Zaha Hadid network encrypted with ransomware, files leaked

New ransomware gang is threatening to release secret documents of a high-profile architectural company

Zaha Hadid Architects suffered a cyberattack: files were encrypted by ransomware and are threatened to be published if no ransom is paid

One of the largest architecture and design companies, Zaha Hadid Architects, suffered a cyberattack last week. According to the latest report from ZDNet,[1] an unknown criminal gang going by the name of “Light” breached the firm's servers, encrypted all files on the network, stole valuable data and is now threatening to release it publicly unless a ransom is paid. It is not yet known which ransomware is responsible, although it is believed to be the gang's own customized crypto-malware.

According to the attackers, the confidential information stolen from Zaha Hadid Architects' servers includes financial and project data, client information, email dumps, payroll records, employee details, and more. The threat actors have already published a small sample of the stolen information on a specially crafted website and are threatening to expose more if their demands are not met.

Zaha Hadid Architects is a British company founded by Zaha Hadid in London in 1980 that has since become one of the most innovative design and architecture firms in the world. The company has designed buildings and their interiors all around the world, with notable creations including the London Aquatics Centre (London), the BMW Central Building (Germany), Napoli Afragola railway station (Italy), Guangzhou Opera House (China), and many more.[2]

Zaha Hadid refused to engage in negotiations with attackers

The attack occurred on April 21, when staff noticed that files on the servers had been encrypted and that the attackers had left a ransom note behind. The company immediately launched an investigation and contacted the police and third-party forensic experts.

Due to the ransomware attack, staff were temporarily locked out of the systems and were also required to change their passwords. Nevertheless, the company says that its operations suffered no major disruption.

Since Zaha Hadid Architects had all of its data backed up, the encryption itself is a manageable problem; the potential data breach, however, could have far more damaging consequences. The firm is now working with forensic investigators to examine the breach and with security firms to restore the encrypted data from backups.

While the attackers posted a tweet with a screenshot of the stolen information, it is currently unknown how much data was actually taken. Despite the incident, the architectural firm believes that no project details were tampered with during the attack.

According to ZDNet, the attackers contacted the outlet directly and provided a link to the website they intend to use for publishing the data if the ransom is not paid on time. The threat actors also provided proof that they possess ZHA files containing the relevant information.

The company advises architectural firms to be cautious

Amid the COVID-19 crisis, many companies' staff have been forced to work from home, and Zaha Hadid Architects is no exception. Architects' Journal contacted the company's representatives about the attack, and they warned the community to be aware of the dangers inherent in the current situation:[3]

With all our 348 London-based staff working from home during this pandemic and cyber criminals poised to exploit the situation, we strongly advise the architectural community to be extremely cautious.

With ransomware attacks growing rampant and many firms facing challenges due to the pandemic,[4] it is important to ensure that all networks are adequately protected and that staff are aware of the risks of suspicious emails, since spear-phishing remains one of the most common delivery vectors for malware, including ransomware.

The new “Light ransomware” strain that hit Zaha Hadid Architects has not yet been analyzed, so it is unknown whether the attackers are a new criminal group or have roots in already established criminal operations. Leaking stolen data to pressure victims is now a common practice among strains like Maze,[5] DoppelPaymer, Sodinokibi, Clop, and many others,[6] so it is no surprise that new gangs are willing to adopt the tactic for illegal financial gain.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
