Devastating Ransomware Attacks in Chile and Montenegro Shut Down Government Agencies and Banks

A series of ransomware attacks in Chile and Montenegro have caused massive damage, shutting down banks and government agencies and even prompting a call to North Atlantic Treaty Organization (NATO) partners for emergency aid.

Montenegro faces an ongoing brutal campaign of ransomware attacks that appear to originate from criminal groups in Russia and target government websites. A member of NATO since 2017, Montenegro has asked for help from the United States to repel these attacks. Chilean government agencies have also been hit by a new form of ransomware that targets Linux servers, and at least one has been threatened with “double extortion” of stolen information.

Government agencies hit by highly damaging ransomware attacks, brand new strain seen

Montenegro is receiving support from the FBI’s Cyber Action Team after a number of government websites were hit by ransomware attacks and disabled. The attacks appear to be opportunistic, as they come during a time of political turmoil in the country, with the current government toppled in mid-August in a vote of no confidence. However, there is as yet no determination that state-backed advanced persistent threat groups are involved; the ransomware attacks seem to originate from Russia, but at this point they appear to be the work of profit-seeking criminal groups.

Nonetheless, ties to Russia prompted the country’s national security agency to seek NATO protection. The European Union has also declared its support, organizing a “multi-country project” that will send experts to the country to help defend its critical infrastructure.

The attackers are using the Cuba ransomware, which has been linked to a core group that operates as a “ransomware as a service” entity. It’s been around since early 2020, but the Montenegro attack contains a new component: a new virus called “Zero Date” that security researchers are still studying.

The Montenegro attack saw several government agencies go offline, apparently out of caution, while the problem is resolved. The Ministries of Defence, Finance and Interior (among others) were unavailable for several days. Ransomware attacks have been paired with Distributed Denial of Service (DDoS) attacks in some cases, a technique that would cast more suspicion on a Russian government operation but is also not entirely unheard of in criminal circles. The country’s power grid was reportedly put under manual control for some time following one of these DDoS attacks.

The US Embassy in the country’s capital is warning travelers that the campaign could disrupt international transportation, utilities and telecommunications for an indefinite period. The government of Montenegro said citizens’ personal data was not compromised, but some services (such as retail sales tax collection) may be interrupted for some time. The attackers claimed to have breached the country’s parliament and stolen source code, financial documents, correspondence with bank employees and tax documents, among other things.

Chile repels similar ransomware attacks

Chilean government agencies have also been heavily hit by ransomware attacks, but from what appears to be a different attacker wielding a whole new strain of ransomware that targets servers running Linux.

The country says at least one unspecified government agency was taken offline in late August, with the attacker demanding ransom payment within three days under threat of selling the data to other criminals via the dark web. The country’s Computer Security Incident Response Team (CSIRT) said the new strain, which has yet to be named, has the ability to evade automated defenses and encrypt removable devices in addition to targeting known flaws in Microsoft and VMware ESXi servers.

While it remains possible that a state-backed APT group was behind one or both of these attacks, ransomware gangs have recently shown an increased willingness to go after government agencies. They seem to particularly target smaller governments that may not have the IT resources to deal with a deluge of attacks. The recent attack on the government of Costa Rica by the Conti gang is a prime example of how brazen these groups have become; this attack crippled various government services for weeks, but was allegedly carried out by Conti more as a publicity stunt than a serious attempt to obtain a ransom.

There is also the question of the sense of patriotism on the part of criminal groups based in Russia; several openly declared that they would help their government after the invasion of Ukraine began. Even if they do not receive direct orders from Moscow, some of these attacks may be motivated by war.

Other recent attacks on government agencies have taken place in Argentina, the Dominican Republic and Brazil. Commentary by Cybereason Chief Security Officer Sam Curry notes that there have been high-profile attacks of this nature in several other countries as well: “In Greece, last week, the country’s largest natural gas supplier was attacked by the Ragnar Locker ransomware gang.”


“In Taiwan, a massive DDoS attack has surfaced because it is a fast and must-have tool for quick results and normal ingredients that could accompany more serious and invested attacks. Cyberterrorists and extortion gangs strike at these countries and critical infrastructure operators because they deem them vulnerable. Given the reckless attacks on Montenegro, all nations should be on high alert, regardless of geographic or political proximity to the Ukrainian-Russian conflict,” Curry said. “To protect against DDoS attacks and ransomware, public and private sector organizations must prepare for peacetime and ensure network connectivity redundancy and have mitigation strategies ready. And don’t just prepare for volumetric attacks (there are more types of DDoS than just flooding), but also practice good security hygiene and regularly update and patch operating systems and other software. Also perform periodic tabletop drills and drills with people beyond the security team to the executive suite.”

Ashley C. Reynolds