PrimeXM explains how it dealt with ransomware attack

Rick Steves

The FX technology provider has shared the sequence of events in regard to the attack on parts of its hosting infrastructure.

PrimeXM has confirmed parts of its hosting infrastructure were attacked last Thursday, December 9, and less than 3% of Hosted Clients experienced any impact on their trading operations.

The FX technology provider refused to negotiate with the attackers nor has met any of their demands, the firm said in an official statement.

Threat has been dealt with

The provider of FX aggregation software, ultra-low-latency connectivity, institutional grade hosting solutions, MT4/MT5 Bridging and White Labels experienced its most vulnerable moment to date.

The firm says it has been able to handle the threat and promises to continue to provide updates ASAP and always remain transparent about it.

According to PrimeXM, the security of its internal systems, including XCore trading infrastructure, was not compromised or suffered any interruptions at any point.

“Finally, we want to sincerely apologize for any inconvenience this event might have caused to our customers. We will continue to increase in-house expertise and work closely with our Cybersecurity partners to improve the security of our hosted systems.”

Sequence of events

Below is the sequence of events in regards to the recent attack:

Thursday 18:50: A client reports inability to restart his MT5 History Server.

Thursday 20:40: A client reports that a ransomware attack on his server has been blocked by his antivirus.

Thursday 22:10: Several clients report switching to their failovers after experiencing issues with their primary MT4/5 servers after EOD restart.

Thursday 22:40: PrimeXM Support escalates to PrimeXM Networks for further investigation.

Thursday 22:50: PrimeXM Network escalates to PrimeXM Systems for further investigation.

Thursday 23:00: PrimeXM Systems investigates and identifies a ransomware attack by Atom Silo.

Thursday 23:15: PrimeXM Systems deploys a decryptor tool from AVAST to affected clients with decryption success rates between 5-20%.

Friday 00:15: PrimeXM Systems identifies the attack has spread to wider parts of PrimeXMs hosting infrastructure and escalates to management.

Friday 01:30: PrimeXM identifies that the attack can only disrupt client’s live trading by encrypting essential files if the MT4/5 servers are stopped or during restart.

Friday 02:30: PrimeXM issues a statement to all clients informing them of the ongoing attack. PrimeXM advises clients not to restart their MT4/5 servers and to verify their failover infrastructure is operational.

Friday 02:40: PrimeXM attempts to engage with various third party cybersecurity firms.

Friday 05:45: PrimeXM establishes a channel of communication to a Forensic and Malware Analyst who developed the core algorithm of AVASTs decryptor tool.

Friday 06:10: PrimeXM establishes a channel of communication to the cybersecurity firm, QSecure.

Friday 06:40: QSecure engages Deloitte Cyber Forensics.

Friday 08:00: PrimeXM calls clients and continues to do so throughout the day to ensure they are aware of the statement sent earlier around 02:30.

Friday 08:00: PrimeXM identifies and disables the entry point of the attacker. The entry point was a compromised web interface of the monitoring system ZABBIX.

Friday 10:30: QSecure in collaboration with Deloitte Cyber Forensics join PrimeXM engineers onsite and begin work on analyzing the ransomware itself as well as the attack.

Friday 14:30: Preliminary evidence gathered by the forensic teams by analysing the ransomware as well as network activity does not suggest there was either a data breach or backdoor present.

Friday 18:20: PrimeXM and QSecure start collaborating with the Forensic and Malware Analyst and provide data to improve the success rate of the decryption algorithm.

Saturday 00:30: PrimeXM advises clients to switch to their MT4/5 failover Infrastructure.  For clients hosting their failover with PrimeXM, PrimeXM provides assistance and new servers to migrate to.

Saturday 06:00: PrimeXM reaches out to clients to commence the migration of MT4/5 failovers.Failover migration continues through Saturday and Sunday.

Saturday 07:30: PrimeXM receives an updated version of the decryption algorithm.

Saturday 08:00: PrimeXM receives the source code of the decryption algorithm.

Sunday 17:00: QSecure and Deloitte Cyber Forensics confirm that based on their evidence there was no data breach or backdoor present in the malware.

Sunday 18:00: PrimeXM improved the decryption algorithm and added brute force capabilities now reaching decryption rates of close to 100%. PrimeXM assists clients to decrypt files.

Read this next

Fintech, Uncategorized

BitMEX integrates HALO from Solidus Labs for cross-market surveillance

““The recent approval of the Spot Bitcoin ETF has piqued the market’s interest. As a result of price volatility, the trading volumes for crypto derivatives have gone up substantially. HALO, with its advanced technology and crypto-native detection architecture, will enable BitMEX to smoothly and safely scale trade surveillance across its increased trading volumes and provide the necessary safeguards for new product launches.”

Industry News

Horizon Software rebrands to Horizon Trading Solutions

“Horizon Trading Solutions has seen accelerated global growth over the past year to meet the rising demand for our trading solutions and built-for-purpose technology offering. The choice to rebrand represents a key part of this development, while maintaining our heritage and history in the industry.”

Market News

USDJPY has surged to levels last witnessed in 2022. Should we consider opening a short position?

The recent resurgence of the US dollar has propelled USD/JPY to new heights, touching levels not seen since 2022. This surge comes against the backdrop of stable short-term yields and ongoing economic data that fails to signal a significant slowdown, prompting questions about the extent of current monetary easing measures.

Digital Assets

DED Trends on Twitter After Memecoin Snapshot Announcement

Polkadot-backed community coin #DED, made it to the trending charts on X, demonstrating community’s engagement and interest behind the memecoin. 

Digital Assets

BlockDAG Presale Nears $10 Million Amid Toncoin’s Momentum, Green Bitcoin’s Presale, and the Rise of Other Top Cryptos

This article will examine three top trending topics: Toncoin’s potential, Green Bitcoin’s innovative presale, and BlockDAG’s sustainable mining approach. These cryptocurrencies take centre stage for their uniqueness and innovation.

Digital Assets

Coinbase scores minor victory vs SEC, but lawsuit to proceed

A federal judge in Manhattan, U.S. District Judge Katherine Polk Failla, ruled on Wednesday that the U.S. Securities and Exchange Commission’s (SEC) lawsuit against Coinbase can largely proceed.

Web3

COTI Teams Up with Civic for Enhanced Digital Identity Control

СOTI and Civic are teaming up to enhance digital identity security in Web3, aiming to provide users with more control over their digital selves through innovative technology.

Digital Assets

BlockDAG Takes on Chainlink (LINK) Crypto, and RON With DeFi Card and 5000x Profit Potential

Explore BlockDAG’s innovative DeFi card, which transforms cryptocurrency into spendable cash, alongside Chainlink (LINK) crypto and Ronin’s advancements.

Digital Assets

Court finally decides on Sam Bankman-Fried sentence, experts predict 20 years

Sam Bankman-Fried, the former CEO of the now-defunct cryptocurrency exchange FTX, is set to face sentencing on Thursday in a pivotal moment that could see the entrepreneur beginning a lengthy period in federal prison.

<