Cyberattack on pharmacies: Hackers give one month to pay ransom or publish stolen information

Share This Post

- Advertisement -

block tipthe group of cybercriminals that carried out the attack on the Farmalink prescription drug sales system, granted a period of almost a month to negotiate a ransom payment and return the stolen information. After that period, the data will be published.

- Advertisement -

Bizland, the company that manages the Farmalink system, ensures that “the extortion has not been accepted” and that “in principle, no sensitive data of any kind would be compromised”. Lockbit is an international gang that uses ransomware, a type of malware (virus) that encrypts your information to make it inaccessible and demands a ransom in cryptocurrency in return.

Hackers offer “technical support” to victims where they even provide decryption of a file up to 50Kb as a free sample.Clarín confirmed that the possibility of negotiation is open through Lockbit’s dark website, where Bizland didn’t initiate the dialogue.

- Advertisement -

As of Wednesday this week, the time left to trade it was 28 days and no dialogue had been initiated by the company. It is unknown what amount cybercriminals demand, but Lockbit often demands it $200,000 and up in cryptocurrencies.

Farmalink manages the discount system in pharmacies.  Photo: Rafael Mario Quinteros

Farmalink manages the discount system in pharmacies. Photo: Rafael Mario Quinteros

Bizland filed a legal complaint with the Cybercrime Fiscal Unit (UFECI) headed by Horacio Azzolin. There, the detection of the attack is detailed: after a problem in its datacenter, the network equipment stopped working and the software that manages the virtual machines was disconnected (vSphere).

It was then that the systems area found the file with what is known as ransom note, the kidnapping note that cybercriminal groups leave with their victims: “Your data has been stolen and encrypted. If you don’t pay the ransom, they will be posted on our TOR sites on the dark web. Please note that once your data appears on our leak site, your competitors could buy them at any time”.

According to the complaint filed before the Azzolin court, which he was able to access clarion, “in principle, sensitive data of any kind would not be compromised.” This medium consulted Bizland about the compromised information, but the company decided not to provide details “so as not to promote extortionists.”

However, due to the type of information the company handles (medical prescriptions, user ID and affiliate numbers, addresses, emails, and more), it is also may contain sensitive data.

“The site indicator shows the time remaining before the trade fails ‘by default’, but is subject to very delicate parameters such as the involvement of negotiators or government agents in the matter, or even any action that could be considered disinterestedness or hostility on the part of the victim could lead to advance disclosure as a form of punishment,” explains Mauro Eldritch, Birmingham threat analyst. Cyber ​​weapons.

On the other hand, the term could also be extended: “Gestures of ‘understanding’ such as payment commitments or friendly negotiations can induce the plaintiffs to extend this period, in the same way if it appears a potential buyer other than the victim“, he adds.

Meanwhile, according to Clarín, there are at least a million prescriptions affected and new complications have arisen for users of the service.

Lockbit Ransomware as a Service (Raas)

LockBit was the group with the most attacks in 2022. Source: Kela

LockBit was the group with the most attacks in 2022. Source: Kela

Lockbit is dedicated to what is known as “Big Game Hunting”, or hunting for large targets: they look for victims with large economic positions, which can be companies or governments. Before encrypting they study everything: how much they bill, number of employees and whether they are listed on local stock exchanges.

They use a method known as Ransomware as a Service (RaaS), with “affiliates”. Some cases of resonance in Argentina were Artear (of Hive, an already dismantled group), Arsat, the judicial branch of Córdoba (both of Play)

“Gangs that have this mode sell their malicious code. This usually happens through the dark web: there they sell their encryption program and look for someone to distribute it. The partner or affiliate could be an employee of the attacked company or someone who purchased the service to deposit it with a victim because they have privileged access,” Arturo Torres, Threat Intelligence Strategist for FortiGuard Labs for the Americas Latina and the Caribbean, he explains to Clarin. .

“When ransomware is distributed and a company is infected, extortion and negotiation begin. That is when the gang begins to interact. After negotiation, the profits are shared between the creator of the malicious code, i.e. the group of criminals computer scientists, and their affiliates,” adds the Fortinet expert, Lockbit is known to give 20% of the economic benefit to its partners.

The criminal group already has a history in our country, adding among its victims Ingenio Ledesma, Grupo Albanesi and the prepaid company Osde, with a balance between sensitive data and leaked internal doctors of the company.

“Based on reported cases concentrated in our threat analytics platform Sheriff, we recorded 2,610 ransomware attacks in 2022. So far in 2023 alone (less than half of the year) today we have 1,398. Of these, 387 (over 25%) were caused by Lockbit”, analysis by Clarin Eldritch.

And he clarifies: “It is important to remember that there is a significant black figure in terms of ransomware, as there are many events that go unreported by law enforcement or the judiciary.”

$10 million for a Lockbit member

"Boris", sought after by

“Boris”, wanted by the FBI. FBI photo

This week, the FBI released a bounty against a key player in the Lockbit group and offers 10 million dollars for his head. It is a Russian citizen named Mikhail Pavlovich Matveev, also known as Wazawaka or Boris.

According to the FBI, Boris, 30, is a “central figure” in the development and distribution of ransomware variants. LockBit, Babuk and Hive at least since June 2020.

“Matveev is also identified as one of the main developers of the Babuk ransomware, i.e. the person who “builds” and “improves” malware with which he will infect the victims, and as administrator of his infrastructure, which places him in a central and strategic point of the organization on a double basis,” explains Eldritch.

There is an important fact that the FBI profile highlights, and that is that Boris lacks the ring finger, which the FBI points out in its profile: “In particular, the source code of Babuk has gone through many hands in addition to Matveev’s, one of which is missing the ring finger, which is not a minor detail: this would cause several problems ‘technical’ later”.

“The downfalls of this ransomware did not stop there, since in 2021 and after a series of internal brawls (but exposed in the organization’s forums and channels) a barely 17-year-old Russian affiliate decided to publicly leak Babook source code online. This almost immediately led to new versions specifically designed for VMWare ESXI systemsas well as giving birth to Rook, the first relevant ransomware created by Babuk.

The FBI estimated, based on these underrepresented figures, the collection of these groups: “The total ransom demands allegedly made by members of these three global ransomware campaigns to their victims amount to 400 million dollars, while total ransom payments for the victims amount to $200 million.”

Source: Clarin

- Advertisement -

Related Posts