The Government of Mexico has found itself the latest victim of an apparent ransomware attack as the RansomHub cybercriminal gang claims to have breached the nation’s official federal website.
The Mexican government’s gob.mx website address was posted on the ransomware group’s dark leak blog early morning on Friday.
The Russian-linked cartel claims to have exfiltrated 313 gigabytes of information from the website’s servers.
“Gob.mx is the platform that promotes innovation in government, drives efficiency, and transforms processes to provide information, procedures, and a platform for public participation,” RansomHub posted on its site.
The gang has set a deadline of ten days for Mexico’s government to pay an undisclosed ransom demand before publishing the alleged stolen files, which according to the criminals include “Contracts, insurance, financials, confidential files.”
The group has also posted a cache of over 50 sample files which appear to be from a database of federal employees.
The database sample contains personal information on each employee, including the employee’s full name, job title, and color headshot, which government building the employee works at, their email address, phone number extension, and some sort of ID reference number.
There are also several samples of signed government documents from 2023, one addressed to the Mexican government's Director of Information Technology and Communications, Mario Gavina Morales, and what appears to be a transportation contract worth about 100,000 USD.
The Palacio Nacional (pictured above) serves as home to the offices of the president of Mexico and the Federal Treasury, and is listed as the work address of many employees in the samples, although it's not clear where the IT networks and other federal agencies are located.
The official website of the Mexican Government has officially been breached by RansomHub.
Dominic Alvieri (@AlvieriD), November 15, 2024
Who is RansomHub?
RansomHub is a relatively new player in the ransomware ecosystem, having posted its first victim on February 26th, 2024.
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint advisory about the RansomHub gang on August 30th, triggered by its accelerated climb as one of the most active ransomware groups so far this year.
Threat intelligence researchers at Searchlight Cyber say RansomHub is now “ranked third among the most prolific ransomware groups of H1 2024” and that the gang’s rapid rise suggests “possible connections to established players like BlackCat,” according to the firm's newly released ransomware report.
A new report from early November showed RansomHub claimed nearly a fifth of all ransomware victims in September 2024, including Kawasaki Motors Europe and the multi-center Planned Parenthood of Montana.
According to the CISA advisory, which provides a full list of known IOCs, including IP addresses, tools, known URLs, email addresses, and more, the cybercrooks are said to have breached at least 210 victims since February, a rate of almost one victim per day.
RansomHub victims include various organizations, from critical infrastructure to private corporations in the US, including the oilfield servicing company Halliburton, allegedly breached by the gang in early August, as well as the US drug store chain Rite Aid in July.
Known for operating a ransomware-as-a-service (RaaS) model and using double extortion tactics, the group became a main player in the aftermath of the massive UnitedHealth's Change Healthcare breach carried out by the ALPHV/BlackCat ransomware gang.
RansomHub – thought to be one of the main affiliates connected to ALPHV/BlackCat at the time – claimed to have published a swath of files allegedly part of what was obtained during the Change Healthcare hack.
“Its representatives have been spotted recruiting affiliates on dark web forums, offering a fixed 10 percent fee and the option to collect ransom payments directly from victims before paying the core group,” Searchlight Cyber researchers said.
“Its ‘affiliate-friendly’ model could also be seen as a direct response to BlackCat’s retirement,” the researchers noted.
The Russian-linked ALPHV/BlackCat perpetrated its "exit scam" back in March by “taking the entire [$22 million] ransom payment from Change Healthcare without properly compensating the [RansomHub] affiliate responsible for the attack,” researchers explained.
Additionally, the Searchlight Cyber white paper shows that “most of RansomHub’s victims are located in the United States,” further supporting this conclusion.
It's been shown that the group’s setup closely resembles that of a traditional Russian ransomware setup, with the gang avoiding targets in Russia, CIS countries, Cuba, North Korea, and China – typical of Kremlin-backed gangs.
RansomHub breach victims in the first half of 2024 include gaming laptop-maker Clevo, the high-profile Christie’s auction house, and Frontier, the 4th largest high-speed internet provider in the US covering 25 states.