The ledesma group, one of the largest sugar mills in Latin America, suffered a ransomware cyberattack this Wednesday night. The company confirmed to Clarion that from the systems department they did not communicate with Lockbitthe group of cybercriminals who sent them a note informing them that they had been hacked.
“Last night Ledesma suffered a ransomware attack. We have already taken preventive measures and so far the blocking systems are responding well, without major consequences. We are going to continue monitoring the impact in the next few hours,” they explained to this medium.
The company, which belongs to the Blaquier family -one of the richest in Argentina- is one of the most important mills in Latin America. It is not only dedicated to the production of cane sugar, but also to all its derivatives, from paper (notebooks, ream sheets) to biofuels. Their business is diversified and they also have citrus plantations, being one of the largest exporters of lemons and oranges.
Ransomware attacks encrypt victims’ data and ask for a ransom in money in returnusually in cryptocurrencies so as not to be located.
They are becoming more frequent and are being suffered by companies all over the world, from companies like Colonial Pipeline in the United States to the Senate of the Argentine Nation, at the beginning of this year.
“The Lockbit ransomware group has just attacked Ingenios Ledesma, encrypting their files and requesting a ransom to return the information and not publish what happened. They left two notes asking for ransom: a digital one, which is a text file with instructions for paying the ransom; and another physical one, repeatedly printed on printers on the compromised network”, Mauro Eldritch, an expert and consultant in computer security, explained to Clarín.
“That is, the employees found several copies stacked in their printer trays upon arrival, in addition to having the copy of the ransom note on their desk,” he clarified.
The figure demanded by cybercriminals is not yet known. However, Lockbit has a history of extortion with high amounts: They target great players.
“They can ask between 200 and 400 thousand dollars. The amounts can rise as the days go by, especially if an agreement is not reached”, explains the cybersecurity architect. The amounts are known once the victim initiates a dialogue, via chat, with those who steal the information.
Another question that usually arises in these cases is what type of information was encrypted: “It is impossible to know blindly, but a company of this magnitude must be considered critical. Also, Lockbit does not usually target small victims and it shows with their high ransom demands,” he adds.
Finally, Ledesma did not speak of deadlines, since by ensuring that there was no contact with cybercriminals, it is not available information. In previous cases, Lockbit has given 3-4 days to negotiate. After that time, they publish all the information on the dark web.
The way in which ransomware enters a computer is diverse. It can be from a malicious email that an employee opens, or from a file sent through an online messaging service.
Lockbit: serious cybercriminals
Unlike Lapsus$, the group of cybercriminals that carried out the most resounding attacks of these weeks, from Nvidia and Samsung to Globant and Mercado Libre, Lockbit has more muscle: they have their own ransomware.
That is, this group has its own program that, once it is executed on a computer, spreads throughout the network. and prevents access to files.
When encrypting the files, LockBit changes the extension to “.abcd” to render them inoperative (although they can use any extension). Once they are decrypted (by using a program called “decrypter”), they leave a text file called “Restore-My-Files.txt” to recover the information.
“LockBit, initially known as ABCD due to the extension it adds to encrypted files, started in 2019 and has since become one of the most prolific ransomware gangs. LockBit works on the basis of a ‘ransomware as a service’ [RaaS]which means that it actually ‘rents’ to people who then use the ransomware to carry out attacks. And those people can be based anywhere in the world, perhaps even in Argentina”, explains Clarín Brett Callow, a computer security analyst at Emsisoft.
Lapsus$, on the other hand, works through social engineering: recruiting employees who actively give up their credentials to harm targeted companies.
Lockbit, on the other hand, has a much more powerful infrastructure that has already been uploaded to several companies around the world: Bridgestone, Microsoft (Windows domains), Bangkok Airways and even a network of UK railways.
In February of this year, the FBI released some of its attack techniques, along with tips on how to defend yourself.
The band, however, continues to wreak havoc with its ransomware.