Egyptian E-Payment Vendor Recovering From LockBit Ransomware Attack

The LockBit 3.0 ransomware group successfully encrypted files and also allegedly exfiltrated data from Egyptian e-payment provider Fawry.

Word of the breach went public when LockBit published on its dedicated leak site on Nov. 8 a sample of data that was allegedly stolen during the breach of Fawry’s infrastructure. The following day, cybersecurity monitoring platform Hackmanac claimed that the LockBit 3.0 ransomware attack had extracted the personal details of Fawry customers, leading to multiple banks advising customers to remove their account information from Fawry’s platform. 

Hit Files and Data

In a statement this week about the attack, Fawry said: “Fawry remains confident that this data will not impact financial transactions on its platform, but the company believes it may have included the personal details of some customers whose information had been on the testing platform as part of a system migration project.” It also confirmed that some of the leaked details include addresses, phone numbers, and dates of birth.

Group-IB was called in to investigate the incident on Nov. 9, and over three days, it deployed “proprietary advanced cybersecurity solutions across 100% of Fawry’s server infrastructure,” declaring the production and testing environments to be “clean as of Nov. 23 of LockBit presence.”

Anurag Gurtu, CPO and co-founder of StrikeReady, says the Fawry cyberattack is notable for several reasons, including that the breach occurred in an isolated part of Fawry’s network.

He describes Fawry’s response to the breach as “proactive” given that it employed a cybersecurity firm to investigate the attack. Gurtu recommends that other financial services entities consider the impact of this incident, and for them to take “precautionary measures to protect against potential data misuse.”

However, Sumatra Sarkar, associate professor at the School of Management at Binghamton State University of New York, criticized Group-IB and Fawry for the “limited information” released, making it “challenging to assess the adequacy of the response to the incident.”