Ransomware attacks have become quite prominent in the past few months, with criminals deploying malware at an alarming rate. However, while individuals and businesses are usually the top targets, a ransomware operation recently infected Argentina’s border control agency too.
“Immigration is Down”
Over the weekend, Bleeping Computer reported that a group of ransomware attackers breached Dirección Nacional de Migraciones, Argentina’s immigration agency, on August 27. The report explained that the group had used the NetWalker ransomware, and they initially asked the immigration agency to pay $2 million to get their files back.
A ransom note that the hackers sent to the Tor payment page read, “Your files are encrypted. Only way to decrypt your files is [sic] buy the decrypter program.” The group also posted a batch of sensitive information online to prove that they weren’t bluffing and were indeed in control of the agency’s files.
In a Tor payment page seen by BleepingComputer, Netwalker originally demanded $2 million for a decryptor and the deletion of stolen files. After seven days, this amount increased to $4 million.
— BleepingComputer (@BleepinComputer) September 6, 2020
About a week after the initial attack, the group increased the ransom to about $4 million, upping the stakes even more. Local news source Infobae reported that the attack had stopped all border crossings in and out of Argentina for four hours. During this time, authorities disconnected all computers belonging to immigration officials at both checkpoints and regional offices. The officials remain defiant, explaining that they don’t care about retrieving the data and will not negotiate with the hackers.
NetWalker’s Growing Rap Sheet
The group that attacked Argentina’s immigration agency definitely knew how to pick their malware. NetWalker is one of the top ransomware variants globally, and it has grown particularly prominent in 2020.
Although initially discovered in 2019, NetWalker has seen steady adoption this year. Last month, cybersecurity firm McAfee Labs reported that the ransomware’s operators had collected about $25 million in payments across four months of this year alone. The group reportedly gathered about 2,795 BTC from March 1 to July 27.
The report described NetWalker as “ransomware-as-a-service” malware, noting that the gang usually splits its bitcoin proceeds across different addresses. McAfee also pointed out that the gang has managed to generate such a massive amount of money due to an affiliate revenue sharing system that it offers to other users.
To support its business model, the NetWalker gang also switched from using legacy Bitcoin addresses to SegWit addresses. This move is in line with their pivot to becoming a ransomware-as-a-service operation, and it will allow them to make quicker transactions at a fraction of the original cost of transacting on legacy wallets.
While it’s unclear what the resolution to the case is, this incident shows that ransomware attackers have become increasingly confident in their abilities to bring anyone down. If a sovereign country’s immigration agency can fall victim to a ransomware attack, it almost seems like there’s no escape from these criminals.
The incident also shows that the trend of ransomware attacks is, sadly, here to stay. Individuals and companies have long known to stay on high alert for ransomware attacks. Now, countries have to join in as well.