There is no evidence that ransomware is behind the recent cyberattack

Payments platform MoneyGram says there is no evidence that ransomware was behind a recent cyberattack that led to a five-day outage in September.

MoneyGram is an American payments and money transfer platform that allows people to send and receive money through an extensive network of 350,000 physical locations in 200 countries or through its mobile app and website.

MoneyGram confirmed there had been a cyberattack on Sept. 20 and took systems offline to contain the breach, three days after customers began reporting problems.

The disruption to IT systems prevented customers from accessing and transferring their money and carrying out other online activities.

While many suspected it was a ransomware attack, MoneyGram did not share further details and no ransomware gangs claimed responsibility.

In an email with updated information about the cyberattack sent to those involved on September 25 and viewed by BleepingComputer, MoneyGram said that customers will finally be able to transfer money again.

MoneyGram confirmed that company systems were breached, but after investigating the attack with CrowdStrike, law enforcement and other cybersecurity experts said there was no evidence that ransomware was behind the attack.

“After working with leading third-party cybersecurity experts, including CrowdStrike, and coordinating with U.S. law enforcement, most of our systems are now operational and we have resumed money transfer services,” said an email obtained by BleepingComputer.

“We recognize the importance of system security as we take these measures. We only restored our systems after taking extensive precautionary measures. At this time, we have no evidence that this issue is ransomware, nor do we have any reason to believe that this has impacted our agents' systems.

A source familiar with the attack shared further information with BleepingComputer that MoneyGram was originally hacked through a social engineering attack on the company's internal help desk.

This attack allowed the threat actors to access MoneyGram's network using an employee's credentials and attack employee information in the company's Windows Active Directory services. However, they were discovered and blocked before any more damage could be done.

BleepingComputer reached out to MoneyGram with questions about the breach but received no response.

If you have information about this incident or other undisclosed attacks, you can contact us confidentially via Signal at 646-961-3731 or at [email protected].

Although MoneyGram has not publicly attributed the attack to a specific threat actor, the strategies are reminiscent of attacks previously carried out by a loose hacker collective called the Scattered Spider (also known as UNC3944, the Com and 0ktapus).

In September 2023, Scattered Spider was behind a cyberattack on MGM Resorts, which the company breached by impersonating MGM employees while simultaneously calling the IT help desk to reset the password.

After gaining access to the network, the threat actors used BlackCat ransomware to encrypt hundreds of VMware ESXi servers.

Due to the sophistication of their social engineering attacks, Microsoft, the FBI/CISA, and Mandiant released advisories on their tactics and how to mitigate these attacks.