Last week a long nightmare began for IFX Networks. After customer complaints started arriving from Chile and Colombia, technical support staff in Bogotá attempted to access the management console from which the company manages connectivity and cloud services for more than 4,200 companies of all sizes in Latin America (1,800 of them in Colombia). It had been taken off the air.


And they couldn’t get in. Instead, a Mario Bros. figure making the letter ‘V’ for victory appeared on the screen, with a message in English underneath: “Welcome to RansomHouse, you have been blocked by Mario. If you are reading this message, it means your network infrastructure has been compromised, your critical customer data has been leaked, backups of everything have been destroyed, and information has been encrypted.”

The fear was confirmed: RansomHouse had hijacked the IFX management platform and its clients’ information. “They tell us that over 700 machines (between physical and virtual servers) are affected. There are many companies and organizations that have been compromised,” Julio César Mancipe, the presidential cybersecurity advisor, told EL TIEMPO.

The impact is said to have reached 46 government institutions alone; of these, 25 have connectivity services contracted with IFX Networks, while the other 21 have services and/or applications hosted in that company’s cloud and are therefore the most affected.


One of them is the Ministry of Health: it lost access to its core platform, the Integrated Social Protection Information System (Sispro), and to the Mipres application through which doctors order medications, treatments, surgeries, everything.

Therefore, the emergency plan ordered by the Minister of Health was to require all EPS, hospitals, IPS and other institutions to revert to pen and paper.

That is how, for example, births and deaths are now being registered, and how appointments, treatments and therapies, as well as highly complex surgeries and consultations, among other services, are being kept moving. A hospital or EPS whose own system is active can work, but whenever data must be requested from the Ministry of Health, it is blocked.


“They are trying to recover information by asking medical institutions, if they hold databases from the ministry, to please report and return them,” explained a person familiar with the PMU (unified command post), a task that is far from a solution.

There is a risk of collapse in health services for citizens. EL TIEMPO has learned that IFX is aiming to reactivate its services for its customers on September 22, but there is no certainty that it will be able to achieve this technically.

It was reported that at least two million judicial proceedings were affected by the attack. Saúl Kattan, senior presidential advisor for Digital Transformation, said that judicial service platforms were also affected.

Here, the response of the judiciary was to suspend procedural deadlines until September 20, and to call on staff to work in person with pen and paper so that courts and hearings could continue.

According to a PMU source speaking to EL TIEMPO, the Inspectorate for Industry and Commerce noted that it had no applications in the IFX cloud and was “recovered only because it was a connectivity client”, so it could be quickly reactivated.

This points to another serious mistake: IFX did have backup systems, but not in separate data centers as good practice requires; the backups sat in the same technological environment in which the attack was carried out, so they were encrypted or destroyed along with the production systems.


An engineer working at the organization in question said: “The Ministry of Health is upset because they believe the backup service they paid for was not efficient and was not a fully professional backup.”

Another strong criticism the company has received concerns excessive secrecy. While it is advisable to keep the technical processes required in such a situation confidential, the Government and the affected organizations are deeply concerned that IFX shares little or no information that would let them assess the precise scope of the attack.

At the time of writing, IFX had not informed the Government of the exact number of companies affected, nor of the type of ransomware involved.

“This lack of clarity has created deep confusion and left those affected in a state of unnecessary uncertainty. This undermines the planning and response capacity of these companies,” say experts at Cybersecurity Latam.

The situation is serious. The only progress being made is in the working groups between IFX and the main affected organisations: the Ministry of Health, Supersalud, the Ministry of Agriculture and the ICA, which began work yesterday, with an agreement reached between the parties and the Presidency.

Zscaler’s ‘Ransomware Report 2023’ shows almost 40 percent growth in such attacks worldwide last year, with a notable trend toward compromising data no longer by encrypting it but by exfiltrating it and threatening to publish it. Various experts and organizations have warned that Latin America is one of the regions least prepared to face this type of cybercrime.

The judicial committee visited the IFX Networks headquarters in Bogotá to receive the company’s formal complaint. Evidence was collected during the examination, including what has been established so far about the method, the type of ransomware code used and the affected companies. Although the PMU statement says that 50 public and private organizations requested assistance, it is known that many more companies and organizations across the country are affected. IFX is estimated to serve approximately 15,000 clients of all sizes in Colombia alone.


The first references to this group date from 2021.

The group is alleged to be behind attacks on technology companies such as AMD and Adata, as well as healthcare companies such as Colombia’s Keralty, and to have demanded US$3 million from those companies to regain access to their platforms, an exorbitant payment that was never made.

According to Minsait Cyber Security Director Carlos Contreras, “these organizations operate in a structured way and with specialized roles”: there are malware developers, ransom negotiators, and launderers of the money they obtain.

Andrés Roldán of Fluid Attacks pointed out that “this group uses a ‘ransomware-as-a-service’ model where they rent the codes of their attacks to others for a ‘success fee’.”

In this case, it is estimated that the group may demand between 5 and 6 million US dollars from IFX for the return of the seized systems. Paying is not recommended, but some experts see it as an option.

“It’s their job, and they say they’ll comply if they’re paid, which is bad because it keeps feeding ransomware,” explains Fortinet’s Andrés Cajamarca.

The ideal is to have the tools in place both to prevent an attack and to recover from it.

JOSÉ CARLOS GARCÍA R.
Multimedia Editor
On X: @JoseCarlosTecno

Source: Exame
