The Limited Times


A group of hackers claims to have stolen information from Migrations and asks for a multi-million dollar ransom

2020-09-05T00:27:23.706Z


It is a well-known ransomware called NetWalker. The Interior Ministry has already filed a complaint over the episode and against the attackers for extortion. They are reportedly demanding about 76 million dollars.


John Brodersen

Pablo Javier Blanco

04/09/2020 - 21:05

  • Clarín.com

  • Technology

A ransomware attack known as NetWalker hijacked information from the National Migration Office (DNM) and threatens to publish information from the Ministry of the Interior if a multimillion-dollar payment is not made. There is talk of 76 million dollars. The deadline is next Wednesday.

"Like other ransomware, NetWalker publishes excerpts of the stolen data on a so-called 'leak site.' If the victim does not pay, all of the stolen data is published. In this case, it will happen in a period of 5-6 days," Brett Callow, a threat analyst at the cybersecurity company Emsisoft, who confirmed the attack, explained to Clarín.

The data published in this case was disseminated through a screenshot showing folders that refer to the Federal Intelligence Agency (AFI), consulates, embassies and reports on migratory flows. It also shows the period of time in which the information will be published.

The list of folders released by NetWalker from the National Directorate of Migration. Photo: NetWalker Blog

Sources from the Interior Ministry confirmed the computer incident to Clarín and said that they had already filed a criminal complaint over it, which is in the hands of Judge Sebastián Casanello.

As they explained, a virus entered the Migration system and, for security reasons, the system was disconnected to preserve the database. This left the five land border posts, the Ezeiza airport and the Buquebus terminal without a system for three hours, and closed during that period.

After the attack, a technical forensic examination was carried out and the operation was corroborated by checking against the database. From that operation, it was documented which computers were compromised, and everything was included in the criminal complaint that Casanello is now investigating.

In this context, this international hacker organization appeared asking for a multimillion-dollar ransom, and the court filing was expanded with this new information and the screenshots that now circulate on social networks. For that reason, the charge of extortion was added to the criminal action.

"Expertise tells us that it was not possible to access the database, but rather folders on different computers," explained official sources.

It is file 6853/2020, filed with the Specialized Cybercrime Fiscal Unit.


From what these screenshots show, the cybercriminals could have accessed files hosted on those computers about criminal intelligence and files on terrorists barred from entering the country, but "not sensitive information," they explain.

In the image posted by the cyber attackers, a screen with 22 folders with the following names is seen: "ABM", "AFI", "CAJA", "INTERPOL TRAINING", "CEDULA ARGENTINA", "CHINOS CORRIENTES", "CONSULATE OF COLOMBIA", "CONTRACTS", "DELEGATION BETWEEN RÍOS", "US EMBASSY", "EMBASSY OF MEXICO", "EMBASSY OF ROMANIA", "EMBASSY OF THE PHILIPPINES", "ESCANER_GRANDE", "INTERPOL MIGRATORY FLOW REPORT", "INTERNATIONAL INITIATIVE DE ACCELER ...", "MEMO 31-15 DATA RECOVERY", "MEMO 43-16 MOTA 37-15", "MEMO 281 - 15 AFRICAN", "MEMO 293-15", "MEMO 1461 - 2015".

The names of these files could point to information linked to the Federal Intelligence Agency (AFI), diplomatic information on various embassies, and even data from the international police organization Interpol.

In the Government they compare the attack with the one Telecom suffered last July. On July 19, Telecom suffered a ransomware attack that affected customer service systems. From Russia, the attackers had asked for a sum that was estimated at between 7.5 and 25 million dollars, but they were not successful. It was similar, in turn, to the massive account hacking that high-profile personalities suffered in the United States in mid-July.


In parallel, Migrations pointed out that it is now working with Computer Security to see what went wrong and how the hackers were able to breach the system.

In addition, because of what happened, the director of Information Security in charge of the unit, who had been in that position for 25 years, was dismissed.

Ransomware is a doubly dangerous threat because, in addition to blocking information, it copies it.

“Before, ransomware groups used to simply encrypt their victims' data, but since November last year they have been stealing it as well. The threat of releasing the data is then used as an additional lever to extort the payment,” explained the Emsisoft specialist.

Now data is stolen in more than 1 in 10 incidents.

Last Thursday, Migrations had publicly announced that it had managed to contain a computer attack. But in these attacks the intruders have access to information 56 days before the attack that encrypts the files is activated.

“During that previous period, the attackers may have already stolen information. By the time the organizations become aware of the incident, the information has already been stolen,” Callow details.

And that would be what happened in this case.

Migrations re-establishes its services



The National Directorate of Migration (DNM), dependent on the Ministry of the Interior, reports that it managed to contain an attempted cyberattack on the organization, which caused the fall of services, which are being gradually restored.

- Migrations (@Migraciones_AR) August 27, 2020

From some links on the NetWalker blog, the computer security specialist Javier Smaldone confirmed the hack to Clarín: "You can see a list of sites and there is Migrations: they were victims of NetWalker."

Although some ransomware can be unlocked, NetWalker is not one of them.

And that's why it's been so successful: the hacking group that uses it has managed to raise $25 million since March 2020.

On NetWalker: $25 million with extortion

NetWalker first appeared in August 2019. Its first name was “Mailto”, but it later adopted its current name.

According to the site ZDNet, an authority on computer security, NetWalker is a particular "strain" of this type of program that hijacks information.

Different gangs of hackers "apply" to use this ransomware through customized versions. NetWalker "purifies" these versions and distributes them among different groups of attackers so that they can "deploy" them (implement, release), that is, actually attack some entity.

And they operate even before the "deploy": “In these incidents, attackers have access to networks for an average of 56 days before deploying the ransomware that encrypts files, and this is the point at which organizations realize that they have been attacked,” Callow explains to Clarín.

“However, during those previous 56 days, the attackers could have already carried out various operations, including data theft. In other words, when organizations realize that they have been compromised and are under attack, their data no longer exists or was stolen,” he added.

For this reason, the scope of the attack on the National Directorate of Migration is not entirely clear; in its statements to Clarín, the agency acknowledged the incident but played it down.

NetWalker has a blog that can only be accessed through Deep Web browsers like Tor: there you can see all the active cases with their respective countdowns and the affected sites.

The NetWalker list. Photo: NetWalker Blog

What is ransomware

WannaCry, a famous ransomware that wreaked havoc in 2017. Photo Bloomberg

Ransomware is a blend word for "data ransom program." "Ransom" means a payment demanded for release, and "ware" is a shortening of the well-known word "software": a data hijacking program.

Ransomware is a subtype of malware, a blend of "malicious software." However, this type of virus works by restricting access to parts of our personal information, or all of it.

And generally, hackers exploit this to ask for something in return: money.

That is why among its favorite targets are large companies, governments and institutions.

While some simple ransomware can lock down the system in a simple way, the more advanced ones use a technique called “cryptoviral” extortion, in which the victim's files are encrypted, rendering them completely inaccessible.

In the first six months of 2020 alone, almost 400,000 more ransomware samples were detected than in the same period last year, according to the Threat Landscape Report. This means that its scope is very wide.

And, during the coronavirus pandemic, it was undoubtedly the star virus that hackers used the most.

PJB

Source: clarin
