Onyx and Guatemala

Guatemala’s Foreign Ministry reports that it is investigating a ransomware attack that occurred earlier this year.  When asked about the incident, the Ministry of Foreign Affairs cited the Law on Access to Public Information to The Record and said it was unable to comment on the cyberattack while the investigation is ongoing.  “The Ministry is not in a position to respond to your request, since it is in the investigation phase,” a spokesperson said.[1]

Group: onyx

Approx. Time: 2022-11-21 08:12:06.653586

Title: https://t.co/vlKIfz1EOP

— Ransomware News (@RansomwareNews) November 21, 2022

The Foreign Ministry was first added to the leak site of the Onyx ransomware group on 27 September 2022 and was listed again on 21 November 2022.  The group emerged in April 2022, and by May researchers from BlackBerry had determined that its ransomware was built with the Chaos v4.0 ransomware builder.  The ransomware drew attention because it simply destroys larger files instead of encrypting them, so those files cannot be recovered even if the ransom is paid.  “This particular threat group would infiltrate a victim organization’s network, steal any valuable data it found, then would unleash ‘Onyx ransomware,’ their own branded creation based on Chaos Builder v4.0,” the researchers said.  “The Onyx group simply customized their ransom note and created a refined list of file extensions they wished to target. There is little other modification to differentiate it from any other samples built with Chaos v4.0.”
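The practical consequence of the behaviour described above is that, after an Onyx incident, the affected files fall into two classes with very different recovery paths: smaller files that were encrypted (recoverable if a working decryptor is ever obtained) and larger files that were overwritten and can only come back from backup.  The script below is an added triage example, not code from the article or from BlackBerry: it walks a directory, uses byte entropy to separate untouched files from files the ransomware touched, and then splits the touched files by size.  The size threshold, the entropy cut-off and the sample directory it builds are all assumptions made for the illustration; the article gives no numeric threshold, so tune SIZE_THRESHOLD to what the analysed sample actually does.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed parameters for this illustration (not taken from the article).
SIZE_THRESHOLD = 2 * 1024 * 1024   # assumption: files at or above this size are overwritten, not encrypted
ENTROPY_THRESHOLD = 7.5            # bits per byte; encrypted or random data sits close to 8.0
SAMPLE_BYTES = 64 * 1024           # read only the head of each file to keep triage fast


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path, size_threshold=SIZE_THRESHOLD,
                  entropy_threshold=ENTROPY_THRESHOLD) -> str:
    """Label a file as 'untouched', 'encrypted' (decryptable in principle)
    or 'destroyed' (overwritten, backup-only) under the assumed model."""
    p = Path(path)
    with p.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    # Low entropy means the content still looks like ordinary data: the
    # ransomware did not touch it (or has not got to it yet).
    if shannon_entropy(head) < entropy_threshold:
        return "untouched"
    # High-entropy content looks the same whether it was AES-encrypted or
    # replaced with random bytes; under the model described in the article
    # the file size decides which of the two happened.
    return "destroyed" if p.stat().st_size >= size_threshold else "encrypted"


def triage(root, **kwargs) -> dict:
    """Walk a tree and bucket every regular file by classify_file()."""
    root = Path(root)
    buckets = {"untouched": [], "encrypted": [], "destroyed": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            buckets[classify_file(p, **kwargs)].append(str(p.relative_to(root)))
    return buckets


def build_sample_tree(root) -> None:
    """Constructed sample data for the demo; not from any real incident."""
    root = Path(root)
    # Plain text the ransomware did not reach: low entropy.
    (root / "notes.txt").write_bytes(b"quarterly budget draft, see attachment\n" * 200)
    # Small file: stands in for an encrypted document (random bytes model ciphertext).
    (root / "report.docx").write_bytes(os.urandom(4096))
    # Large file: stands in for one overwritten with random data.
    (root / "archive.zip").write_bytes(os.urandom(3 * 1024 * 1024))


def demo() -> dict:
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket:>9}: {files}")
```

The entropy check is only a first-pass filter: it cannot distinguish ciphertext from random garbage, which is exactly why the size rule carries the recovery decision.  In a real engagement, confirm the threshold and the targeted-extension list from the sample's configuration before relying on this split, and treat everything in the "destroyed" bucket as a backup restore regardless of any negotiation.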

Last month, Dragos researchers noted that Onyx was among the groups targeting critical infrastructure operators.  Latin American governments and militaries have squared off against dozens of ransomware groups over the past year.

While the Conti ransomware group garnered the biggest headlines for its crippling attack on the entire government of Costa Rica, several other groups have targeted legislatures, government agencies, regulators and businesses across the region.  The legislature of Argentina’s capital city announced a ransomware attack on 13 September, and Argentina’s Judiciary of Córdoba was attacked by a ransomware group in August.  Two weeks before that, Chile’s cybersecurity incident response team said an unnamed government agency was dealing with a ransomware attack that targeted the organization’s Microsoft tools and VMware ESXi servers.

The Dominican Republic, meanwhile, announced that it was refusing to pay a ransom following an attack on one of its departments on 26 August.  Ransomware groups similarly targeted the Secretary of State for Finance of Rio de Janeiro in April and crippled the government of Costa Rica in May.  There have also been several other rumored attacks on nations in the region that were never confirmed.

Spain: half a million taxpayers and 50,000 police officers have their information stolen by attackers

El Economista reports that Spain’s General Council of the Judiciary (CGPJ) suffered a cyberattack on its Punto Neutro Judicial (PNJ) platform, which connects judicial bodies with other government agencies, including the National Police Force, the Attorney General’s Office, and the General Secretariat of Penitentiary Institutions.[2]  DataBreaches sent an email inquiry on 7 November but received no reply.  An email was also sent to Spain’s data protection regulator, the AEPD, asking whether it had been notified.  No reply was received from the AEPD either, but on 8 November the CGPJ announced a cyberattack that it had detected in October 2022.  Its statement indicates that the attackers used the PNJ platform to gain access to other public institutions, but that no data relating to judicial proceedings or other information held by the courts and tribunals had been compromised.  The relevant agencies were notified, as was the AEPD.

On 11 November, El Hacker reported that the attackers were able to reach the Treasury Information Services and exfiltrated information on half a million Spanish taxpayers.  They were also able to access the General Police Directorate and obtained the personal information of 50,000 police officers.  The CGPJ’s statement does not indicate who the attackers are or whether any ransom was being negotiated.  DataBreaches had not spotted this incident on any dedicated leak site by the time of publication.

In November 2022, the APM Terminals port in Guatemala was targeted by a ransomware attack, according to the Danish outlet Version2.  The company will only confirm that the port “is currently facing some isolated technical issues.”  This attack is likely a direct result of the earlier cyberattack.[3]

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com      

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941


REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989


[1] https://therecord.media/guatemalas-foreign-ministry-investigating-ransomware-attack/

[2] https://www.databreaches.net/bits-n-pieces-trozos-y-piezas-16/

[3] https://shippingwatch.com/carriers/Container/article14596551.ece
