The Limited Times


LockBit published the data stolen from La Segunda: there are judicial files, expert reports and medical data

2023-03-03T12:17:13.360Z


The ransomware group encrypted the insurer's systems and exposed 52 GB. It affected systems and operations.


LockBit, one of the largest ransomware groups in the world, published sensitive information from the Rosario insurance company La Segunda: there are judicial files, expert reports and sensitive medical data of affiliates, among others.

Ransomware is a type of malicious program (malware) that encrypts information on other people's systems in order to demand a ransom in exchange. Once it has been deployed, negotiations begin to agree on a payment and the return of the data. If the victim does not pay, the information is exposed on the dark web.

This makes La Segunda the second Argentine company encrypted in this way and exposed by LockBit so far in 2023: two weeks ago, the Albanesi Group, the country's main gas trader, fell victim to this group.

Although the amount demanded for returning the stolen information is not public, one of the negotiation options was being offered for $5 million.

The attack happened in the middle of last month, but LockBit made it public last week to put pressure on the company.

The criminal group already has a history in our country: its victims include Ingenio Ledesma and the prepaid company Osde, with sensitive medical data and internal company data leaked as a result.

This time it managed to encrypt La Segunda, which has about 1,300 employees and offers insurance services of all kinds: cars, homes, accidents, retirement, claims and civil liability, among others.

LockBit published the information from La Segunda. Photo: LockBit Blog

The group debuted a new method for exposing the data, called Snap2HTML: “It is a tool for creating easily accessible and interactive web directory listings. It is the first time that LockBit uses this new system on an Argentine victim,” Mauro Eldritch, a threat analyst, told Clarín.

The data, inferred from the titles of the files published on the panel, confirm the crime of theft and exposure of private information: “In total, there are at least 13 machines infected by ransomware. The affected areas are, at least, legal, occupational medicine and administration,” adds the expert.

“Within legal there are judicial files, complaints and expert reports; as far as occupational medicine is concerned, there is information on ARTs, medical and psychological diagnoses, COVID-19 reports, laboratory reports, PCR results, imaging diagnoses (x-rays and MRIs), medical claims, clinical histories and audiometry,” he adds.

Regarding administration, the expert warns that there are "contracts, payment vouchers, tax receipts and payments (VEPs and others), insurance policies, affidavits, personal and vehicle documents, DNIs and resumes."

La Segunda's response

The company issued a statement that only circulated in the media, reproduced by some local sites in Rosario.

As of today, there is no information about the incident on its social networks to inform its associates.

"We did not receive any email or notice of this attack, the last one I have is one to adhere to the digital policy and nothing else," a client complained in dialogue with Clarín.

In addition, when he tried to log in to his account, he was rejected even with the correct login information, and he could not change his password to recover his access.

Only this Thursday afternoon did a notice appear for associates who were rejected when trying to log in:

The error displayed by La Segunda only appeared at the end of this week. Photo: La Segunda app

In that press release, the company acknowledged the ransomware attack: "La Segunda Seguros reports that it has been the object of a ransomware computer attack of an extortion nature on part of its systems."

As they explained, they activated a protocol, as is common in these cases: “We have immediately put our security protocols into operation to normalize the situation and investigate its causes. To guarantee the protection of information and ensure service to our clients, we have added the support of renowned national and international cybersecurity consultants.”

In addition, they acknowledged "delays or inconveniences" in their digital channels of operation.

Several of the company's staff also reported these problems in the internal systems they need in order to work.

On the other hand, a company source who asked not to be identified downplayed the value of the published data: "We do not minimize the fact, although they are isolated files with images that were taken from some collaborators' PCs and we understand that they do not represent an economic risk or a risk to the safety of people," he said.

"What's more, they are documents of daily use that are not only on our computers, but also circulate and are housed in the computer equipment of professionals, service providers, companies and a wide range of other actors involved in the activity," he added, on the published data.

The amount of information, however, is considerable: there are 52 GB divided into 12 folders, each one with more subfolders and files with all kinds of extensions (zip, doc, pdf, jpg, rar, etc.).

A further particularity is that, because it uses this new Snap2HTML system, the whole set can be navigated from a browser such as Tor Browser.

LockBit's new navigation system, Snap2HTML. Photo: LockBit

Finally, in the statement La Segunda affirms its "conviction of not giving in to illegal requests", which may explain the breakdown in negotiations with LockBit and the subsequent exposure of the data.

LockBit, very active in 2023

The group of cybercriminals that encrypted La Segunda is one of the most prolific in the world. In our country, several victims were claimed last year, led by Osde and Ingenio Ledesma. 2023 started with Grupo Albanesi and now La Segunda.

The group first appeared in September 2019 and, according to Kela data, dominated the cybercrime scene in 2022, accounting for 28.57% of ransomware attacks.

LockBit is focused on what is known in the field as "Big Game Hunting", that is, "hunting" large targets in good economic positions, which can be companies or governments. Before encrypting, they study everything: how much the target invoices, its number of employees and whether it is listed on the stock market.

Largest ransomware groups in the world. Photo: Kela Research

The system through which they attack is what is known as RaaS, that is, Ransomware as a Service, which works with "affiliates".

LockBit has been relaunched as LockBit 2.0, along with an updated affiliate program.

This was intended to attract former members of other groups such as REvil, who even ended up behind bars.

“The gangs that have this modality put their malicious code up for sale. This is generally through the dark web: there they sell their encryption program and look for someone to deploy it,” Arturo Torres, Intelligence Strategist against Threats for FortiGuard Labs for Latin America and the Caribbean, describes to Clarín.

"The partner or affiliate can be an employee of the attacked company, or someone who bought the service to deposit it with a victim, because they have privileged access," he adds.

"When ransomware is deployed and a company is infected, extortion and negotiation start. That's when the gang starts to interact. After negotiating, the profits are shared between the creator of the malicious code, that is, the cybercriminal group, and their affiliates," adds the Fortinet expert. LockBit is known for giving 20% of the economic benefit to its partners.

Some of the companies and organizations encrypted this year. Photo: LockBit

It is often difficult to detect how ransomware got into a computer: it could be due to the negligence of someone working for the company (phishing, for example) or, in some cases, a deliberate act.

This week, for example, the password manager LastPass acknowledged that the security breach it suffered was due to a case of stolen credentials from a company engineer.

LockBit released its latest version a few weeks ago, known as LockBit Green, based on the code of Conti (a now-disbanded gang).

The criminal organization is constantly updating itself.

Their extortion practices are backed by robust source code: "They have layers and layers and layers of what we call packers, that is, custom encryption," Derek Manky, Fortinet's head of threat analysis, had explained to Clarín.

"My best analysts can work on a trivial piece of malware, like a trojan or something that isn't encrypted, and they can write a full report in 24 hours, with lots of details. With LockBit it can take up to 2 weeks of work, because that's a lot of work hours to review everything," the expert illustrated.

Some ransomware groups have been caught, however. At the beginning of last year, REvil, a Russian group that is on trial, fell.

And at the end of January, the FBI, together with other international security forces, dismantled Hive, another group that claimed some 1,500 entities in 80 countries as victims, although no arrests were made.

The practice is spreading and Argentina is no exception: Fortinet detected 200% more attacks from 2021 to 2022 in the country, while the Latin American and Caribbean region suffered more than 360 billion attempted cyberattacks.

The response to incidents ends up defining each case: how the victims recover and, above all, how they communicate (or not) with those affected.

SL


Source: clarin
