{
	"id": "05c7643d-166d-47ec-85aa-beec2d5c13dc",
	"created_at": "2026-04-06T00:22:33.607456Z",
	"updated_at": "2026-04-10T03:31:40.476038Z",
	"deleted_at": null,
	"sha1_hash": "2dfd3e299eefcc1a25d3fabf42b1ee1fb266c833",
	"title": "Customer Care Giant TTEC Hit By Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 331483,
	"plain_text": "Customer Care Giant TTEC Hit By Ransomware\r\nPublished: 2021-09-24 · Archived: 2026-04-05 16:35:23 UTC\r\nTTEC, [NASDAQ: TTEC], a company used by some of the world’s largest brands to help manage customer\r\nsupport and sales online and over the phone, is dealing with disruptions from a network security incident resulting\r\nfrom a ransomware attack, KrebsOnSecurity has learned.\r\nWhile many companies have been laying off or furloughing workers in response to the Coronavirus pandemic,\r\nTTEC has been massively hiring. Formerly TeleTech Holdings Inc., Englewood, Co.-based TTEC now has nearly\r\n60,000 employees, most of whom work from home and answer customer support calls on behalf of a large number\r\nof name-brand companies, like Bank of America, Best Buy, Credit Karma, Dish Network, Kaiser\r\nPermanente, USAA and Verizon.\r\nOn Sept. 14, KrebsOnSecurity heard from a reader who passed on an internal message apparently sent by TTEC to\r\ncertain employees regarding the status of a widespread system outage that began on Sunday, Sept. 12.\r\n“We’re continuing to address the system outage impacting access to the network, applications and customer\r\nsupport,” reads an internal message sent by TTEC to certain employees.\r\nTTEC has not responded to requests for comment. A phone call placed to the media contact number listed on an\r\nAugust 2021 TTEC earnings release produced a message saying it was a non-working number.\r\n[Update, 6:20 p.m. ET: TTEC confirmed a ransomware attack. See the update at the end of this piece for their\r\nstatement]\r\nhttps://krebsonsecurity.com/2021/09/customer-care-giant-ttec-hit-by-ransomware/\r\nPage 1 of 3\n\nTTEC’s own message to employees suggests the company’s network may have been hit by the ransomware group\r\n“Ragnar Locker,” (or else by a rival ransomware gang pretending to be Ragnar). 
The message urged employees to\r\navoid clicking on a file that suddenly may have appeared in their Windows start menu called “!RA!G!N!A!R!”\r\n“DO NOT click on this file,” the notice read. “It’s a nuisance message file and we’re working on removing it from\r\nour systems.”\r\nRagnar Locker is an aggressive ransomware group that typically demands millions of dollars worth of\r\ncryptocurrency in ransom payments. In an announcement published on the group’s darknet leak site this week, the\r\ngroup threatened to publish the full data of victims who seek help from law enforcement and investigative\r\nagencies following a ransomware attack.\r\nOne of the messages texted to TTEC employees included a link to a Zoom videoconference line at ttec.zoom.us.\r\nClicking that link opened a Zoom session in which multiple TTEC employees who were sharing their screens took\r\nturns using the company’s Global Service Desk, an internal TTEC system for tracking customer support tickets.\r\nThe TTEC employees appear to be using the Zoom conference line to report the status of various customer\r\nsupport teams, most of which are reporting “unable to work” at the moment.\r\nFor example, TTEC’s Service Desk reports that hundreds of TTEC employees assigned to work with Bank of\r\nAmerica’s prepaid services are unable to work because they can’t remotely connect to TTEC’s customer service\r\ntools. More than 1,000 TTEC employees are currently unable to do their normal customer support work for\r\nVerizon, according to the Service Desk data. Hundreds of employees assigned to handle calls for Kaiser\r\nPermanente also are unable to work.\r\n“They’ve been radio silent all week except to notify employees to take another day off,” said the source who\r\npassed on the TTEC messages, who spoke to KrebsOnSecurity on condition of anonymity. “As far as I know, all\r\nlow-level employees have another day off today.”\r\nThe extent and severity of the incident at TTEC remains unknown. 
It is common for companies to disconnect\r\ncritical systems in the event of a network intrusion, as part of a larger effort to stop the badness from spreading\r\nelsewhere. Sometimes disconnecting everything actually does help, or at least helps to keep the attack from\r\nspreading to partner networks. But it is those same connections to partner companies that raise concern in the\r\ncase of TTEC’s ongoing outage.\r\nIn the meantime, if you’re unlucky enough to need to make a customer service call today, there’s a better-than-even chance you will experience….wait for it…longer-than-usual hold times.\r\nThis is a developing story. Further details or updates will be noted here with a date and time stamp.\r\nUpdate, 5:37 p.m. ET: TTEC responded with the following statement:\r\nTTEC is committed to cyber security, and to protecting the integrity of our clients’ systems and data.\r\nWe recently became aware of a cybersecurity incident that has affected certain TTEC systems.\r\nAlthough as a result of the incident, some of our data was encrypted and business activities at several\r\nfacilities have been temporarily disrupted, the company continues to serve its global clients. TTEC\r\nimmediately activated its information security incident response business continuity protocols, isolated\r\nthe systems involved, and took other appropriate measures to contain the incident. We are now in the\r\nprocess of carefully and deliberately restoring the systems that have been involved.\r\nWe also launched an investigation, typical under the circumstances, to determine the potential impacts.\r\nIn serving our clients TTEC, generally, does not maintain our clients’ data, and the investigation to date\r\nhas not identified compromise to clients’ data. That investigation is on-going and we will take\r\nadditional action, as appropriate, based on the investigation’s results. 
This is all the information we have\r\nto share until our investigation is complete.\r\nSource: https://krebsonsecurity.com/2021/09/customer-care-giant-ttec-hit-by-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://krebsonsecurity.com/2021/09/customer-care-giant-ttec-hit-by-ransomware/"
	],
	"report_names": [
		"customer-care-giant-ttec-hit-by-ransomware"
	],
	"threat_actors": [
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434953,
	"ts_updated_at": 1775791900,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2dfd3e299eefcc1a25d3fabf42b1ee1fb266c833.pdf",
		"text": "https://archive.orkl.eu/2dfd3e299eefcc1a25d3fabf42b1ee1fb266c833.txt",
		"img": "https://archive.orkl.eu/2dfd3e299eefcc1a25d3fabf42b1ee1fb266c833.jpg"
	}
}