Chile says gov’t agency struggling with ransomware attack

Chile’s cybersecurity incident response team said an unnamed government agency is dealing with a ransomware attack that targeted the organization’s Microsoft tools and VMware ESXi servers. 

Chile’s CSIRT said the attack started last Thursday but did not respond to requests for comment about what group was behind the attack or what department or agency was attacked. 

In a statement, the cybersecurity agency explained that during the attack, the extension “.crypt” was added to all files in the department’s system. 

Desde el CSIRT de Gobierno compartimos con ustedes algunos indicadores de compromiso que encontramos en relación con el ataque de ransomware sufrido por una entidad gubernamental y que informamos el jueves #CSIRTGob #ciberseguridad https://t.co/G4zDrVNLld pic.twitter.com/pT8oOntJN2

— CSIRT GOB CL (@CSIRTGOB) August 29, 2022

Recorded Future ransomware analyst Allan Liska said the extension is associated with the Thanos ransomware but it has also been associated with about a handful of other variants. 

“Which means it could be any number of families,” he explained. 

Chile’s cybersecurity agency said the attacker was able to take complete control of the victim’s system and left a ransom note, offering a communication channel and ways to contact them. 

The ransomware encrypted a wide variety of files and also included infostealer characteristics that took credentials from browsers, listed connected devices and drives, and had antivirus evasion capabilities. 

The group threatened to sell the information on the dark web if the unnamed agency didn't respond within three days. 

No ransomware group has taken credit for the attack yet. Chile’s cybersecurity officials included some indicators of compromise and malware characteristics in their statement on the incident. 

They urged other government agencies to make sure their Microsoft and VMware assets are patched, institute network segmentation and contact cybersecurity officials in the event of any attack. 

Ransomware groups continue to show little fear in directly attacking governments, and over the past few months several Latin America and Caribbean nations have been hit. Chile's own consumer protection agency announced last week that it was hit with ransomware in April. No group has come forward to take credit for the attack.

#SERNACinforma | Ante la caída de nuestras plataformas, informamos lo siguiente: pic.twitter.com/3qmC1bL9ra

— Sernac - Chile (@SERNAC) August 25, 2022

Last week, the Dominican Republic announced that it was refusing to pay a ransom following an attack on one of its departments. Argentina's Judiciary of Córdoba was attacked by a ransomware group two weeks ago. 

Ransomware groups targeted the Secretary of State for Finance of Rio de Janeiro in April and crippled the government of Costa Rica in May. There were also several other rumored attacks on South American nations that were never confirmed. 

The largest supermarket chain in Trinidad struggled to recover from a cyberattack that caused outages at all of its locations throughout the country in May while hackers took control of the Twitter account of Brazilian retail giant Fast Shop in June.