The Córdoba Judiciary in Argentina has shut down its IT systems following a ransomware attack, which was allegedly carried out by the new ‘Play’ ransomware operation. The incident occurred on Saturday, August 13th, and forced the Judiciary to take down its online portal and IT infrastructure. Additionally, the downtime makes it necessary to file formal documents using pen and paper.
The Judiciary acknowledged that it had been infected by ransomware and is collaborating with Microsoft, Cisco, Trend Micro, and local experts to investigate the incident, according to a “Cyberattack Contingency Plan” published by Cadena 3. According to a Google translation of the plan, the Court of Córdoba was the target of a cyberattack on Saturday, August 13, 2022, in which ransomware disrupted the availability of its IT systems.
Reports cited by Clarín describe the attack as the “worst on public institutions in history,” since it affected the Judiciary’s databases and IT systems. Although the Judiciary withheld specifics of the incident, journalist Luis Ernesto Zegarra tweeted that it was hit by ransomware that adds the “.Play” extension to locked files. That extension is associated with the ‘Play’ ransomware operation, which debuted in June 2022.
As with every ransomware operation, the threat actors break into a network and then encrypt its devices; the malware appends the .PLAY extension to the files it encrypts. Play’s ransom note is exceptionally short and direct, unlike the lengthy notes most ransomware operations leave to deliver grave warnings to their victims. Whereas other ransomware drops a note in every folder, Play writes a single ReadMe.txt at the root of the hard drive (C:\) containing just the word “PLAY” and a contact email address.
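The two on-disk indicators just described (a .PLAY extension on encrypted files and a tiny ReadMe.txt at the drive root carrying “PLAY” plus a contact address) are easy to check for during triage. The Python helper below is an added example, not code from the article or from any vendor named in it; the function names, the sample directory it builds and the contact address in that sample are constructed for the illustration.

```python
import os
import re
import tempfile

# Matches a contact address such as the one the article says the note carries.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def triage_play_indicators(root):
    """Check `root` (standing in for a drive root such as C:\\) for the two
    on-disk indicators described above and return a summary dict."""
    encrypted = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".play"):  # .Play and .PLAY both reported
                encrypted.append(os.path.join(dirpath, name))

    note_path = os.path.join(root, "ReadMe.txt")
    note_matches, contact = False, None
    if os.path.isfile(note_path):
        # The note is tiny; a bounded read avoids stalling on an oversized file.
        with open(note_path, "r", errors="replace") as fh:
            text = fh.read(4096)
        match = EMAIL_RE.search(text)
        if "PLAY" in text and match:
            note_matches, contact = True, match.group(0)

    return {
        "encrypted_count": len(encrypted),
        "encrypted_files": sorted(encrypted),
        "ransom_note_at_root": note_matches,
        "contact_email": contact,
        # Both indicators together are a much stronger signal than either alone.
        "likely_play": note_matches and bool(encrypted),
    }


def build_sample_tree():
    """Build a constructed directory that mimics the pattern (placeholder
    bytes, not real ciphertext, and a made-up note) and return its path."""
    root = tempfile.mkdtemp(prefix="play_triage_")
    docs = os.path.join(root, "Users", "docs")
    os.makedirs(docs)
    for name in ("case01.docx.PLAY", "case02.pdf.PLAY"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    with open(os.path.join(root, "ReadMe.txt"), "w") as fh:
        fh.write("PLAY\ncontact@example.invalid\n")  # constructed sample note
    return root
```

Running `triage_play_indicators(build_sample_tree())` reports both indicators; on a clean tree `likely_play` stays false even if a stray ReadMe.txt exists, because the extension count is also required.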
It is unclear how Play gained access to the Judiciary’s network. However, the Lapsus$ breach of Globant in March exposed a list of staff email addresses, which could have given threat actors the opportunity to run a phishing campaign and harvest login credentials. There is no evidence that the ransomware group has leaked any data or that any data was stolen during the attack. This is not the first ransomware attack on an Argentine government organization: the Dirección Nacional de Migraciones was hit by the Netwalker ransomware group in September 2020, which demanded a $4 million ransom.