Lockbitsone of the largest ransomware groups in the world, listed among its victims Albanian groupthe main natural gas distributor and electricity supplier in Argentina.
Ransomware is a type of program that cybercriminals use to encrypt their victims’ data, i.e. transform it inaccessible– and ask for a ransom in return.
clarion Grupo Albanesi was contacted but the company declined to comment, so it’s difficult to know whether the compromised files have anything to do with the functioning of critical infrastructure or are related to more administrative issues.
Grupo Albanesi is a strategic enclave for the industrial zone between the south of Rosario and San Nicolás. They have been trading natural gas for 33 years and energy in general for 23, with 9 plants and 1,380 MW installed.
The amount they are asking has not yet been released, and as of Thursday this week, the files will be released in 12 days.
LockBit already has a track record with Argentinian companies: Ingenio Ledesma e osdethe first case with administrative data and little damage inflicted, but the second with leaks of patients and sensitive information from prepaid affiliates.
Another case of an energy company in Argentina was that of Southern Gas Carrier in April last year, attacked on that occasion by the group called Black Cat (ALPHV).
The cybercriminal group that encrypted Albanians is one of the most prolific in the world.
It first appeared in September 2019 and, according to Kela’s data, had a stranglehold on the cybercrime scene in 2022, with a 28.57% of ransomware attacks.
They commit their crimes with the system known as Raasthis is Ransomware As a Service, which works with “affiliates”.
After the disappearance of the REvil ransomware group, LockBit was relaunched as Lock Bits 2.0along with an updated affiliate program.
This was intended to attract former members of other groups such as REvil, who even ended up behind bars.
“Gangs that have this mode sell their malicious code. This is usually through the dark web“They sell their encryption program there and are looking for someone to distribute it,” explains to Clarín Arturo Torres, Intelligence Strategist against Threats for FortiGuard Labs for Latin America and the Caribbean.
“The partner or affiliate can be an employee of the attacked company or someone who bought the service to deposit it with a victim, because they have privileged access,” he adds.
“When ransomware is distributed and a company is infected, start extortion and negotiation. It is then that the band begins to interact. After negotiation, the profits are shared between the creator of the malicious code, ie the group of cybercriminals, and its affiliates,” added the Fortinet expert. LockBit is known to have given them 20% of the economic advantage to its members.
In this sense it is often difficult to know how the ransomware “entered” the system: it could be negligence from someone who works in the company (phishing, for example) or, in some cases, deliberately.
LockBit released its latest version a few weeks ago, known as Green block tip, based on that of the Counts (band already disbanded). Both the source code and the criminal organization are constantly updated.
However, cyber criminals are not immune. In late January, the FBI, along with other international security forces, dismantled Hive, another group that had been assigned some 1,500 entities in 80 countries.
The more targets they attack and the higher their profile, the more they are exposed to this type of operation.
The industry, a step back in cyber security
Industrial systems, known as WO In jargon (Operation Technology), they have serious delays.
This makes them a highly sought-after target for cybercriminals, due to the huge attack surface they present and the Few digital hygiene measures.
«There is something about not wanting to touch things that work well, many times these systems cost a lot of work and effort to make them work, and changing something can have a big impact on the entire production chain», Hernando Castiglioni said last year. year, Fortinet senior manager for Argentina, Uruguay, Paraguay, Bolivia and Venezuela.
This poses a huge danger: when using old systems, They have no security updates. And they are very vulnerable.
“Historically, the industry had networks that came from the serial world, ie always separated from the traditional IT world: Internet networks, mail, file sharing”, he commented.
“These networks handle many sensors, actuators, ways of measuring and controlling processes, with systems that come from the 60s or 70s. A network of transportation, electricity, oil, manufacturing: all these systems were not designed or born with a cybersecurity protection logic. Most of the protocols are old,” warned the expert.
There have been very serious cases where cybercriminals aimed to decommission nuclear reactors, which can blow up an entire city. And there are also specific malware (viruses) for this production sector, as in the case of the Russian Industry against Ukraine.
The most sensational case was that of the Colonial Pipeline energy company in 2021, in the United States.
Linda Price is a tech expert at News Rebeat. With a deep understanding of the latest developments in the world of technology and a passion for innovation, Linda provides insightful and informative coverage of the cutting-edge advancements shaping our world.