The Limited Times

Now you can see non-English news...

LockBit published the data stolen from La Segunda: there are judicial files, expert reports and medical data


The ransomware group encrypted the insurer's systems and exposed 52 GB. It affected systems and operations.


, one of the largest ransomware groups in the world, published sensitive information from the Rosario insurance company

La Segunda

: there are judicial files, expert reports and sensitive medical data of affiliates, among others.

Ransomware is a type of malicious program -malware- that

encrypts information

from other people's systems to demand a ransom in exchange.

Once deposited, negotiations begin to agree a payment and return the data.

If the victim does not pay, the information is exposed on the dark web.

In this way, it is the second Argentine company encrypted under this modality and exposed by LockBit so far in 2023: two weeks ago, the Albanesi Group, the country's main gas trader, fell victim to this group.

Although the figure to return the stolen information is not public, one of the trading options was being offered for

$5 million


The attack had happened in the middle of last month, but it was known by LockBit last week to put pressure on it.

The criminal group already has a history in our country, adding among its victims Ingenio Ledesma and the prepaid company Osde, with a balance of leaked sensitive and internal medical data from the company.

This time he managed to encrypt La Segunda, which has about

1,300 employees

and offers insurance services of all kinds: cars, homes, accidents, retirement, claims and civil liability, among others.

LockBit published the information from La Segunda.

Photo LockBit Blog

The group debuted a new method for exposing the data, called


: “It is a tool for creating easily accessible and interactive web directory listings.

It is the first time that LockBit uses this new system on an Argentine victim," Mauro Eldritch, a threat analyst,


Clarín .

The data,

inferred from the titles of the files published

 on the panel, confirm the crime of theft and exposure of private information: “In total, there are at least

13 machines infected by ransomware


The affected areas are, at least, legal, labor and administrative medicine”, adds the expert.

“Within the legal there are

judicial files, complaints and expertise;

 As far as occupational medicine is concerned, there is information on ARTs,

medical and psychological diagnoses

, COVID-19 reports, laboratory reports, PCR results, imaging diagnoses -x-rays and MRIs-, medical claims,

clinical histories

and audiometry," he adds.

Regarding administration, the expert warns that there are "

contracts, payment vouchers

, tax receipts and payments (VEPs and others), insurance policies,


, personal and vehicle documents,


and resumes."

The Second's response

The company issued a statement that only circulated in the media, reproduced by some local sites in Rosario.

As of today,

there is no information on their social networks

about the event to communicate it to their associates.


We did not receive any email

or notice of this attack, the last one I have is one to adhere to the digital policy and nothing else," a client complained in dialogue with Clarín.

In addition, when he wanted to enter his account,

he bounced even entering the correct login information and he could not change his password

to recover his access.

Just this Thursday afternoon a sign appeared to associates who, when trying to log in, bounced:

The error displayed by La Segunda only appeared at the end of this week.

Photo App The Second

In that press release, the company acknowledged the ransomware attack: "La Segunda Seguros reports that it has been the object of a ransomware computer attack of an


nature on part of its systems."

As they explained, they activated a


as is common in these cases: “We have immediately put our

security protocols

into operation to normalize the situation and investigate its causes.

To guarantee the protection of information and ensure service to our clients, we have added the support of renowned national and international cybersecurity consultants”.

In addition, they recognized "delays or inconveniences" in their digital channels of operation.

Various workers at the plant

also registered these problems

in the internal systems in order to be able to work.

On the other hand, a company source who asked not to be identified downplayed the value of the published data: "We do not minimize the fact, although they are

isolated files

with images that were taken from some collaborators' PCs and we understand that they do not represent a economic risk or to the safety of people," he said.

"What's more, they are documents of

daily use

that are not only on our computers, but also circulate and are housed in the computer equipment of professionals, service providers, companies and a wide range of other actors involved in the activity," he added, on the published data.

