Sangoma Hack / Ransomware

(Tom Ray) #60

And here we go. Yes, we are well aware of how ransomware works but flat out saying they ignored it like it would just go away is just pure speculation spew (again). Many companies do not pay the ransomware while others do pay it. Those companies have their reasons for doing either of those. In cases like Sangoma, a large corp, there could be a legal team saying “Don’t pay”.

Ya sure about that? Because spending 15 minutes reviewing that law shows this:

An entity must take all reasonable steps to complete the assessment within 30 calendar days after the day the entity became aware of the grounds (or information) that caused it to suspect an eligible data breach (s 26WH(2)).

Timing of notification

Entities must notify individuals as soon as practicable after completing the statement prepared for notifying the Commissioner (s 26WL(3)).

Oh and apparently there are three ways to do notifications.

  1. All Users - Blanket statement.
  2. Impacted Users - If you know exactly who was impacted, just notify them not all users.
  3. Don’t have current contact information? You just need to publicly post on your website the details of the breach.

So yeah, in Australia they would have 30 days to put the report together for the regulators after they found the breach. THEN they would do notifications.

(TheJames) #61

Alabama and California where they have offices both do too. ¯\_(ツ)_/¯ I’m sure the lawyers told them it’s cool.

(Tom Ray) #62

Yeah, that is a good point. All 50 states have their own laws about how to handle, report and do notifications of data breaches. Wonder what other impact there is since there are also offices in Canada and the UK.

(Rob Thomas) #63

It looks like someone who’s claiming to be the attacker has posted on reddit with more information (which I have removed). @lgaetz, who’s looking after this internally? The information contained in the message doesn’t need to be public but if anyone inside Sangomium wants to reach out to me, now would be a good time (email would be best) as this is time critical information.

(Edit: Contact achieved!)

(xp) #64

We need to do module updates on many v15 PBXes. Was planning to do so over Christmas or New Year weekend. The hack stopped me from doing this over Christmas weekend. Do we believe the tech side is in the clear enough to apply module updates? I would imagine that @xrobau and @lgaetz probably have some good input here too.

(TheJames) #65

(Nobby6) #66

That’s the approach for general breaches, there are many other requirements in law, in particular this ditty that relates to “serious harm” and that section encompasses breaches that are known to have taken login creds and financial information

“entities to expeditiously notify individuals at risk of serious harm about an eligible data breach unless cost, time, and effort are excessively prohibitive in all the circumstances.”

The key word here is expeditiously, which is not 28 days, unless you’re a Sangoma fanboi that is.

(Jonathan P) #67

Any updates?


(Preston McNair, ClearlyIP CRO) #69

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)


People online stating to be part of the group that hacked Sangoma stated that they have been in contact with Sangoma since October 12th.

This could use a little more citation.

(Reinhard Stindl) #71

You are offering a “solution”, which includes switching to YOUR mirror servers. Are you serious??? Someone can get the impression that the hack is in your interest…

(Itzik) #72

Please prep a fire extinguisher before this thread is fully engulfed in flames.

(Richard Smith) #73

How is offering a free service in their interest?


It was entirely predictable innuendo… the only thing surprising to me is that it took nearly a week for someone to say it. Of course it’s nothing more than bad-faith nonsense and trolling and should be ignored.

(Preston McNair, ClearlyIP CRO) #75

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

(Luke C) #76

Curious why October 13th was selected? The gang says they have been in contact since October 12th, and any attacker worth their own salt would have planted their seeds much sooner.

(Preston McNair, ClearlyIP CRO) #77

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

(Preston McNair, ClearlyIP CRO) #78

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

(Reinhard Stindl) #79

Just curious…has this ever happened…that the update servers of an open-source project have been infected and all “customer” systems (and networks) have been encrypted and locked? If somebody wants to steal money, would he choose end users of a free phone system? I have the impression that 95% of FreePBX users don’t want to spend money and/or have (lots of) money! Aren’t they the wrong target?