Argentina’s official immigration agency, Dirección Nacional de Migraciones, has been attacked with Netwalker ransomware, which temporarily halted border crossings into and out of the country, according to Bleeping Computer.
Although ransomware attacks against cities and local agencies have become all too common, this may be the first known attack on a federal agency to disrupt an entire country.
According to a criminal complaint published by the Argentine cybercrime agency Unidad Fiscal Especializada en Ciberdelincuencia, the government first became aware of the ransomware attack after receiving numerous technical support calls from security checkpoints around 7 am on August 27.
“It was found out that this is not a common situation, since the activity of a virus was noticed that affected MS Windows-based system files (mainly ADAD SYSVOL and SYSTEM CENTER DPM) and Microsoft Office files (Word, Excel, etc.), located in users’ workspaces and public folders,” the translation of the complaint reads.
To prevent the ransomware from infecting other devices, the computer networks used by immigration and security checkpoints were disabled.
According to the Argentine news site Infobae, this resulted in a temporary suspension of border crossings for four hours until the servers were brought back online.
“The Integrated Migration Control System (SICaM), which operates at international border crossings, has been particularly affected, resulting in delays in entering and exiting the national territory,” the National Directorate for Migration (DNM) said.
Government sources told Infobae that "they won’t negotiate with hackers and aren’t overly concerned with getting this data."
Netwalker demands $4 million ransom
When Netwalker performs an attack, it leaves ransom notes on encrypted devices. These ransom notes contain links to a shady payment website that contains information on how to purchase the decryptor, the ransom amount, and details of any unencrypted files that were stolen during the attack.
BleepingComputer was able to visit the Netwalker payment page on the Tor network, where they learned that the attackers initially demanded a $2 million ransom.
After seven days, the ransom amount increased to $4 million, or roughly 355 bitcoins, as shown below in the image of the Dirección Nacional de Migraciones ransom page.
Image: Bleeping Computer
This site also has a "Stolen Data" page that displays a screenshot of the data stolen from "Migraciones Argentina" during this attack.
Image: Bleeping Computer