The Limited Times

Deadline expired: cybercriminals published private information stolen from Migrations

2020-09-10T12:22:46.889Z


The attackers demanded a US$4 million ransom, which the government decided not to pay. The government has filed an extortion complaint, and a possible local accomplice is under investigation.


Juan Brodersen

Pablo Javier Blanco

09/10/2020 - 9:13


The deadline expired, the Government did not pay, and the group of cybercriminals that managed to deploy ransomware inside the National Directorate of Migration (DNM) published this morning the private information it stole on August 27 from that agency, which reports to the Ministry of the Interior, in an attack that left Argentina's border crossings cut off from the world for more than three hours.

At 9:12 a.m. the countdown ran out and the NetWalker group, as they call themselves, published the password for the archive of Migrations files, hosted on DropMeFiles.

The password, as if it were an ironic message in the middle of the legal standoff, was the most used and weakest on the planet: 123456.

The NetWalker site released the Migrations information.

The malware, NetWalker, thus got into the servers of the DNM system and copied an enormous amount of information that the Government describes as "sensitive but not critical."

Now, through that link, posted at an address on the dark web, the data is accessible to anyone.

"Like other ransomware, NetWalker publishes excerpts of the stolen data on a so-called 'leak site.' If the victim does not pay, all the stolen data is published," Brett Callow, a threat analyst at the cybersecurity company Emsisoft, explained to Clarín last Thursday, when it was confirmed that Migrations had been hit.

Although officials at the DNM are calm, because when the incident occurred they disconnected the entire system to stop it spreading, NetWalker, like other double-extortion ransomware, does not only encrypt information: it copies it out first.

In other words, the criminals hold a copy of whatever they managed to take, even though Migrations contained the encryption.

And there is another worrying fact: the data NetWalker exfiltrates can cover a period of up to 56 days before the "deploy", the moment the encryption is triggered and the victim detects the intrusion.

So it is not known whether Migrations has a complete picture of which information was copied.

"Do not try to recover your files without a decryptor program, you could damage them and leave them in unrecoverable condition. For us this is business and to prove our seriousness, we will decrypt a file for you at no cost. Open our site, upload the encrypted file and you will have the free decrypted file. Also, your information could have been stolen and if you do not cooperate with us, it will become publicly available on our blog," was the message left by the cybercriminals after the attack.

They also posted a "proof of life" of the hijacked data.

The image posted by the attackers shows a screen with 22 folders, with names including: "ABM", "AFI", "CAJA", "INTERPOL TRAINING", "CEDULA ARGENTINA", "CHINOS CORRIENTES", "CONSULADO DE COLOMBIA", "CONTRACTS", "ENTRE RÍOS DELEGATION", "US EMBASSY", "EMBASSY OF MEXICO", "EMBASSY OF ROMANIA", "EMBASSY OF THE PHILIPPINES", "ESCANER_GRANDE", "INTERPOL REPORT OF MIGRATORY FLOW", "INTERNATIONAL INITIATIVE FROM ACCELER ...", "MEMO 31-15 DATA RECOVERY", "MEMO 43-16 MOTA 37-15", "MEMO 281 - 15 AFRICANS", "MEMO 293-15", "MEMO 1461 - 2015".

At first they asked for US$2 million in ransom, but after a week the figure doubled to US$4 million.

At the Ministry of the Interior, headed by Eduardo "Wado" De Pedro, which oversees Migrations, officials reported the extortion to the courts and were blunt.

"Paying is out of the question," they told Clarín yesterday, confirming exclusively the government's refusal to transfer even a dollar to NetWalker.

The unprecedented nature of the attack, which the Government says is the first in the world against an agency of such high rank, meant the information came out in a trickle, and that caused confusion: at first it was reported that the group was demanding a US$76 million ransom, a staggering figure considering that the largest known demand with this kind of malware was US$42 million, made against a multimillion-dollar American law firm.

The attack against the National Government also raised another suspicion.

Was there a local accomplice behind the hack?

That is the hypothesis gaining ground in the Casa Rosada, where officials suggest the attack stems from a conflict of interest over the personal data that Migrations handles.

A person or organization went to NetWalker to hire its services and send a message.

"It is the idea of 'business units', in which this kind of deep-web portal is used to attack a targeted place. The request is posted, then the interested party teams up with outside hackers and the attack is carried out," official sources summarize.

In other words, they went looking for a cybercrime freelancer.

The government went to court and denounced what happened.

The complaint was assigned to Judge Sebastián Casanello.

The judge delegated the investigation to federal prosecutor Guillermo Marijuán, who in turn requested the help of the Specialized Cybercrime Prosecution Unit, headed by Horacio Azzolin.

The complaint states that the malware affected Windows files (mainly the Active Directory SYSVOL share and System Center Data Protection Manager) and Microsoft Office files (Word, Excel, etc.) on users' workstations and in shared folders. System Center DPM is Microsoft's backup product, so if the complaint is accurate the encryption reached the backup infrastructure itself, which is exactly what makes paying look like the only way back.
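Seen from the file server, encryption of shared folders looks like a single account rewriting an abnormal number of documents in a very short time, which is a signal a monitoring team can alert on long before anyone reads a ransom note. The detector below is an added example, not code from the article, from the DNM, or from any vendor; it reads constructed audit records in an assumed format ("<ISO timestamp> <user> <action> <path>"), and the extension list, window size and threshold are assumptions to be tuned per environment. It only catches the encryption phase; the exfiltration that the article says may precede it by up to 56 days needs network-side monitoring, not this.

```python
"""Burst detector for mass document modification on a Windows file share.

Added example (not from the article or the DNM). Audit-line format,
extension list, window and threshold are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Document types a ransomware run rewrites wholesale (assumed list).
OFFICE_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}

# Constructed share name for the sample log; not a real DNM path.
SHARE = r"\\fs01\Compartida"


def parse_line(line):
    """Split '<ISO timestamp> <user> <action> <path>' (assumed format);
    maxsplit=3 keeps paths that contain spaces intact."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


def detect_bursts(lines, window_s=60, threshold=20):
    """Return one (user, window_start, distinct_files) tuple per account
    that writes or renames more than `threshold` distinct Office documents
    inside any sliding window of `window_s` seconds."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # user -> deque of (timestamp, path)
    alerted = set()
    alerts = []
    for line in sorted(lines):    # audit exports are not always ordered
        ts, user, action, path = parse_line(line)
        if action not in ("WRITE", "RENAME"):
            continue
        ext = path[path.rfind("."):].lower() if "." in path else ""
        if ext not in OFFICE_EXT:
            continue
        q = recent[user]
        q.append((ts, path))
        # drop events that fell out of the sliding window
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > threshold and user not in alerted:
            alerted.add(user)          # one alert per account
            alerts.append((user, q[0][0], len(distinct)))
    return alerts


def sample_log():
    """Constructed audit lines: a clerk saving three documents over an hour
    (benign) and a service account rewriting 25 documents in 25 seconds."""
    base = datetime(2020, 8, 27, 3, 0, 0)
    lines = []
    for i, name in enumerate(["memo.docx", "caja.xlsx", "contrato.doc"]):
        ts = (base + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{ts} clerk1 WRITE {SHARE}\\{name}")
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} svc_backup WRITE {SHARE}\\doc{i}.docx")
    return lines


if __name__ == "__main__":
    for user, start, count in detect_bursts(sample_log()):
        print(f"ALERT {user}: {count} distinct documents rewritten "
              f"in one window starting {start.isoformat()}")
```

The alert fires on the 21st distinct document, not after the run finishes, which is the point: an account that can be disabled at that moment has encrypted a few dozen files rather than a whole share. Renames are counted alongside writes because many families rename as they encrypt; a second rule on new files with an unknown extension appearing in every folder would complement this one.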

One sensitive area suffered more than the others: the Integrated Migration Capture System (SiCaM), used at international border crossings to detect whether people wanted by the courts are trying to enter or leave Argentina.

The agency accused the group of four crimes: extortion, for the demand that it buy a program to decrypt the stolen documents; aggravated damage, for the disruption at the border crossings; illegitimate access to a computer system with restricted access, for the intrusion into the DNM network; and illegitimate access to a personal data bank, for the alleged theft and encryption of files.

They classified it as a crime against Public Security, but stressed that no sensitive information was stolen.

The attack

Last Thursday, Clarín confirmed with Interior Ministry sources that the ransomware was active.

Although attacks on governments and public institutions are common, one thing sets this one apart: there is no record of ransomware that has managed to halt a country's border operations.

Migrations disconnected the system as a precaution, to preserve the database.

This meant that for three hours the five land border posts, Ezeiza airport and the Buquebus terminal had no system and stayed closed for that period.

No one was allowed to enter or leave the country during those hours, and that was NetWalker's doing.

Although some ransomware families can be unlocked with a free decryptor, NetWalker is not one of them.

And that is part of why it has been so successful: the group that uses it has taken in US$25 million since March 2020.

Netwalker, a prolific extortion business

NetWalker is the name of a ransomware strain, malware that gets into computers and systems to "take" information and encrypt it.

If the victim has no backup, the only way to recover the information is to pay, and even then recovery is not guaranteed.

One group of cybercriminals uses NetWalker with notable success: it has already taken in at least US$25 million so far in 2020, according to the computer security company McAfee.

According to a report McAfee published last Thursday, NetWalker is wreaking havoc: "McAfee Advanced Threat Research (ATR) discovered a large number of Bitcoins linked to NetWalker, suggesting that its extortion efforts are effective and that many victims have had no other option than succumbing to their criminal demands," the report says.

Source: clarin
