

Canadian voice over IP hardware and software maker Sangoma Technologies Corp. has been struck by a ransomware attack.
The company, which offers products such as FreePBX and Switchvox and is also the owner of Asterisk provider Digium Inc., disclosed the attack in a statement on Dec. 24. It said the ransomware targeted one of the company’s servers. The company added that private and confidential data stolen during the attack had been posted online, but it has no initial indication that customer accounts were compromised.
Sangoma said that it has launched a comprehensive investigation to fully ascertain the extent of the data breach and it’s working closely with outside cybersecurity experts. Customers are being advised to change their Sangoma passwords as a precaution.
Bleeping Computer reported that the attack involved Conti ransomware, the same ransomware used in an attack targeting industrial computer manufacturer Advantech Co. Ltd. in November. The Conti ransomware gang has published more than 26 gigabytes of data alleged to have been stolen from Sangoma on its data leak site. The data collection includes the company’s accounting, financials, acquisitions, employee benefits and salary, and legal documents.
Conti ransomware, which shares code with the better-known Ryuk ransomware, runs through a typical list of behaviors. After gaining access to a network, it steals files before encrypting them, demanding a ransom payment in return for both a decryption key and a promise not to publish the stolen data.
Sangoma hasn’t disclosed exactly when the ransomware attack took place, but given that the data was published the day before the company said it had been targeted, it’s likely that the attack took place earlier in December with no ransom being paid, hence the publication of the stolen data.
Conti is known to be distributed by the TrickBot botnet. The botnet dates back to 2016 and is believed to exist on a network of more than 1 million machines. Media reports on Oct. 12 incorrectly claimed that Microsoft Corp. had taken TrickBot down, but as noted at the time, Microsoft only said it had disrupted the bot. The fact that more companies are being affected is proof that TrickBot is back.
Conti ransomware, along with Ryuk, was named in an advisory from various U.S. government agencies Oct. 29 as being used to target hospitals and healthcare providers.