December 10, 2020

Payment card processing giant TSYS suffered a ransomware attack earlier this month. Since then reams of data stolen from the company have been posted online, with the attackers promising to publish more in the coming days. But the company says the malware did not jeopardize card data, and that the incident was limited to administrative areas of its business.

Headquartered in Columbus, Ga., Total System Services Inc. (TSYS) is the third-largest third-party payment processor for financial institutions in North America, and a major processor in Europe.

TSYS provides payment processing services, merchant services and other payment solutions, including prepaid debit cards and payroll cards. In 2019, TSYS was acquired by financial services firm Global Payments Inc. [NYSE:GPN].

On December 8, the cybercriminal gang responsible for deploying the Conti ransomware strain (also known as “Ryuk“) published more than 10 gigabytes of data that it claimed to have removed from TSYS’s networks.

Conti is one of several cybercriminal groups that maintains a blog which publishes data stolen from victims in a bid to force the negotiation of ransom payments. The gang claims the data published so far represents just 15 percent of the information it offloaded from TSYS before detonating its ransomware inside the company.

In a written response to requests for comment, TSYS said the attack did not affect systems that handle payment card processing.

“We experienced a ransomware attack involving systems that support certain corporate back office functions of a legacy TSYS merchant business,” TSYS said. “We immediately contained the suspicious activity and the business is operating normally.”

According to Conti, the “legacy” TSYS business unit hit was Cayan, an entity acquired by TSYS in 2018 that enables payments in physical stores and mobile locations, as well as e-commerce.

Conti claims prepaid card data was compromised, but TSYS says this is not the case.

“Transaction processing is conducted on separate systems, has continued without interruption and no card data was impacted,” the statement continued. “We regret any inconvenience this issue may have caused. This matter is immaterial to the company.”

TSYS declined to say whether it paid any ransom. But according to Fabian Wosar, chief technology officer at computer security firm Emsisoft, Conti typically only publishes data from victims that refuse to negotiate a ransom payment.

Some ransomware groups have shifted to demanding two separate ransom payments; one to secure a digital key that unlocks access to servers and computers held hostage by the ransomware, and a second in return for a promise not to publish or sell any stolen data. However, Conti so far has not adopted the latter tactic, Wosar said.

“Conti almost always does steal data, but we haven’t seen them negotiating for leaks and keys separately,” he explained. “For the negotiations we have seen it has always been one price for everything (keys, deletion of data, no leaks etc.).”

According to a report released last month by the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium aimed at fighting cyber threats, the banking industry remains a primary target of ransomware groups. FS-ISAC said at least eight financial institutions were hit with ransomware attacks in the previous four months. The report notes that by a wide margin, Ryuk continues to be the most prolific ransomware threat targeting financial services firms.


19 thoughts on “Payment Processing Giant TSYS: Ransomware Incident “Immaterial” to Company

  1. Mike Cook

    Brian: Have you examined any of the information Conti has released to confirm or contradict TSYS’s statements?

    Thank you.

  2. JCitizen

    Well that’s some chutzpah!

    “Immaterial” –

    First new excuse I’ve ever heard for an attack response!!

    1. People

      World are wise enough now days that we dont belive just anything but upon proof.
      People getting wise everyday

      1. Ol' Farty

        They’re making a specific claim. Address it specifically.

        Their more critical ‘entire’ db’s were not compromised, just some marketing subset, according to them. Do we have reason to not believe that is the case, or that this would be a useful lie should the thieves post further data? It’s very debunkable.

        There’s an easy trend to pretending everyone is always lying.
        In the Trump era. Somehow. For some reason… ses.

        1. Ol' Farty

          “Conti typically only publishes data from victims that refuse to negotiate a ransom payment.” Then again, still guessing.
          Until someone looks externally, which I would assume happens.

        2. Pete

          Well, there are two sides to every coin. Your side which continues to be lead to the slaughter, and ours that has had the long term scales of corruption be removed. You blame President Trump and we thank him.

  3. Im5th

    Im 5th here….
    Btw… How we know they payed for ransome?
    Maybe they try to hide their money I definately would send FBI IN the company to do some employes Investigation… definately

  4. Charlie

    Is it really “targeting” financial services if other verticals, including healthcare, are sent Ryuk campaigns too? I just feel that Ryuk is so widespread, it hits everyone the most as far as ransomware goes, including FIs. More a question of semantics, but I’ve always been careful with using the term “targeted”. Curious what Brian thinks!

  5. John

    It is reported that Dominion Voting Systems uses SolarWinds products. But, hey, this was the MOST SECURE ELECTION EVER! Krebs says so. It MUST be true!

    1. Me

      Oh so those “usb ports” being passed around “like vials of heroin” had malicious versions of SolarWinds on them.. got it!

    2. Dan B.

      1 for 59 in court. It would be hilarious if it wasn’t so pathetic and embarrassing.

  6. alaskasworld

    Did you have a fix on this issue? I have the same problem with Facing same issue but no response from anyone and couldnt find this topic troubleshooting in google.

Comments are closed.