The amount of information, however, is considerable:

there are 52 GB

divided into 12 folders, each one with more subfolders and files of all kinds of extensions (zip, doc, pdf, jpg, rar, etc.).

All this with the particularity that, by using this new Snap2HTML system, you can navigate in its entirety from a browser like Tor Browser.

LockBit's new navigation system, Snap2HTML.

Photo LockBit

Finally, La Segunda assures in the statement the "conviction of not giving in to illegal requests", which may explain the

drop in negotiations

with LockBit and subsequent exposure of the data.

LockBit, very active in 2023

The group of cybercriminals that encrypted La Segunda is one of the most prolific in the world.

In our country, several victims were claimed last year, led by



Ingenio Ledesma


2023 started with

Grupo Albanesi

and now La Segunda.

The group first appeared in September 2019 and, according to Kela data, had a stranglehold on the cybercrime scene in 2022, accounting for

28.57% of ransomware attacks.

LockBit is focused on what is known in the environment as

"Big Game Hunting"

, that is, "hunting" large targets, with good economic positions, which can be companies or governments.

Before encrypting, they study everything: how much they invoice, number of employees and if they are listed on the stock market.

Largest ransomware groups in the world.

Photo Kela Research

The system through which they attack is what is known as


, this is Ransomware As a Service (as a service), which works with "affiliates".

LockBit has been relaunched as LockBit 2.0, along with an updated affiliate program.

This was intended to attract former members of other groups such as REvil, who even ended up behind bars.

“The gangs that have this modality put their malicious code up for sale.

This is generally through the

dark web

: there they sell their encryption program and look for someone to deploy it," Arturo Torres, Intelligence Strategist against Threats for FortiGuard Labs for Latin America and the Caribbean, describes to Clarín.


partner or affiliate

can be an employee of the attacked company, or someone who bought the service to deposit it with a victim, because they have privileged access," he adds.

"When ransomware is deployed and a company is infected,

extortion and negotiation

start. That's when the gang starts to interact. After negotiating, the profits are shared between the creator of the malicious code, that is, the cybercriminal group, and their affiliates", adds the Fortinet expert. LockBit is known for giving

20% ​​of the economic benefit

to its partners.

Some of the companies and organizations encrypted this year.

Photo LockBit

It is often difficult to detect where ransomware entered a computer: it could be due to the negligence of someone working for the company (


, for example) or, in some cases, deliberately.

This week, for example, the LastPass key manager acknowledged that the security breach it suffered was due to a case of

stolen credentials

from a company engineer.

LockBit released its latest version a few weeks ago, known as

LockBit Green

, based

on the code of Conti (a now disbanded band)


The criminal organization is permanently updated.

Their extortion practices are accompanied by a robust source code: "They have layers and layers and layers of what we call packers, that is, custom encryption," Derek Manky, Fortinet's head of threat analysis, had explained to Clarín.

"My best analysts can work on a trivial piece of malware, like a trojan or something that isn't encrypted, and they can write a full report in 24 hours, with lots of details. With LockBit it can take up to 2 weeks of work, because that's a lot of work


" hours to review everything”, graphed the expert.

Some ransomware groups have been caught, however.

At the beginning of last year, REvil

, a Russian group that is on trial,

fell .

And at the end of January, the FBI, together with other international security forces, dismantled Hive, another group that was awarded some 1,500 entities in 80 countries, although without detainees.

The practice is spreading and Argentina is no exception: Fortinet detected 200% more attacks from 2021 to 2022 in the country, while the Latin American and Caribbean region suffered more than 360 billion attempted cyberattacks


The response to incidents ends up marking each case: how they recover and, above all,

how they communicate (or not) to those affected.


look also

Cyberattacks in Argentina grow 200%: a report revealed more than 10 million in 2022

LockBit adds another Argentine company among its ransomware victims: Grupo Albanesi

Source: clarin

All tech articles on 2023-03-03

You may like

Trends 24h


© Communities 2019 - Privacy

The information on this site is from external sources that are not under our control.
The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.