Argentina’s official immigration agency, Dirección Nacional de Migraciones, was hit by a Netwalker ransomware attack that caused the interruption of the border crossing into and out of the country for four hours.
The ransomware operators also exfiltrated sensitive data from the agencies as reported by local media.
“A group of hackers entered the database of the National Directorate of Migration in the middle of the coronavirus pandemic, stole information and asks for a millionaire ransom to return the files , according to the body itself through its attorney, María Eugenia Lachalde” reported Infobae.
According to a criminal complaint published by Argentina’s Unidad Fiscal Especializada en Ciberdelincuencia, the agency started receiving numerous tech support calls from checkpoints at approximately 7 AM on August 27th.
In response to the infection, Argentina’s official immigration agency shut down its network to prevent the ransomware from spreading to other systems.
“Being approximately 7 a.m. of the day indicated in the paragraph above, the Directorate of Technology and Communications under the Directorate General Information Systems and Technologies of this Organization received numerous calls from various checkpoints requesting technical support.” reads the criminal complaint.
“This realized that it was not an ordinary situation, so it was evaluated the situation of the infrastructure of the Central Data Center and Servers Distributed, noting activity of a virus that had affected the systems MS Windows based files (ADAD SYSVOL and SYSTEM CENTER DPM mainly) and Microsoft Office files (Word, Excel, etc.) existing in users’ jobs and shared folders,”
The shut down of the network led to a temporary suspension of border crossings for four hours.
“The National Directorate of Migration (DNM), dependent on the Ministry of the Interior, reports that it managed to contain an attempted cyberattack on the body, which caused the fall of services, which are being gradually restored.” reads the advisory published by the National Directorate of Migration (DNM).
“The Integral System of Migratory Capture (SICaM) that operates in the international crossings was particularly affected, which caused delays in the entry and exit to the national territory.”
Government sources confirmed that they will not pay the ransom and will not negotiate with Netwalker ransomware operators which demand a $4 million ransom.
According to BleepingComputer, Netwalker ransomware operators initially demanded a $2 million ransom, the amount doubled after seven days passed.
Recently the FBI has issued a security alert about Netwalker ransomware attacks targeting U.S. and foreign government organizations.
The feds are recommending victims, not to pay the ransom and reporting incidents to their local FBI field offices.
The flash alert also includes indicators of compromise for the Netwalker ransomware along with mitigations.
The Netwalker ransomware operators have been very active since March and also took advantage of the ongoing COVID-19 outbreak to target organizations.
The threat actors initially leveraged phishing emails delivering a Visual Basic Scripting (VBS) loader, but since April 2020, Netwalker ransomware operators began exploiting vulnerable Virtual Private Network (VPN) appliances, user interface components in web apps, or weak passwords of Remote Desktop Protocol connections to gain access to their victims’ networks.
Recently the Netwalker ransomware operators were looking for new collaborators that can provide them with access to large enterprise networks.
Below the recommended mitigations provided by the FBI:
(SecurityAffairs – hacking, Netwalker ransomware)