A criminal group claims to have accessed the servers of Lotenal, Mexico's national lottery. The group is asking for an unknown ransom amount.

Lottery agency keeps mum after hackers claim to have accessed servers

Group behind attack threatens to make confidential files public

A group of hackers that claims to have infiltrated the computer servers of the National Lottery (Lotenal) has threatened to reveal confidential information if the agency refuses to cooperate with it.

A criminal group claims to have accessed Lotenal’s servers last Thursday using Avaddon ransomware, malicious software (also known as malware) that has been used in numerous cyberattacks in several countries.

The group demanded the payment of a ransom within 10 days in exchange for not leaking information it stole. The amount it is asking for is unknown.

“… We have data such as all contracts and agreements from 2009 to 2021, legal documents, correspondence, finance, notarial data, outsourcing, and much more,” the group said in a statement published online. “Also remember that data cannot be decrypted without our general decryptor. And your site will be attacked by a DDoS [distributed denial of service] attack,” it said.

Lotenal has neither confirmed nor denied that it was the victim of a cyberattack. It said on Friday that it was updating its systems and that this was causing some interruptions to its online services. On Saturday, the criminal group published another statement.

Message published Saturday online by hackers claiming to have hacked the National Lottery’s servers. The group is threatening to leak confidential documents.

“Apparently the [agency] does not quite understand the seriousness of this situation and wants to hide the fact that they were hacked and we stole data from their servers,” it said.

“… What if we say that we have a lot of confidential data (see photo below), such as sexual harassment in the workplace, unpleasant incidents and a lot of dirt associated with your [agency]? If you continue to lie to everyone and do not contact us on this fact, then we, in turn, are ready to surprise all who follow the news related to our blow to your companies with very interesting documents that we have.”

The group published an image of a redacted federal government document about a case in which a Lotenal cleaner was a victim of sexual harassment.

According to Hiram Caramillo, co-founder and director of information security at the cybersecurity consulting firm Seekurity, groups that use ransomware such as Avaddon are “criminals that earn millions of dollars” through extortion.

He said that Lotenal should be working to ensure that Avaddon ransomware is no longer being used to infiltrate its systems. Caramillo also said the lottery agency must identify what information has been stolen.

“It’s not the first time that a company that has been hacked denies the attack,” he said, referring to Lotenal’s decision not to publicly acknowledge the cyberattack.

Hackers targeted Pemex in 2019 for US $5 million, which Energy Minister Rocio Nahle said would not be paid. File photo

Nor is it the first time that ransomware groups respond to companies that refuse to cooperate, he said. “The same situation has already happened several times,” Caramillo said.

According to the United States Federal Bureau of Investigation (FBI), Avaddon ransomware was first advertised on Russian-language hacking forums as a ransomware-as-a-service, or RaaS, product. RaaS refers to the sale of malware to would-be hackers via a subscription model. Hackers who do not have the skills to write and deliver their own ransomware code to victims can do so by buying RaaS products on the dark web. The ransomware developers typically get a cut of the victim’s payment.

According to the cybersecurity research company Group-IB, almost two-thirds of ransomware attacks worldwide that it analyzed during 2020 came from cybercriminals operating on a RaaS model.

The FBI said in a statement issued earlier this month that it had received notifications of unidentified online criminals using Avaddon ransomware against U.S. and foreign companies, manufacturing organizations, and healthcare agencies.

“Avaddon ransomware actors have compromised victims through remote-access login credentials. … After [they] gain access to a victim’s network, they map the network and identify backups for deletion and/or encryption,” the FBI said.

“… The actors threaten to leak the victims’ data to The Onion Router (TOR) network unless their ransom demand is paid in virtual currency within days of infection. Avaddon’s extortion tactics progress from a warning to a partial data leak and, finally, to a full data leak of all exfiltrated files,” it said.

There have been Avaddon attacks in the United States and Europe, as well as in Latin American countries such as Brazil, Chile, Peru and Costa Rica.

The cyberattack on the National Lottery is the second on a federal government agency since President López Obrador took office in late 2018. The state oil company Pemex was targeted in a 2019 attack in which hackers demanded the payment of about US $5 million in bitcoins.

Source: El Universal (sp), Reforma (sp), El Financiero (sp), ZDNet (en)
