Unknown attacks National Consumer Service of Chile

Incident Date: Jul 08, 2022

Attack Overview

Victim: National Consumer Service of Chile
Industry: Government
Location: Chile
Attacker: Unknown
First reported: July 8, 2022

Unknown Threat Actor Attacks National Consumer Service of Chile

An unknown threat actor has attacked the National Consumer Service of Chile. The Government CSIRT (Computer Security Incident Response Team) issued a report on an ongoing incident that affected a government service on Thursday, August 25. The incident resulted in the interruption of the service's systems and online services. The incident is attributed to a ransomware attack that specifically targeted Microsoft and VMware ESXi servers within the organization's corporate networks.

The ransomware employed in this attack can halt all running virtual machines and encrypt the files associated with them. Upon infection, the affected files have their extension changed to ".crypt". Subsequently, the attacker gains complete control over the victim's system and leaves a ransom message specifying the amount of data that has been hijacked. The message includes a communication channel and a unique ID for contacting the attacker. A three-day deadline is given for communication; otherwise, the attacker threatens to render the data inaccessible to the organization and offer these assets for sale to third parties on the dark web.

The ransomware utilizes the NTRUEncrypt public key encryption algorithm, with a particular focus on targeting log files (.log), executable files (.exe), dynamic library files (.dll), swap files (.vswp), virtual disks (.vmdk), snapshot files (.vmsn), and memory files (.vmem) of virtual machines, among other file types. Moreover, the malicious program associated with the ransomware also possesses infostealer features, which include:

  • Stealing credentials from web browsers.
  • Listing removable devices such as HDDs and flash drives.
  • Exhibiting antivirus evasion capabilities using timeouts.
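The ".crypt" renaming and the targeted file types described above give defenders a concrete triage check. The following is an added example, not code from the CSIRT report or from Halcyon: it compares a baseline datastore listing with a current one and reports VM directories whose targeted files now exist only as ".crypt" copies. The paths, the listings, the function names and the threshold are constructed for illustration, and because the report does not say whether the extension is appended or replaced, both cases are checked.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# File types the report lists as targeted, and the extension it says is applied.
TARGETED = {".log", ".exe", ".dll", ".vswp", ".vmdk", ".vmsn", ".vmem"}
MARKER = ".crypt"

def find_encrypted(baseline, current):
    """Map each directory to baseline files that now exist only as a .crypt copy.

    Assumption: the rename is either appended (disk.vmdk -> disk.vmdk.crypt)
    or replaced (disk.vmdk -> disk.crypt); the report does not say which.
    """
    current = set(current)
    hits = defaultdict(list)
    for path in baseline:
        p = PurePosixPath(path)
        if p.suffix.lower() not in TARGETED or path in current:
            continue  # not a targeted type, or the original is still present
        appended = path + MARKER
        replaced = str(p.with_suffix(MARKER))
        if appended in current or replaced in current:
            hits[str(p.parent)].append(p.name)
    return dict(hits)

def triage(baseline, current, threshold=2):
    """Directories with at least `threshold` targeted files replaced by .crypt."""
    hits = find_encrypted(baseline, current)
    return sorted(d for d, names in hits.items() if len(names) >= threshold)

# Constructed sample listings (not taken from the incident).
BASELINE = [
    "/vmfs/volumes/ds1/web01/web01.vmdk",
    "/vmfs/volumes/ds1/web01/web01.vmsn",
    "/vmfs/volumes/ds1/web01/vmware.log",
    "/vmfs/volumes/ds1/web01/web01.vmx",
    "/vmfs/volumes/ds1/db01/db01.vmdk",
    "/vmfs/volumes/ds1/db01/db01.vmem",
]
CURRENT = [
    "/vmfs/volumes/ds1/web01/web01.vmdk.crypt",  # appended style
    "/vmfs/volumes/ds1/web01/web01.crypt",       # replaced style (was .vmsn)
    "/vmfs/volumes/ds1/web01/vmware.log",
    "/vmfs/volumes/ds1/web01/web01.vmx",
    "/vmfs/volumes/ds1/db01/db01.vmdk",
    "/vmfs/volumes/ds1/db01/db01.vmem",
    "/vmfs/volumes/ds1/db01/notes.crypt",        # no baseline counterpart
]

if __name__ == "__main__":
    print(triage(BASELINE, CURRENT))
```

Matching against a baseline rather than flagging every ".crypt" file keeps unrelated files with that extension, such as the sample "notes.crypt", out of the result.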
