Payment platform MoneyGram says there is no evidence that ransomware is behind a recent cyberattack that led to a five-day outage in September.
MoneyGram is an American payment and money transfer platform that allows people to send and receive money through an extensive network of 350,000 physical locations in 200 countries or via its mobile app and website.
MoneyGram confirmed they had suffered a cyberattack and took systems offline to contain the breach on September 20, three days after customers started reporting experiencing issues.
The disruption to IT systems prevented customers from being able to access and transfer their money and perform other online activities.
While many suspected it was a ransomware attack, MoneyGram shared no further details, and no ransomware gangs claimed responsibility.
In an email with updated information about the cyberattack sent to stakeholders on September 25 and seen by BleepingComputer, MoneyGram said that customers are finally able to transfer funds again.
MoneyGram confirmed that corporate systems were breached, but after investigating the attack with CrowdStrike, law enforcement, and other cybersecurity professionals said there was no evidence that ransomware was behind the attack.
“After working with leading external cybersecurity experts, including CrowdStrike, and coordinating with U.S. law enforcement, the majority of our systems are now operational, and we have resumed money transfer services,” says an email obtained by BleepingComputer.
“We recognize the importance of system security as we take these actions. We restored our systems only after taking extensive precautionary measures. At this time, we have no evidence that this issue involves ransomware nor do we have any reason to believe that this has impacted our agents’ systems.”
A source familiar with the attack shared further information, telling BleepingComputer that MoneyGram was initially breached through a social engineering attack on the company’s internal help desk.
This attack allowed the threat actors to access MoneyGram’s network using an employee’s credentials and target employee information in the company’s Windows Active Directory Services. However, they were detected and blocked before more damage could be done.
BleepingComputer contacted MoneyGram with questions about the breach but did not receive a reply back.
If you have any information regarding this incident or any other undisclosed attacks, you can contact us confidentially via Signal at 646-961-3731 or at [email protected].
While MoneyGram has not publicly attributed the attack to any particular threat actor, the strategies are reminiscent of attacks previously conducted by a loose-knit hacker collective known as Scattered Spider (aka UNC3944, the Com, and 0ktapus).
In September 2023, Scattered Spider was behind a cyberattack on MGM Resorts, which they breached by impersonating an MGM employee while calling the IT help desk to reset the password.
Once they gained access to the network, the threat actors deployed the BlackCat ransomware to encrypt hundreds of VMware ESXi servers.
Due to the sophistication of their social engineering attacks, Microsoft, the FBI/CISA, and Mandiant released advisories on their tactics and how to defend against them.