
Cyberattack on pharmacies: hackers give a month to pay the ransom or publish the stolen information

2023-05-18T13:58:43.794Z

Highlights: The Lockbit group encrypted the Farmalink system, which handles prepaid discounts. The company assures that no sensitive data would be involved. As of Wednesday of this week, the remaining time to negotiate was 28 days and the company had not initiated any dialogue. It is unknown what figure the cybercriminals demand, but Lockbit usually asks for $ 200,<> up in crypto. They use a method known as Ransomware-as-a-Service (RaaS) with "affiliates".


The Lockbit ransomware group encrypted the Farmalink system, which handles prepaid discounts. The company assures that no sensitive data would be involved.


Lockbit, the cybercriminal group that carried out the attack against the Farmalink prescription drug sales system, gave a deadline of about a month to negotiate the payment of a ransom in exchange for the stolen information. After that period, they will publish the data.

Bizland, the company that operates the Farmalink system, assures that "the extortion was not acceded to" and that "in principle, sensitive data of any kind would not be compromised." Lockbit is an international gang that uses ransomware, a type of malware (virus) that encrypts information to make it inaccessible and demands a ransom in cryptocurrencies in return.

The hackers offer "technical support" to victims, even decrypting one file of up to 50 KB as a free sample. Clarín confirmed that the possibility of negotiating is open through Lockbit's dark-web site, where Bizland had not initiated any dialogue.

As of Wednesday of this week, the remaining time to negotiate was 28 days and the company had not initiated any dialogue. It is unknown what figure the cybercriminals demand, but Lockbit usually asks for $ 200,<> up in crypto.

Farmalink manages the discount system in pharmacies. Photo: Rafael Mario Quinteros

Bizland filed a judicial complaint with the Specialized Cybercrime Prosecution Unit (UFECI), headed by Horacio Azzolin. The complaint details how the attack was detected: after a problem in its datacenter, the networked computers stopped working and the software that manages the virtual machines (vSphere) was disconnected.

It was then that the systems area found the file with what is known as a "ransom note", the ransom demand that cybercriminal groups leave their victims: "Your data was stolen and encrypted. If you do not pay the ransom, it will be published on our TOR sites on the dark web. Keep in mind that once your data appears on our leak site, your competitors could buy it at any time."

According to the complaint filed with Azzolin's office, which Clarín was able to see, "in principle, sensitive data of any kind would not be compromised." This outlet asked Bizland what information was compromised, but the company decided not to give details "so as not to promote the extortionists."

However, given the type of information the company handles (prescriptions, users' ID and affiliate numbers, addresses, emails and more), sensitive data could also be involved.

"The site's indicator marks the time remaining for the negotiation to fail 'by default', but it is subject to very delicate parameters, such as the participation of negotiators or government agents in the matter; even any action that can be considered disinterest or hostility on the part of the victim could lead to an early disclosure as a punishment," explains Mauro Eldritch, threat analyst at Birmingham Cyber Arms.

On the other hand, the term could also be extended: "Gestures of 'understanding' such as payment commitments or affable negotiations can lead the actors to prolong this period, in the same way if an eventual buyer appears outside the victim," he adds.

Lockbit: Ransomware as a Service (RaaS)

LockBit was the group with the most attacks of 2022. Source: Kela

Lockbit is dedicated to what is known as "Big Game Hunting", or hunting for large targets: they look for victims with strong financial positions, which can be companies or governments. Before encrypting they study everything: the victim's revenue, number of employees and whether it is listed on local stock exchanges.

They use a method known as Ransomware-as-a-Service (RaaS), with "affiliates." Some high-profile cases in Argentina were Artear (by Hive, a group already dismantled), Arsat and the Judiciary of Córdoba (both by Play).

"The gangs that operate this way put their malicious code up for sale. This is usually through the dark web: there they sell their encryption program and look for whoever will deploy it. The partner or affiliate can be an employee of the attacked company, or someone who bought the service to plant it on a victim because he has privileged access," explains Arturo Torres, Threat Intelligence Strategist for FortiGuard Labs for Latin America and the Caribbean.

"When ransomware is deployed and a company is infected, extortion and negotiation start. That's when the gang starts interacting. After negotiating, the profits are shared between the creator of the malicious code, that is, the cybercriminal group, and its affiliates," adds the Fortinet expert. Lockbit is known for giving 20% of the economic benefit to its partners.

The criminal group already has a history in our country, counting among its victims Ingenio Ledesma, Grupo Albanesi and the prepaid health provider Osde, an attack that ended with sensitive internal medical data of the company leaked.

"From the reported cases gathered on our Sheriff threat analysis platform, in 2022 we had 2610 ransomware attacks recorded. So far in 2023 alone (less than half of the year) we have 1398 today. Of these, 387 (more than 25%) were caused by Lockbit," Eldritch told Clarín.

And he clarifies: "It is no less important to remember that there is a significant dark figure in ransomware, since many incidents are never reported to the police or the courts."

$10 million for a Lockbit member

"Boris," wanted by the FBI. FBI Photo

This week, the FBI announced a $10 million reward concerning a key player in the Lockbit group. He is a Russian citizen named Mikhail Pavlovich Matveev, also known as Wazawaka or Boris.

According to the FBI, Boris, 30, is a "central figure" in the development and deployment of the LockBit, Babuk, and Hive ransomware variants since at least June 2020.

"Matveev is also identified as one of the main developers of the Babuk ransomware, that is, the person who 'builds' and 'improves' the malicious software with which victims will be infected, and as an administrator of its infrastructure, which places him at a central and strategic point of the organization twice over," explains Eldritch.

One notable detail in the FBI's profile is that Boris is missing a ring finger, something the FBI points out, and which Eldritch ties to the code's history: "In particular, Babuk's source code went through many hands besides Matveev's, one of which lacks a ring finger, which is not a minor detail: this would cause several 'technical' problems later on."

"The variants of this ransomware did not stop there, since in 2021, after a series of internal fights (exposed in the organization's forums and channels), a Russian affiliate of just 17 decided to publicly leak the Babuk source code online. This led almost immediately to new versions of it specially designed for VMware ESXi systems, in addition to giving birth to Rook, the first relevant ransomware created from Babuk."

The FBI estimated, based on these underreported figures, what these groups have collected: "The total ransom demands allegedly made by members of these three global ransomware campaigns to their victims amount to $400 million, while total ransom payments from victims amount to $200 million."

SL


Source: clarin
