A set of ransomware attacks in Chile and Montenegro has caused substantial damage, shutting down banks and government agencies and even prompting a call to North Atlantic Treaty Organization (NATO) partners for emergency assistance.
Montenegro is dealing with a brutal ongoing campaign of ransomware attacks that appears to be coming from criminal groups in Russia and targeting government websites. A member of NATO since 2017, Montenegro has requested help from the United States in fending off these attacks. Government agencies in Chile have also been hit by a new form of ransomware that targets Linux servers, and at least one has been threatened with a “double extortion” dump of stolen information.
Government agencies hit with highly damaging ransomware attacks, one entirely new strain observed
Montenegro is receiving support from the FBI’s Cyber Action Team after a number of government websites were hit with ransomware attacks and disabled. The attacks appear to be opportunistic, as they come during a period of political unrest in the country, with the current government having been ousted in mid-August in a vote of no confidence. However, there is not yet a determination that state-backed advanced persistent threat groups are involved; the ransomware attacks appear to originate in Russia, but at this point look like the work of criminal groups seeking profit.
Nevertheless, the ties to Russia prompted the country’s national security agency to ask NATO for protection. The European Union has also declared support, organizing a “multicountry project” that will send experts to the country to assist in defending its critical infrastructure.
The attackers are using the Cuba ransomware, which has been tied to a central group that operates as a “ransomware as a service” entity. It has been in circulation since early 2020, but the Montenegro attack contains a novel component: a new virus called “Zero Date” that security researchers are still examining.
The Montenegro attack saw multiple government agencies go offline, reportedly out of an abundance of caution as the issue is remediated. The ministries of defense, finance and the interior (among others) were down for multiple days. The ransomware attacks have been paired with distributed denial-of-service (DDoS) attacks in some cases, a technique that would throw more suspicion on a Russian government operation but is also not entirely unheard of in criminal circles. The country’s electrical grid was reportedly switched to manual control for some amount of time as a result of one of these DDoS attacks.
The US embassy in the country’s capital is warning travelers that the campaign could disrupt international transportation, public utilities and telecommunications for an indeterminate period of time. The Montenegro government said that the personal data of citizens has not been compromised, but that certain services (such as retail tax collection) could be disrupted for some time. The attackers have claimed that they breached the country’s parliament and stole source code, financial documents, correspondence with bank employees and tax documents among other items.
Chile fends off similar ransomware attacks
Chile’s government agencies have also been strongly impacted by ransomware attacks, but from what appears to be a different attacker wielding an entirely new strain of ransomware that targets servers running Linux.
The country says that at least one unspecified government agency was taken offline in late August, with the attacker demanding a ransom payment within three days under threat of selling the data to other criminals via the dark web. The country’s Computer Security Incident Response Team (CSIRT) said that the new strain, which has not yet been named, has the ability to evade automated defenses and encrypt removable devices in addition to targeting known flaws in Microsoft and VMware ESXi servers.
While it remains possible that a state-backed APT group is behind one or both of these attacks, ransomware gangs have shown an increased willingness to go after government agencies of late. They particularly seem to target smaller governments that may not have the IT resources to keep up with a barrage of attacks. The recent attack on the government of Costa Rica by the Conti gang is an excellent example of how brazen these groups have become; that attack crippled assorted government services for weeks, but was reportedly done by Conti more as a publicity stunt than as a serious attempt to extract a ransom payment.
There is also the issue of a sense of patriotism on the part of criminal groups based in Russia; several openly declared they would aid their government after the invasion of Ukraine began. Even if they are not taking direct orders from Moscow, some of these attacks may be motivated by the war.
Other recent attacks on government agencies have occurred in Argentina, the Dominican Republic and Brazil. Commentary from Sam Curry, Chief Security Officer of Cybereason, notes that there were high-profile attacks of this nature in several other countries as well: “In Greece, last week the country’s largest natural gas provider came under attack from the Ragnar Locker ransomware gang.”
“In Taiwan, a massive DDoS attack surfaced because it’s a fast and go-to tool for quick results and normal ingredients that could accompany more serious and invested attacks. Cyber terrorists and extortion gangs are hitting these countries and critical infrastructure operators because they deem them vulnerable. Given the reckless attacks on Montenegro, all nations should be on high alert regardless of how close they are geographically or politically to the Ukrainian-Russian conflict,” said Curry. “To protect against DDoS and ransomware attacks, both public and private sector organizations should prepare in peacetime and ensure redundancy in network connectivity and have mitigation strategies ready. And don’t just prepare for volumetric attacks (there are more kinds of DDoS than simple floods) but also practice good security hygiene and regularly update and patch operating systems and other software. Also, conduct periodic table-top exercises and drills including people beyond the security team all the way to the Executive Suite.”