Pierluigi Paganini November 21, 2024
Mexico’s president announced the government is investigating an alleged ransomware hack that targeted the administration’s legal affairs office.
“Today they are going to send me a report on the supposed hacking,” President Claudia Sheinbaum said during her morning press briefing.
The authorities launched an investigation after the ransomware gang RansomHub claimed the attack and published samples of personal information taken from a government database.
RansomHub claimed to have stolen 313 gigabytes of data from the Mexican government office. The stolen files allegedly include contracts, insurance, and financial documents.
The ransomware gang published a sample of the stolen files on its leak site; the sample appears to originate from a government employee database.
This is not the first time Mexico’s presidential office has been targeted in a hack involving sensitive information.
“In January, someone leaked the personal information of 263 journalists who had signed up to cover presidential activities,” reported the Associated Press. “In that case, officials at the president’s press office later said the information appeared to have been downloaded using the password of a former employee.”
RansomHub is a relatively new ransomware-as-a-service (RaaS) group that emerged in early 2024. It has quickly gained notoriety for its aggressive tactics and its focus on critical infrastructure sectors, and its payload has been employed in the operations of multiple threat actors. Microsoft reported that RansomHub was observed being deployed in post-compromise activity by the threat actor tracked as Manatee Tempest, following initial access obtained by Mustard Tempest via FakeUpdates/Socgholish infections.
Experts believe RansomHub is a rebrand of the Knight ransomware. Knight, also known as Cyclops 2.0, appeared in the threat landscape in May 2023. The malware targets multiple platforms, including Windows, Linux, macOS, ESXi, and Android, and its operators ran their RaaS operation on a double extortion model.