Lockbitsone of the largest ransomware groups in the world, has released sensitive information from the insurance company Rosario The second one: there are judicial files, expert reports and sensitive health data of affiliates, among others.
Ransomware is a type of malicious program -malware- that encrypt information from foreign systems to demand a ransom in exchange. Once deposited, negotiations begin to arrange a payment and return the data. If the victim doesn’t pay, the information is exposed on the dark web.
In this way, it is the second Argentine company encrypted in this way and exposed by LockBit so far in 2023: two weeks ago, the Albanesi Group, the country’s main gas trader, fell victim to this group.
While the fee to return the stolen information is not public, one of the negotiation options has been offered by 5 million dollars. The hack happened in the middle of last month but was reported by LockBit last week to pressure the deal.
The criminal group already has a history in our country, adding among its victims Ingenio Ledesma and the prepaid company Osde, with a balance between sensitive data and leaked internal doctors of the company.
This time he managed to encrypt La Segunda, which has approx 1,300 employees and offers insurance services of all kinds: auto, home, accident, pension, accident and civil liability, among others.
The group presented a new method for exposing data, called Snap2HTML: “This is a tool for creating easily accessible and interactive web directory listings. This is the first time LockBit has used this new system on an Argentinian victim,” he said clarion Mauro Eldritch, threat analyst.
The data, inferred from the titles of the published files on the panel, allow you to confirm the crime of theft and exposure of confidential information: “In total they are, at least, 13 machines infected with ransomware. The areas affected are, at least, legal, labor and administrative medicine”, adds the expert.
“In the legal realm judicial files, complaints and expert reports; As far as occupational medicine is concerned, there is information on ART, medical and psychological diagnosesCOVID-19, lab reports, PCR results, diagnostic images -X-ray and MRI-, medical complaints, medical records and audiometry,” he adds.
As regards the administrative ones, the expert warns that there are “contracts, payment vouchersvouchers and tax payments (VEP and others), insurance policies, Jurisdictions declaredpersonal and automotive documents, ID and resumes.
The answer of the Second
The company released a statement that was only circulated in the media, reproduced by some local sites in Rosario. Today, there is no information about their social networks on the event to communicate it to its associates.
“We have not received any emails or notice of this attack, the last one I have is to adhere to the digital policy and nothing else ”, complained a customer in dialogue with Clarín. Also, when you want to enter your account bounced entering correct login details again and could not change passwordto regain access.
Just this Thursday afternoon, a sign appeared to members who, trying to access, bounced:
In that press release, the company acknowledged the ransomware attack: “Segunda Seguros reports that it has been subject to a cyberattack with ransomware of a exorbitant on part of their systems.
As they explained, they activated a protocol as is common in these cases: “We immediately put our security protocols normalize the situation and investigate its causes. To guarantee the protection of information and guarantee the service to our customers, we have added the support of renowned national and international cybersecurity consultants”.
Additionally, they acknowledged “delays or glitches” in their digital operating channels. Various plant workers logged these problems as well in internal systems to be able to work.
A company source, who asked not to be identified, downplayed the value of the published data: “We do not downplay the fact, although it is isolated files with images that were taken from the PCs of some collaborators and we understand that they do not represent an economic risk or towards the safety of people “, he assured.
“Also, they are documents of daily use that are not only on our computers, but also circulate and are hosted in the computer equipment of professionals, service providers, companies and a wide range of other actors involved in the activity,” he added, regarding the published data.
The amount of information, however, is remarkable: it’s 52GB divided into 12 folders, each with multiple subfolders and files of each type of extension (zip, doc, pdf, jpg, rar, etc.).
All this with the particularity that, using this new Snap2HTML system, you can navigate in its entirety from a browser like Tor Browser.
Finally, La Segunda ensures in the press release the “conviction of not having given in to illegitimate requests”, which could explain the fall in the negotiations with LockBit and subsequent exposure of the data.
LockBit, very active in 2023
The cybercriminal group that encrypted La Segunda is one of the most prolific in the world. In our country, several victims were claimed last year, with osde AND Ledesma sugar bowl to the head. 2023 started with Albanian group and now the second
The group first emerged in September 2019 and, according to Kela’s data, had a stranglehold on the cybercrime scene by 2022, with a 28.57% of ransomware attacks.
LockBit is dedicated to what is known in the world as “Big Hunt”that is, to “hunt” big targets, with good economic positions, which can be companies or governments.
Before encrypting they study everything: how much they invoice, the number of employees and if they are listed on the stock exchange.
The system by which they attack is what is known as Raasthis is Ransomware As a Service, which works with “affiliates”.
LockBit was relaunched as LockBit 2.0, along with an updated affiliate program. This was intended to attract former members of other groups such as REvil, who even ended up behind bars.
“Gangs that have this mode sell their malicious code. This is usually through the dark web“There they sell their encryption program and are looking for someone to distribute it,” Arturo Torres, Intelligence Strategist against Threats for FortiGuard Labs for Latin America and the Caribbean, explains to Clarín.
“He partner or affiliate It can be an employee of the attacked company, or someone who bought the service to deposit it with a victim, because they have privileged access,” he adds.
“When ransomware is deployed and a business is infected, it starts extortion and bargaining. It is then that the band begins to interact. After negotiation, the profits are shared between the creator of the malicious code, ie the group of cybercriminals, and its affiliates,” added the Fortinet expert. LockBit is known to have given them 20% of the economic benefit to their partners.
Many times it is difficult to detect where a ransomware has entered a computer: it could be due to the negligence of someone working in the company (phishing, for example) or, in some cases, deliberately. This week, for example, LastPass’s key manager acknowledged that the security breach it suffered was due to a credential theft by a company engineer.
LockBit released its latest version a few weeks ago, known as Green block tipbased in the Code of Accounts (band already disbanded). The criminal organization is constantly updated.
Their extortion practices are accompanied by a robust source code: “They have layers and layers and layers of what we call packers, or custom encryption,” Derek Manky, head of threat analysis at Fortinet, explained to Clarín.
“My best analysts can work on a trivial piece of malware, like a trojan or something that isn’t encrypted, and they can write a full report in 24 hours, with lots of detail. With LockBit it can take up to 2 weeks to workbecause there are many hours to review everything, ”the expert graphically represented.
However, some ransomware groups have been caught. At the beginning of last year it fell REVOLT, Russian group on trial. And in late January, the FBI, along with other international security forces, dismantled Hive, another group that has taken over some 1,500 entities in 80 countries, albeit without detainees.
The practice is spreading and Argentina is no exception: Fortinet detected 200% more attacks from 2021 to 2022 in the country, while the Latin American and Caribbean region experienced more than 360,000 million cyber attack attempts.
Incident response ends up marking each case: how they recover and, most importantly, how they communicate (or not) to those affected.
Linda Price is a tech expert at News Rebeat. With a deep understanding of the latest developments in the world of technology and a passion for innovation, Linda provides insightful and informative coverage of the cutting-edge advancements shaping our world.