The National Lottery has become the latest victim of Avaddon, a hacker group of Russian origin with a track record of more than 170 infected companies. The cyber attack on the Mexican institution took place two weeks ago, but it did not admit it until Monday. “A theft of information was detected in the administrative area of the National Lottery, formerly Sports Forecasts, by criminals who operate internationally,” the statement said. Among the stolen data are financial, legal and human resources documents, as well as contracts signed from 2009 until now. The hackers also hold information about a case of sexual harassment within the company.
This type of attack, known as ransomware, is a hijacking of information, equipment and servers; in exchange for returning control, the criminals demand a ransom. In this case, the hackers are blackmailing the National Lottery by threatening to make the compromised documents public if it does not pay within the next five days. The amount demanded has not yet been revealed, but according to a document from the Australian Cybersecurity Center on this type of cyber attack, around 0.73 bitcoins are usually requested, which translates into $40,000, about 800,000 Mexican pesos.
Hiram Camarillo, Director of Information Security at Seekurity, was the one who raised the alarm last week about what happened to the National Lottery. The hackers publicized the cyber attack on their blog, located on the deep web (the so-called deep internet, which regular search engines do not reach). As evidence, they attached internal emails and screenshots of contracts, meetings and payments. For days, the Mexican institution did not comment. And the criminals insisted: “Apparently the company does not understand the seriousness of this situation and wants to hide the fact that they were hacked and we stole data from their servers.”
“We have a lot of confidential data like sexual harassment cases, nasty incidents and a lot of dirt associated with your company. If you continue to lie to everyone and do not contact us, we are ready to surprise everyone who follows the news,” Avaddon threatened in its latest update. Meanwhile, the countdown is still red and running: five days and a few hours remain before the information is leaked.
Camarillo assures EL PAÍS that Avaddon “is a serious group” and that it does not lie in its threats. First recorded in 2019, it is one of the five largest and most active cybercriminal groups. Its list of victims includes the operations of AXA Group in Asia, Cuatro Barras in Brazil, Grupo Active and Fornesa SL in Spain, the Febancolombia fund in Colombia, and companies from Canada and Saudi Arabia. Its origin is placed in Russia because tools written in Russian have been identified and because the group does not attack companies located in the so-called Commonwealth of Independent States, which includes Russia, Ukraine and Belarus, explains this cybersecurity expert.
“This is a very serious incident,” says Atul Narula, a cybersecurity researcher at the International Institute of Cybersecurity. His recommendations to the company after this attack include cleaning up the network, improving data protection and, above all, finding out how the virus got in. “They have to know how they got in. Today it is Avaddon, tomorrow it may be another group,” says this expert. Because of the type of data that was leaked, including the minutes of several companies, Narula says the National Lottery should notify the affected companies, since the compromised data can be used to steal the identity of a person or company.
The Mexican institution has stated that it has the advice and support of the National Digital Strategy Coordination (CEDN) and that the raffle and contest system has not been affected by the cyber attack.
The attack starts with an email
Ransomware attacks usually reach companies by email. Employees receive an email containing some lure, from threats about compromising photos to attractive images or texts, that gets an employee to click and download the files. This technique is known as phishing (from “fishing”). From that moment, and in a matter of minutes, the virus spreads and infects computers and servers. It then encrypts the information on the network and locks it. “Sometimes a ransom note appears on the computers explaining who they are and the instructions you have to follow. They leave you an ID so you can enter the group’s page,” says Camarillo. “There are ransomware groups that have their own customer service. There you start to see how much money you are going to pay them and whether they are open to negotiating.”
None of the experts recommend paying. In fact, the FBI itself discourages hacked companies from doing so: paying the ransom strengthens the criminal group, and since the information has already been stolen, there is no guarantee that it will not be leaked at another time.
This cyber attack is further proof of the vulnerability of Mexican companies and organizations. The culture of cybersecurity is non-existent, says Camarillo, who points, for example, to more than 16 Government of Mexico web pages that are abandoned and attacked by hackers. “There are many bad configurations, the Government does not respond, it never contacts us,” he explains.
In 2019, the target of the cyber attack was Pemex. In an attack more serious than the current one, the hackers hijacked 5% of its computers, affecting the Veracruz and Tabasco refinery and central servers. The following year it was the turn of the National Insurance and Finance Commission, which had more than 10 gigabytes of confidential information stolen, for which the attackers asked for a million dollars. “The situation is very bad,” sums up the researcher from the International Institute of Cybersecurity, “many Mexican companies are being attacked.”
Eddie is an Australian news reporter with over 9 years in the industry and has published on Forbes and TechCrunch.