The judiciary in Cordoba, Argentina, South America, was forced to shut down its IT systems due to a ransomware attack, which was reported to be the work of the newly emerged Play ransomware.
The attack, which took place last Saturday (August 13), forced the local judiciary to shut down its IT systems and online portal. During the service interruption, official documents can only be submitted in traditional paper form.
According to the “Cyber Attack Contingency Plan” released by Argentine news media Cadena 3, the Cordoba judiciary confirmed that it had suffered a ransomware attack and has launched an investigation into the incident together with Microsoft, Cisco, Trend Micro and local experts. They are making every effort to recover the affected data.
As rendered by Google Translate, the report states that “on Saturday, August 13, 2022, the technical infrastructure of the Court of Cordoba was hit by a cyber attack, and IT services were affected by ransomware and were unable to function properly.”
Argentine news outlet Clarín also mentioned that a source said that the attack affected the IT systems and databases of the judiciary, which was “the most serious attack on a public institution in the country’s history”.
Attacker is Play ransomware
While the judiciary has not disclosed further details of the attack, journalist Luis Ernest Zegarra tweeted that the judiciary was hit by a ransomware attack that encrypts files with the “.Play” extension.
The extension is linked to the “Play” ransomware, which emerged in June 2022, when the first victims described the attacks on the BleepingComputer forums.
Like other ransomware operations, the Play gang first breaks into the network and then encrypts devices. When encrypting files, the ransomware appends the .PLAY extension, as shown in the image below.
But unlike most other ransomware, which leaves a lengthy extortion note to pressure victims, “Play” is notably terse.
The ReadMe.txt ransom note for “Play” is not spread across every folder, but dropped only in the root directory (C:\) of the disk drive. The content is also very concise, containing only the word “PLAY” and a contact email address.
The Play gang uses a number of different contact email addresses, so the address shown above may not be the one used in the Cordoba judiciary attack.
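The two file-system artifacts described above (files renamed with a .PLAY extension and a very short ReadMe.txt dropped only at the drive root) are what an incident responder would look for first when triaging an affected machine. The following Python script is an added example, not code from the article or from any of the parties named in it: it walks a directory tree, lists files carrying the extension, and checks whether a root-level ReadMe.txt matches the terse note described. The directory layout and file contents it builds for itself are constructed for the demo; the contact address is a placeholder, since the article does not print one.

```python
"""Added example: triage a directory tree for the Play ransomware artifacts
described in the article (".PLAY" file extension, short ReadMe.txt note at
the drive root). Sample tree and contents below are constructed."""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".play"   # matched case-insensitively (".Play" / ".PLAY")
NOTE_NAME = "readme.txt"  # the note is described as living only at the drive root


def find_play_artifacts(root):
    """Return (sorted list of encrypted file paths, root note path or None).

    `root` stands in for a drive root; on a Windows host you would pass
    "C:\\" (assumed usage, not something the article specifies).
    """
    root = Path(root)
    encrypted = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(str(Path(dirpath) / name))

    note = None
    for child in root.iterdir():  # only the root, not subfolders
        if child.is_file() and child.name.lower() == NOTE_NAME:
            note = str(child)
            break
    return sorted(encrypted), note


def note_looks_like_play(note_path):
    """The article describes the note as just the word PLAY plus a contact
    address, so flag a root note that is short and contains 'PLAY'."""
    if note_path is None:
        return False
    text = Path(note_path).read_text(errors="replace")
    return len(text) < 200 and "PLAY" in text.upper()


def build_sample_tree():
    """Create a constructed directory that mimics the described artifacts."""
    base = Path(tempfile.mkdtemp(prefix="play_demo_"))
    (base / "docs").mkdir()
    (base / "docs" / "expediente.docx.PLAY").write_bytes(b"\x00" * 16)
    (base / "docs" / "unaffected.txt").write_text("still readable")
    (base / "ReadMe.txt").write_text("PLAY\n<contact-email-placeholder>\n")
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    files, note = find_play_artifacts(sample)
    print("encrypted files:", files)
    print("root note:", note, "| looks like Play:", note_looks_like_play(note))
```

The note check deliberately keys on the note's brevity and location rather than on a contact address, because, as the article points out, the gang rotates addresses between victims; the extension and root-only note placement are the more stable indicators.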
It’s unclear how the Play gang got into the judiciary’s network. However, in the Lapsus$ intrusion into Globant in March this year, email address lists belonging to justice department employees were leaked. The Play gang may have used these to run a phishing campaign and steal login credentials.
There is currently no indication that the ransomware gang stole data during the attack.
This is not the first time an Argentine government agency has suffered a ransomware attack. Back in September 2020, the Netwalker ransomware gang attacked the Dirección Nacional de Migraciones, Argentina’s official immigration office, and demanded a ransom of $4 million.
All organizations and individuals need to protect their data with a VM backup solution, including RHV backup, VMware backup and so on. Patient information is crucial in medical institutions because it affects patients’ personal privacy. Unlike corporations, medical institutions provide services to patients, and the patient’s experience and information security matter far more than in everyday settings. As a result, medical institutions should place a premium on data security. Not only is patient information important, but so is the institution’s critical technical data. To safeguard that data, a disaster recovery backup is necessary.