable to work. 

Ransomware groups typically target organizations with large customer bases that rely on services or a product, knowing it hinders business and creates a trickle-down impact on all customers, KnowBe4 security advocate James McQuiggan said. 

“Ransomware attacks have been known to hinder the business and steal intellectual property, client information and employee information. The cyber criminals then use this information to extort the employees or customers for additional money or be in fear of their data being released publicly,” McQuiggan said.

The Ragnar Locker ransomware group has been in the news as of late for their comments about victims who contact the police or professional negotiators. 

On their darknet leaksite, the group said it would destroy decryption keys and publish all sensitive data that was stolen if victims dared to contact cybersecurity companies or law enforcement. 

“So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the police/FBI/investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised data immediately,” the group said, according to a note seen by BleepingComputer.

The group has previously attacked major companies like Capcom, Campari, energy company EDP, game studio CD Projekt Red and a number of shipping giants in China.