Lotenal (National Lottery of Mexico)

Lotenal (National Lottery of Mexico) Data Breach (2021)


lowVERIS
Disclosed

May 27, 2021


Records

Undisclosed

Confirmed

Root Cause

Ransomware

Industry

Entertainment

Description

A group of hackers that claims to have infiltrated the computer servers of the National Lottery (Lotenal) has threatened to reveal confidential information if the agency refuses to cooperate with it. A criminal group claims to have accessed Lotenal’s servers last Thursday using Avaddon ransomware, malicious software (also known as malware) that has been used in numerous cyberattacks in several countries. The group demanded the payment of a ransom within 10 days in exchange for not leaking information it stole. The amount it is asking for is unknown.

“… We have data such as all contracts and agreements from 2009 to 2021, legal documents, correspondence, finance, notarial data, outsourcing, and much more,” the group said in a statement published online. “Also remember that data cannot be decrypted without our general decryptor. And your site will be attacked by a DDoS [distributed denial of service] attack,” it said.

Lotenal has neither confirmed nor denied that it was the victim of a cyberattack. It said on Friday that it was updating its systems and that this was causing some interruptions to its online services.

On Saturday, the criminal group published another statement. “Apparently the [agency] does not quite understand the seriousness of this situation and wants to hide the fact that they were hacked and we stole data from their servers,” it said. “… What if we say that we have a lot of confidential data (see photo below), such as sexual harassment in the workplace, unpleasant incidents and a lot of dirt associated with your [agency]? If you continue to lie to everyone and do not contact us on this fact, then we, in turn, are ready to surprise all who follow the news related to our blow to your companies with very interesting documents that we have.” The group published an image of a redacted federal government document about a case in which a Lotenal cleaner was a victim of sexual harassment.

According to Hiram Caramillo, co-founder and director of information security at the cybersecurity consulting firm Seekurity, groups that use ransomware such as Avaddon are “criminals that earn millions of dollars” through extortion. He said that Lotenal should be working to ensure that Avaddon ransomware is no longer being used to infiltrate its systems. Caramillo also said the lottery agency must identify what information has been stolen.

“It’s not the first time that a company that has been hacked denies the attack,” he said, referring to Lotenal’s decision not to publicly acknowledge the cyberattack. Nor is it the first time that ransomware groups respond to companies that refuse to cooperate, he said. “The same situation has already happened several times,” Caramillo said.

According to the United States Federal Bureau of Investigation (FBI), Avaddon ransomware was first advertised on Russian-language hacking forums as a ransomware-as-a-service, or RaaS, product. RaaS refers to the sale of malware to would-be hackers via a subscription model. Hackers who do not have the skills to write and deliver their own ransomware code to victims can do so by buying RaaS products on the dark web. The ransomware developers typically get a cut of the victim’s payment. According to the cybersecurity research company Group-IB, almost two-thirds of the ransomware attacks worldwide that it analyzed during 2020 came from cybercriminals operating on a RaaS model.