CTB-Locker: Multilingual Malware Demands Ransom

As we have seen in previously published articles on ransomware, such as TorrentLocker targeting the UK with Royal Mail phishing and ransomware in a country near you, these threats are appearing more frequently and in more regions.

Starting a few days ago, we began receiving multiple reports of malware-spreading campaigns in various countries, mostly in Latin America and Eastern Europe. A fake email purporting to contain a fax is in fact the lure for a campaign to spread malicious code whose ultimate goal is to encrypt the victims’ files and then extort a ransom in bitcoins for the return of the encrypted information.


In this post we will see how these campaigns spread a new variant of CTB-Locker Ransomware, causing headaches for thousands of users. Poland, Czech Republic and Mexico are the most affected, as we can see in the following graphic comparing percentages by country:


This attack begins with a fake email arriving in the user’s inbox. The subject of the email pretends that the attachment is a fax; the file is detected by ESET as Win32/TrojanDownloader.Elenoocka.A. If you open this attachment and your antivirus software does not protect you, a variant of Win32/FileCoder.DA will be downloaded to your system: all your files will be encrypted and you will lose them for good, unless you pay a ransom in bitcoins to retrieve your information.


Some variants of Win32/TrojanDownloader.Elenoocka.A connect to a remote URL to download malware detected by ESET as Win32/FileCoder.DA and known as CTB-Locker. This family of ransomware encrypts files in a similar way to CryptoLocker. The main difference is that it uses a different encryption algorithm, elliptic-curve cryptography, from which its name derives (CTB stands for Curve-Tor-Bitcoin).

The result is similar to CryptoLocker or TorrentLocker, in that files with extensions such as .mp4, .pem, .jpg, .doc, .cer, .db etc. are encrypted with a key held by the attackers, which makes it virtually impossible to recover the files. Once the malware has finished encrypting the user’s information, it displays a warning and also changes the desktop background to a message similar to the one seen in the image below:


The message is displayed in German, Dutch, Italian and English, so it adapts itself to many regions. Even though Spanish is not one of the languages used for the ransom message, we have seen many infections in Spanish-speaking countries.

In order to reassure the users that they can recover their files once the payment is made, cybercriminals offer a demonstration of how it works, which you can see in the image below:


After the user views the demonstration, the attackers show how to decrypt the files and where to send the bitcoins (BTC). They even offer a way to buy bitcoins in case the user does not have any:


Another peculiar detail of CTB-Locker is this: not only is the message shown to the user in different languages but it also displays the currency appropriate to that language. If the user chooses to view the message in English the price is in US dollars, otherwise the value will be in Euros. The ransom is 8 Bitcoins, which today (20 January 2015) have a value of around 1,680 dollars.

From a technical point of view, Win32/TrojanDownloader.Elenoocka.A is a small and simple threat. There are many different campaigns going on, such as the fax lure mentioned above; we also spotted another whose attachments were named after the template invoice_%YEAR_%MONTH_%DAY-1%HOUR_%MIN.scr, e.g. invoice_2015_01_20-15_33.scr. Recent samples prepend a random word, e.g. stride_invoice_2015_01_20-15_33.scr or tiger_invoice_2015_01_20-15_38.scr. Once run, the downloader opens an RTF decoy document in Word; this document is stored in a resource named “DATA” inside a CAB archive.

It is true that the encryption scheme used by CTB-Locker means the files cannot be recovered by analysing the payload alone. However, there are certain safety measures that are recommended for users and companies:

  • If you have a security solution for mail servers, enable filtering by extension. This will let you block malicious files with extensions such as .scr, as used by Win32/TrojanDownloader.Elenoocka.A.
  • Avoid opening attachments in emails of dubious origin where the sender has not been identified.
  • Delete emails or mark them as spam to prevent other users or company employees being affected by these threats.
  • Keep security solutions updated to detect the latest threats that are spreading and keep ESET LiveGrid technology On.
  • Perform up-to-date backups of your information.
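As an added example, not code from the article or from ESET, here is a small Python filter of the kind a mail gateway could apply to attachment names. It blocks the .scr extension the first tip recommends filtering and also matches the invoice_… naming template with the optional random-word prefix described earlier in the post. The extra blocked extensions beyond .scr, the whitespace normalisation (a stray space before the extension should not let a file slip through) and the function names are my assumptions, not something the article specifies.

```python
import os
import re

# Extension the article tells mail administrators to block: the downloader
# (Win32/TrojanDownloader.Elenoocka.A) arrives as a .scr screensaver executable.
BLOCKED_EXTENSIONS = {".scr"}
# Assumption (not from the article): executables commonly blocked alongside .scr.
BLOCKED_EXTENSIONS |= {".exe", ".pif", ".com", ".cmd", ".bat", ".vbs", ".js"}

# Filename template used by the invoice campaign described in the post:
# invoice_%YEAR_%MONTH_%DAY-%HOUR_%MIN.scr, optionally prefixed by a random word
# (stride_invoice_..., tiger_invoice_...).
CAMPAIGN_NAME = re.compile(
    r"^(?:[a-z]+_)?invoice_\d{4}_\d{2}_\d{2}-\d{2}_\d{2}\.scr$", re.IGNORECASE
)


def normalize(filename):
    """Undo tricks that hide the real extension: path components, whitespace
    inside the name ("invoice_... .scr"), and trailing dots."""
    name = os.path.basename(filename.strip())
    name = re.sub(r"\s+", "", name)
    return name.rstrip(".")


def verdict(filename):
    """Return 'block:campaign-pattern', 'block:extension' or 'allow'."""
    name = normalize(filename)
    if CAMPAIGN_NAME.match(name):
        return "block:campaign-pattern"
    # splitext takes the LAST extension, so fax.pdf.scr is judged by .scr
    ext = os.path.splitext(name)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "block:extension"
    return "allow"


def filter_attachments(names):
    """Map every attachment name in a message to its verdict."""
    return {n: verdict(n) for n in names}


if __name__ == "__main__":
    # Constructed sample names, the first three modelled on the ones in the post.
    for n, v in filter_attachments([
        "invoice_2015_01_20-15_33.scr",
        "stride_invoice_2015_01_20-15_33.scr",
        "tiger_invoice_2015_01_20-15_38.scr",
        "fax_2015_01_20.pdf.scr",
        "fax_2015_01_20.pdf",
    ]).items():
        print(f"{v:24} {n}")
```

The campaign pattern is checked before the extension so that a log entry can say which campaign was caught; if the attackers change the extension, the extension rule still applies to whatever executable type they switch to only if it is in the blocked set, so the set is the part to keep maintained.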

Mitigating such attacks is no simple task, and you need to take a proactive stance by supporting security technology with awareness and education. Following the tips above could help you and your company avoid this and similar threats.

Hashes (SHA-1):

  • 81F68349B12F22BEB8D4CF50EA54D854EAA39C89 Win32/FileCoder.DA
  • 0D4B6401EB5F89FF3A2CF7262872F6B3D903B737 Win32/FileCoder.DA
  • 1DA7B3538A1D8B89179E17E91C7061B19932BBC8 Win32/TrojanDownloader.Elenoocka.A
  • FE565E5589D496B838E037E99AA59E931129B7DA Win32/TrojanDownloader.Elenoocka.A
  • 576BCD87B7EC38DE302201EC460DB9C0819B473A Win32/TrojanDownloader.Elenoocka.A
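As an added example (not code from the article), here is a small Python helper to sweep a directory, or a set of in-memory objects, against the SHA-1 indicators listed above. The digests are exactly the ones published; the function names, the case normalisation and the chunked file reading are mine.

```python
import hashlib
import os

# SHA-1 digests published in the article, mapped to ESET's detection names.
KNOWN_BAD = {
    "81F68349B12F22BEB8D4CF50EA54D854EAA39C89": "Win32/FileCoder.DA",
    "0D4B6401EB5F89FF3A2CF7262872F6B3D903B737": "Win32/FileCoder.DA",
    "1DA7B3538A1D8B89179E17E91C7061B19932BBC8": "Win32/TrojanDownloader.Elenoocka.A",
    "FE565E5589D496B838E037E99AA59E931129B7DA": "Win32/TrojanDownloader.Elenoocka.A",
    "576BCD87B7EC38DE302201EC460DB9C0819B473A": "Win32/TrojanDownloader.Elenoocka.A",
}
# Normalise once so lookups are case-insensitive regardless of the source list.
KNOWN_BAD = {k.lower(): v for k, v in KNOWN_BAD.items()}


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk=1 << 20):
    """Hash a file in chunks so large downloads do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_digest(digest):
    """Detection name for a SHA-1 hex digest, or None if it is not an indicator."""
    return KNOWN_BAD.get(digest.strip().lower())


def scan_items(items):
    """items: iterable of (name, bytes). Returns [(name, sha1, detection)] for hits."""
    hits = []
    for name, data in items:
        digest = sha1_hex(data)
        detection = match_digest(digest)
        if detection:
            hits.append((name, digest, detection))
    return hits


def scan_directory(root):
    """Walk a directory tree (e.g. a mail quarantine or download folder)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip, do not abort the sweep
            detection = match_digest(digest)
            if detection:
                hits.append((path, digest, detection))
    return hits


if __name__ == "__main__":
    for path, digest, detection in scan_directory("."):
        print(f"{detection}\t{digest}\t{path}")
```

Hash indicators only catch the exact samples listed; a recompiled or repacked downloader will hash differently, which is why the extension filter and the detection names, not the hashes, are the durable part of this post.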

by Pablo Ramos, ESET

Do you really need antivirus software for Linux desktops?

This is a shortened version of the article that appeared on ESET’s We Live Security. For the full article, go here.

It started, innocently enough, as a question asked in the ESET Security Forum titled “Eset – Do I Really Need Antivirus On My Linux Distros?” However, the answer to that seemingly simple question on Linux antivirus is more complex than a simple yes-or-no response.

That there’s far less malware for Linux than Windows is not in doubt: A search in ESET’s VirusRadar® threat encyclopedia reveals just a scant few thousand pieces of malicious software for Linux. While that may sound like a large number, ESET processes 250,000 malicious samples every day on average, releasing several thousand signatures for Windows-based malware every few days. And, of course, one should keep in mind that the term “signature” is itself very broad these days: A single signature may be able to detect multiple families of malware; while one family of malware may require tens of signatures to detect all known samples.

Yes, the threatscape out there is dominated by malware that targets Microsoft Windows, but as the world’s most-widely used desktop operating system, Windows is also the most heavily-targeted.

There are many reasons that Linux doesn’t have the same sorts of problem with malware that Windows has, ranging across differences in operating system security models, market fragmentation due to the multitude of distros, and its dearth of acceptance by everyday users as a desktop operating system.

But “few threats” does not mean “no threats at all.” And while some of the more rabid fanatics will point out that Linux doesn’t have a computer virus problem, neither does Windows today: Only about 5-10% of malware reported to ESET’s LiveGrid® threat telemetry system on a daily basis is viral in nature.

Over 99% of the malware observed by ESET on a daily basis is written for the sole purpose of supporting some kind of economically-motivated criminal activity, whether it be a DDoS (Distributed Denial of Service) attack, identity theft, spam, or plain-old robbery, albeit through somewhat newfangled methods of stealing account and transaction credentials for various financial institutions and services.

However, this is not an article about Windows-borne malware, or, at least, that wasn’t the intended topic.  When it comes to Linux and how it fits into criminals’ online activity, the threatscape is a bit different.  Linux has long been a staple of the webhosting world, and if you peer into the silver lining of cloud computing, it often looks more like Tux than, say, Clippy on the inside.  This becomes even more apparent when you look at modern supercomputers:  In 2014’s TOP500 list, just two of the systems listed ran some version of Windows.

I would like to point out then that when I am discussing Linux, I’m referring to the various Linux distributions (or distros, for short) out there, not just the Linux kernel itself.  For that matter, it would be best to extend this concept to cover not just the distro, but the stack of software that is running on top of it, whether it be a classic LAMP stack for serving up web pages or inside networking gear moving bytes around.

A large part of the Internet runs on Linux, often far away from public view in vast data centers.  Even when Linux is right in front of us, it is often invisible because it is running unnoticed on such devices as modems, routers and set top boxes.  I would like to focus first, though on those data centers.

Linux is very big…

So, what exactly is it that makes Linux ideal for data center environments?  Data centers consist of thousands, tens of thousands or even hundreds of thousands of servers, and managing that many computers rapidly becomes very challenging.  Licensing costs for server operating systems vary, but Linux distros essentially start at free, although enterprises often end up paying for documentation, support and maintenance, or the costs of devoting staff to customizing it as needed.

Likewise, Linux’s support of various network protocols, scripting languages and command shells—that support being typically more diverse than Windows, at least out of the box—means that it is comparatively easy and inexpensive to script management of systems.  And this tends to scale well.

And then there’s performance.  As one of the first operating systems to originate in the Internet era, and coming from an educational rather than commercial background, Linux was designed from the ground up to connect with other systems using standard protocols such as TCP/IP. Indeed, it took Microsoft Windows server operating systems years before they could match Linux in various raw network throughput tests.

…and Linux is very small

Just as Linux scales up to very large computers, it can also be tailored to run on very small devices.  Google’s Android, which largely powers the smartphone and tablet industries, is based on Linux.  You might find devices running Linux throughout your home:  In your family room, such devices as DVRs, media players, set-top boxes and the Smart TVs in your entertainment center might be running Linux, while the broadband modem and network router that connect everything to the Internet run Linux as well.  If smart, digitally-connected kitchen appliances take off, you may also be cooking with Linux one day.

Regardless of what these small devices around your home or office do, though, they have one thing in common:  They don’t look very much like traditional computers.  They don’t have keyboards, or even monitors (unless, perhaps, they are built into your monitor), and you probably access them remotely through your web browser so as to configure and manage them.  If they communicate with you at all, it is perhaps with an LED light or two to let you know they’re working.

The Linux Threatscape

So, what exactly are the threats facing Linux today?

Well, as previously mentioned, Linux usage tends to concentrate in two areas: The very large (data centers) and the very small (embedded in appliances and the like).  In the former case, unless you work around servers all day, you may not be aware of how Linux is behind many of the most popular web sites and relied-upon services we use every day.  And in the latter case, you may simply not be aware that your home router, DVR, set-top box or other “smart” home appliances are running some form of Linux.  Even though neither of these cases is what we traditionally think of as a “desktop,” that does not mean they are immune to the same kinds of threats, either.

Hosted Linux servers in data centers have long been a part of the malware ecosystem, although probably not in the way most people think of it.   There are many web site hosting companies out there that run outdated, insecure software and have poor system management practices.  They often end up hosting command-and-control servers used by Windows-based malware to phone home for updates and instructions, serve as drop zones used by malware to store stolen information en route to the criminals who have stolen it, and so forth.

Earlier this year, ESET’s researchers uncovered Operation Windigo, an attack mostly targeting Linux servers (some *BSD, Mac OS X Server and even a few Windows servers were also affected), that over the last two years affected over 25,000 servers.  At first glance, 25,000 systems may not seem like a large number, given that many botnets scale to ten or thirty times that size, but when you consider that a single server might host tens, hundreds or even thousands of web sites, the actual number of end users affected by the attack was very large, indeed.

A true anecdote from my own experiences:  A web forum on which I am active was affected by the Windigo campaign for many months.  When I notified the site administrator that I was seeing attempts to pop up advertisements for pornography being blocked by my security software, he told me to check my Windows-based PC for viruses.  It was only several months later that the hosting provider for the forum—a large web host known more for their wallet-friendly pricing than for support or security—admitted that the server on which the site was running had been compromised for the better part of a year.

At the other end of the computing spectrum, we have all of those appliances with computers embedded in them running some version of Linux.  These include devices you might not necessarily think of as computers, such as Smart TVs and DVRs, as well as devices to which you may connect your computer, but do not necessarily think of as having a discrete operating system in them, such as routers, printers, NAS and so forth.  We have seen numerous Smart TVs from companies such as Samsung, Philips and LG that can be taken over remotely, might spy on their users’ viewing habits, or even on the users themselves via built-in webcams.  And there are also worms like RBrute, which modified routers’ DNS settings in order to inject ads, steal credentials and redirect search results.

Threats on the Desktop

Just as the threats targeting Linux servers are very different from those faced by embedded systems, the kinds of attacks on Linux desktops tend to vary as well.

The first thing to understand about attacks on Linux desktops is that these systems are rarely infected by malware such as worms, trojans, viruses and so forth.  While this is partially due to Linux’s security model, the greater reason for this is simply the lack of market penetration by Linux in the desktop space.

These days, malware is used almost exclusively for financial gain by criminals.  In fact, this is so often the case these days that when malware is written for some other purpose, it becomes newsworthy simply for that reason alone.  Case in point:  Win32/Zimuse.  When we do see malware specifically for Linux, it often seems to be written either as a proof of concept or for other research purposes, and is rarely found in the wild on customers’ computers.

This, however, does not mean that Linux is immune to malicious software, especially when it comes to cross-platform threats.  HTML, Java, JavaScript, PDF (Portable Document Format), Perl, PHP, Ruby and even SWF (Adobe Flash) are all frameworks or languages that are supported under Linux, and these can be just as easily targeted under Linux as under Windows or Mac OS X, although the underlying operating system may still be more difficult to exploit.  Still, having anti-malware software installed means you can receive warning of potential threats.

Likewise, it is not unusual for Linux users to receive file attachments via email, or to be on networks with file shares, both of which can serve as vectors of malware, even if they only target Microsoft Windows.  And, of course, if a Linux-specific worm such as Linux/Ramen was spreading across the network, one would want to protect one’s desktop from it.  But even if the only malware on the network is targeting Windows, having anti-malware software installed can serve as a kind of “early warning” system to notify Linux desktop users that they are connected to an infected network.

As another anecdote, a friend of mine, whom I will call Richard, does exactly this.  A technical writer by vocation, he switched to a Linux-only environment after some bad experiences with Windows Vista.  Richard does maintain an isolated Windows XP system for occasions when he must do something in Windows that cannot be done under Linux, but, regardless of the operating system, all of his computers run anti-malware software.  When people at his office accidentally send an infected file to his Linux desktop, he lets them know in the kind of clear, concise and unambiguous terms used by professional wordslingers.

Closing Thoughts

While Linux desktop systems are not magically immune to malware, they are not saturated with it either, especially in comparison to their Windows brethren.  But, as both Operation Windigo and the escalating increase in Android malware have shown us, wherever a particular platform finds success, criminal elements are not far behind.  While Linux on the desktop remains comparatively malware free today, that may not be the case in the future.  Whether it’s a requirement for compliance reasons, or simply a desire to have an ounce of prevention, anti-malware on the Linux desktop can act as a form of insurance against future attacks.

by Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher

Swiss bank data released by hackers

The Swiss state owned Banque Cantonale de Geneve has confirmed that hackers have released confidential customer correspondences after the bank refused to pay the ransom demanded by the attackers, reports Tech Week Europe.

The hack, which was revealed on the Twitter account of the person(s) involved, comprised the theft of over 30,000 emails between the bank and its clients, both domestic and international.

The bank revealed the leak just hours after the ultimatum deadline from the hackers had passed, claiming it preferred “the path of transparency” to blackmail. Bloomberg states that the demand was for “$12,000 at current exchange rates.”

Reuters reports that “the hacker played on Swiss banks’ reputation for helping clients conceal information from tax authorities”, with the following statement tweeted from its Twitter account: “We would like to wish a merry tax audit to all the non-Swiss account holders listed in the BCGE files.” The account has since sent out a further 60 messages which ranged from criticizing the bank to taunting their clients it claims are at risk.

Banque Cantonale de Geneve, for its part, denies that there is any need to worry and issued a statement saying it represented “no particular financial risk for clients or the bank.”

It continued: “At first analysis, this information is hardly critical, is obsolete or corresponds to foreseen contents about which it has already informed a significant number of clients concerned.”

A spokesperson for Banque Cantonale de Geneve added to Reuters that the 30,192 emails intercepted had all been published, and that all the information leaked was client inquiries sent over the internet. None of it involved accounts, which require several passwords or codes to access, she claimed.

by Alan Martin, ESET

Monthly Threat Report: December 2014


The Top Ten Threats

1. HTML/Refresh
Previous Ranking: 1
Percentage Detected: 2.82%

HTML/Refresh is a Trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.

2. Win32/Bundpil
Previous Ranking: 2
Percentage Detected: 2.54%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files. The files are then executed, and the HTTP protocol is used for communication with the C&C server to receive new commands. The worm may delete files or folders matching the following patterns:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

3. Win32/Adware.MultiPlug
Previous Ranking: 3
Percentage Detected: 2.39%

Win32/Adware.MultiPlug is a Potentially Unwanted Application that, once present on the user’s system, might cause applications to display advertising pop-up windows during internet browsing.

4. Win32/TrojanDownloader.Wauchos
Previous Ranking: 4
Percentage Detected: 1.87%

Win32/TrojanDownloader.Wauchos is a trojan which tries to download other malware from the Internet. It collects information about the operating system, its settings and the computer’s IP address, then attempts to send the gathered information to a remote machine. It can download files from a remote computer and/or the Internet, run executable files, create Registry entries and remove itself from the infected computer.

5. Win32/Sality
Previous Ranking: 5
Percentage Detected: 1.39%

Sality is a polymorphic file infector. When executed it starts a service and creates or deletes registry keys related to security applications active on the system, and ensures that the malicious process restarts at each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes implemented by and associated with security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah.

6. LNK/Agent.AK
Previous Ranking: 6
Percentage Detected: 1.31%

LNK/Agent.AK is a shortcut (link) file that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat. The underlying vulnerability became known at the time Stuxnet was discovered, as it was one of four zero-day vulnerabilities exploited by Stuxnet variants.

7. INF/Autorun
Previous Ranking: 8
Percentage Detected: 1.22%

INF/Autorun is a generic detection of versions of the autorun.inf configuration file created by malware. The malicious AUTORUN.INF file contains the path to the malware executable. This file is usually dropped into the root folder of all the available drives in an attempt to autorun a malware executable when the infected drive is mounted. The AUTORUN.INF file(s) may have the System (S) and Hidden (H) attributes present in an attempt to hide the file from Windows Explorer.
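As an added example, not part of the report, here is a small Python checker for the kind of autorun.inf described above. It parses the [autorun] section, lists every program the file would launch (open=, shellexecute= and shell\…\command= directives), and flags the file when a launch target is an executable or when the file carries the Hidden/System attributes the report mentions. The two sample files are constructed for this example, not real samples; the "Open folder to view files" heuristic (a malicious autorun.inf often sets action= to mimic Explorer's own wording) is my addition.

```python
# Directives in [autorun] that make Windows launch a program when the drive is
# mounted or opened in Explorer.
LAUNCH_KEYS = ("open", "shellexecute")
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".cmd", ".bat", ".vbs", ".js")

# Constructed sample of the malicious pattern INF/Autorun detects (not a real file).
SAMPLE_MALICIOUS = """[AutoRun]
open=RECYCLER\\update.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\update.exe
shell\\explore\\command=RECYCLER\\update.exe
"""

# Constructed benign sample: only a label and an icon, nothing is launched.
SAMPLE_BENIGN = """[autorun]
label=Holiday photos
icon=photos.ico
"""


def parse_autorun(text):
    """Return the key=value entries of the [autorun] section, keys lowercased."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Every command the file asks Windows to run."""
    targets = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value)
    return targets


def assess_autorun(text, hidden=False, system=False):
    """hidden/system: the file's attributes, which the parser cannot see from content."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    reasons = []
    for target in targets:
        parts = target.split()
        exe = parts[0].strip('"').lower() if parts else ""
        if exe.endswith(EXECUTABLE_EXTS):
            reasons.append(f"launches executable: {target}")
    # Assumption: impersonating Explorer's default action text is a common lure.
    if entries.get("action", "").lower().startswith("open folder"):
        reasons.append("action= text mimics Explorer's 'Open folder to view files'")
    if hidden or system:
        reasons.append("file carries Hidden/System attributes")
    return {"targets": targets, "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for name, text in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, assess_autorun(text, hidden=(name == "malicious"), system=True))
```

On a live system the attributes would come from the filesystem (the S and H bits on the file in the drive root), which is why they are passed in rather than guessed from the content.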

8. LNK/Agent.AV
Previous Ranking: N/A
Percentage Detected: 1.21%

LNK/Agent.AV is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat.

9. JS/Kryptik.ATB
Previous Ranking: N/A
Percentage Detected: 1.19%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

10. Win32/Ramnit
Previous Ranking: 9
Percentage Detected: 1.18%

This is a file infector that executes every time the system starts. It infects .dll (dynamic link library) and .exe executable files and also searches for .htm and .html files so as to insert malicious instructions into them. It exploits a vulnerability found on the system (CVE-2010-2568, the Windows shortcut-file flaw) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send information it has gathered, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

US military’s Twitter account hacked

Guess who hasn’t been using two factor authentication to protect its social media accounts?

Twitter and YouTube accounts belonging to Central Command – the group responsible for United States’ military operations in the Middle East – were hijacked yesterday by hackers claiming to back Islamic State.

In a series of messages posted on the @CENTCOM Twitter account, the pro-ISIS hackers claimed to have broken into US military networks and stolen information.


For some time, anyone on Twitter could read bizarre messages on the @CENTCOM account including “I love you ISIS”.

It’s bad enough having your social media accounts compromised, of course, but then the hackers began to post what they claimed were leaked military documents.


And it wasn’t just Central Command’s Twitter account that was being abused. Its YouTube channel had also been broken into, with the hackers uploading videos and changing images:


In less than an hour, Twitter had suspended the compromised account.

Of course, there is a vast difference between hacking into a sensitive military network and compromising a handful of social media accounts.

In a press statement, CENTCOM was at pains to point out that it did not believe that any sensitive information had been posted to the accounts, and that its own servers had not been hacked:

U.S. Central Command’s Twitter and YouTube sites were compromised for approximately 30 minutes. These sites reside on commercial, non-Defense Department servers and both sites have been temporarily taken offline while we look into the incident further. CENTCOM’s operational military networks were not compromised and there was no operational impact to U.S. Central Command. CENTCOM will restore service to its Twitter and YouTube accounts as quickly as possible. We are viewing this purely as a case of cybervandalism.

In the meantime, our initial assessment is that no classified information was posted and that none of the information posted came from CENTCOM’s server or social media sites. Additionally, we are notifying appropriate DoD and law enforcement authorities about the potential release of personally identifiable information and will take appropriate steps to ensure any individuals potentially affected are notified as quickly as possible.

Precisely how the accounts were hacked isn’t clear. It’s possible that keylogging malware which infected Central Command’s social media team managed to grab their passwords or that a hack of a military computer revealed a document containing the passwords, but it’s perhaps more likely that a member of the team was phished or made the mistake of using an easy-to-guess password or reusing the same password on more than one site.

None of this would have allowed the hackers to gain access to the Twitter and YouTube accounts though if two factor authentication (2FA) had been enabled.

Twitter’s 2FA (known as login verification) requires users not only to give a username and password to connect to the site, but also to enter a one-time password which is either sent to them in an SMS message to their mobile phone or generated by a smartphone app like Google Authenticator.

The principle is that even if a hacker comes to learn your password, chances are that they don’t have access to your mobile phone and so will still not be able to access your account.

YouTube, like other Google services, also has two-factor authentication (although they call it two-step verification) which works in a similar way.

Frankly, you’re playing a dangerous game if you run social media accounts and aren’t using some form of 2FA to protect them – especially if the accounts represent an organisation or brand where reputational damage is possible.

by Graham Cluley, We Live Security

How was Microsoft Windows exploited in 2014?

Today, we published our research about Windows exploitation in 2014. This report contains interesting information about vulnerabilities in Microsoft Windows and Office patched over the course of the year, drive-by download attacks and mitigation techniques.

The report includes the following information.

  • Vulnerabilities discovered and patched in Microsoft Windows and Office.
  • Statistics about patched vulnerabilities and how they compare with 2013’s statistics.
  • Detailed descriptions of actual exploitation vectors.
  • Vulnerabilities that were exploited in the wild, including a specific table showing ASLR bypass vulnerabilities.
  • Exploitation methods and mitigation techniques for Microsoft’s Internet Explorer web browser (IE).

Last year we saw many exploits that were used for drive-by download attacks. Such attacks are used for silently installing malware. Our report contains detailed information about the nature of drive-by download attacks and how Internet Explorer was improved by Microsoft so that such attacks were mitigated by default.

In the first figure below you can see that Microsoft fixed most of the vulnerabilities in Internet Explorer. Almost all of them belong to the Remote Code Execution type, that is, they can be used to implement drive-by download attacks. This figure includes information about vulnerabilities in Internet Explorer, the Windows GUI subsystem driver, kernel mode drivers, .NET Framework, Windows user mode components and Office.


We can see that a great number of vulnerabilities in the Internet Explorer web browser were closed in 2014. Almost all of these were of the “Remote Code Execution” (RCE) type, meaning an attacker could execute code remotely in a vulnerable environment with the help of a specially crafted web page. Such a web page could contain special code, called an exploit, to trigger a specific vulnerability. Attackers usually use such exploits to silently install malware when they detect a vulnerable Windows version. This is an example of a drive-by download, and this is why we highlighted such exploitation as a major trend in attacks on Internet Explorer, as shown in the figure below:

Our report includes a specific section describing mitigation techniques that were introduced by Microsoft in the last year. This section covers Windows, Internet Explorer and the EMET tool. Such security features address several types of attack surface. For example, a feature introduced for IE called Out-of-date ActiveX control blocking is useful for blocking exploits that target vulnerabilities in old versions of Oracle’s Java plugin.

We also look at Local Privilege Escalation (LPE) attacks that are used by attackers for bypassing the browser’s sandbox or to run unauthorized code introduced by malware in kernel mode. In the last year Microsoft addressed a much smaller number of vulnerabilities for win32k.sys than it did in 2013. Unfortunately, today this driver is a major source of such vulnerabilities and often used by attackers.

Bitstamp hacked for $5 million in Bitcoin

19,000 Bitcoin – valued at around $275 each, so roughly $5 million together – have been stolen from a major European Bitcoin exchange, reports RT.

Bitstamp, a four-year-old company based in the UK and Slovenia, is described by the Financial Times as “the world’s third busiest Bitcoin exchange”. It immediately took action, halting withdrawals and advising customers not to make any deposits until operations return to normal. At the time of writing, the exchange is still down.

Bitstamp’s chief executive and co-founder Nejc Kodrič stated on Twitter that the majority of the exchange’s Bitcoin are held in ‘cold storage’ – meaning that they are on computers not connected to the internet to prevent cyberattacks.

CNN’s money channel describes the 19,000 Bitcoin as a “fraction of” the firm’s total reserves, and that all balances would be repaid in full.

In a statement issued on the Bitstamp website, the company explained that the website is down until they “transfer a secure backup of the Bitstamp site onto a new safe environment.”

“On January 4th, some of Bitstamp’s operational wallets were compromised, resulting in a loss of less than 19,000 BTC. Upon learning of the breach, we immediately notified all customers that they should no longer make deposits to previously issued bitcoin deposit addresses,” the company explained. “As an additional security measure, we suspended our systems while we fully investigate the incident and actively engage with law enforcement officials.”

The company went on to promise that the site will be online again “in the coming days”, and that customers can stay abreast of the situation through their Twitter account, and via their own customer support.
