The Chilean national consumer protection agency is undergoing a ransomware attack affecting online services with little indication of when its online presence might be restored.
The country’s computer security incident response team, CSIRT, earlier this week publicly shared details about the attack, saying it affected Windows and VMware virtual machine servers. The malware has the ability to stop all running virtual machines and encrypt files, appending a [.]crypt extension.
Chile’s National Consumer Service – better known as SERNAC – tweeted on Aug. 25 that its website was offline following a cyberattack. As of publication, the agency website remains offline. A government representative told Santiago newspaper El Mercurio the attack hasn’t spread to other governmental departments. CSIRT says the attacker posted a ransom note containing a unique ID and a communication channel link to establish contact.
The attacker threatened to sell data on the dark web if their demands are not met within three days, CSIRT says – a period of time that has apparently lapsed.
Ingrid Inda, head of the bureau of network and IT security within the Ministry of the Interior and Public Safety, told El Mercurio the government is hewing to its policy of not paying ransoms.
Payload and TTPs
The strain of ransomware used in the attack targets log files, executable files, dynamic library files, swap files, virtual disks, snapshot files and virtual machine memory files in the compromised system. It uses the NTRUEncrypt public key encryption algorithm.
The strain does not just drop a ransomware payload – it is equipped with antivirus detection evasion and information-stealing capabilities that help it exfiltrate credentials from browsers and enumerate removable devices such as hard disks and USB drives.
Germán Fernández Bacian, a security researcher at Chilean cybersecurity company CronUp, says he has a sample of the malware used in the SERNAC attack. Fernández says the ransomware deletes backups of the operating system before encryption using vssadmin delete shadows /All /quiet.
“It is one of the most-used commands by ransomware operators,” says Fernández. “If you’re not monitoring this, you’re missing out on an important detection opportunity for these types of attacks.”
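One way to act on the detection opportunity Fernández describes, as an added example that is not from the article or from CronUp: a small Python matcher that flags process-creation events whose command line invokes vssadmin delete shadows, run over a few constructed Sysmon-style log lines (the field layout, file paths and parent processes are assumed). It goes slightly beyond the exact command quoted above by also catching casing variants and invocations wrapped in cmd.exe.

```python
import re

# Constructed sample of process-creation events (Sysmon Event ID 1 style,
# flattened to one key=value line each). Made-up lines, not from the incident.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin delete shadows /All /quiet" '
    'ParentImage=C:\\Users\\Public\\update.exe',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin list shadows" '
    'ParentImage=C:\\Windows\\System32\\cmd.exe',
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd.exe /c VSSADMIN.EXE Delete Shadows /for=C: /oldest" '
    'ParentImage=C:\\Temp\\run.exe',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe notes.txt" '
    'ParentImage=C:\\Windows\\explorer.exe',
]

# key=value pairs; a value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Shadow copy deletion, tolerant of casing, the .exe suffix and extra spaces.
SHADOW_DELETE_RE = re.compile(
    r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\b', re.IGNORECASE)


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def is_shadow_deletion(cmdline):
    """True if the command line deletes volume shadow copies via vssadmin."""
    return bool(SHADOW_DELETE_RE.search(cmdline or ""))


def detect(lines):
    """Return an alert (command + parent process) for each matching event."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":   # only process-creation events
            continue
        cmd = ev.get("CommandLine", "")
        if is_shadow_deletion(cmd):
            alerts.append({"command": cmd, "parent": ev.get("ParentImage", "")})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT shadow copy deletion: {a['command']} (parent: {a['parent']})")
```

The parent process is carried into the alert because a shadow deletion launched from an unusual location is far more suspicious than one run by an administrator's shell.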
The sample uploaded by Fernández to Malware Bazaar suggests involvement by notorious ransomware group Conti (see: After Conti Ransomware Brand Retires, Spinoffs Carry On).
Fernández says he is unable to identify the ransomware family, as it could be a “new variant” or an updated old variant. He told news site La Tercera the same malware was seen only twice – once in an attack that took place in Canada and again in an attack that took place in the Netherlands.
CSIRT head Carlos Silva told El Mercurio that initial indicators point to Conti. Still, so many ransomware programs are sold on the dark web that it’s difficult to know who exactly is behind any single attack, Silva said.