The travel insurer Universal Assistance was hacked by cybercriminals who published 54 GB of information, including personal data of thousands of clients.
The attack involved ransomware, a type of computer virus that hijacks information and asks for a ransom in exchange for not leaking the stolen files, which include files that refer to passport and credit card data.
Universal Assistance was infected with a strain called “RansomExx”, the same one that last year managed to leak private files of the Brazilian company Embraer, the third largest aircraft manufacturer in the world.
According to the cybercriminals’ website, the information was extracted on Thursday of last week. Several specialized sites began to notice it.
In fact, the data appeared on darktracer.com, a site that updates every day. The information is available at a deep web link that can be accessed with browsers such as Tor.
The RansomExx site, showing the hijacked information.
The list of leaked files is very long.
DarkTracer added Universal Assistance to its public attack list.
Clarín contacted Universal Assistance, which undertook to issue a statement this Tuesday. At the time of this publication, there is still no official explanation.
Among the files are JPGs that appear to be photos of passports, as well as specific cases of declined credit card payments.
In total, as can be seen in a file called “tree”, there are close to 1268 files in .docx, 8586 .xlsx, 29776 .pdf and 1843 .zip formats.
Clarín did not access the users' personal information, but a .txt file contains a list of the files and folders actually hijacked.
In that list you will find information about file names that denote sensitive data:
“Tree.exe”: the text file containing the names of the files stolen from Universal Assistance
PNGs, PDFs and JPGs
Personal information of users
What is RansomExx, the virus that stole information from Embraer
“RansomExx is a ‘rebrand’ of Defray777 [another virus] that is typically installed on Windows and Linux, which means that attacks can be specifically disruptive and imply that information retrieval takes longer and is more problematic,” Brett Callow, an analyst at computer security company Emsisoft, explained to Clarín.
Ransomware is a type of virus whose name combines two English words: ransom, the payment demanded in exchange for releasing something, and ware, a shortening of the well-known word software. In other words, it is a data hijacking program. Ransomware is a subtype of malware, a contraction of “malicious software.”
This type of virus works by restricting access to parts of our personal information, or all of it. And generally, cybercriminals exploit this to ask for something in return: money.
While some simple ransomware merely locks the system, the more advanced strains use a technique called “cryptoviral” extortion, in which the victim’s files are encrypted, making them completely inaccessible.
But regardless of whether the information is encrypted or not, the cybercriminals’ method is extortion: they threaten to spread the stolen information so that competitors can take advantage of it, or to expose users' personal data and thus harm not only individuals but also the companies that were supposed to have custody of that information.
RansomExx began to gain relevance in mid-2020, according to Malpedia, a site that catalogs cyber threats.
In turn, it is a variant of Defray, another ransomware that appeared for the first time in 2017 and was distributed via Word documents sent by email, with lures specifically designed for each user: personal data or recognizable information that created confusion and invited the recipient to click.
Some of the RansomExx victims during 2020 were Embraer, Minolta, and the Montreal public transportation system.
The aircraft manufacturer’s case drew wide attention. Cybercriminals managed to steal information from the company’s servers, including personal information of employees, company contacts, photos of flight simulations and even source code.
During 2020, one of the most significant attacks affected the national migration system in Argentina.
In September last year, a cyberattack that used the NetWalker ransomware strain hijacked information from the National Directorate of Migration (DNM) and demanded about 76 million dollars from the Government, which acknowledged only a ransom demand of 4 million dollars, which it refused to pay.
The data that was published contained information on the Federal Intelligence Agency (AFI), consulates, embassies and reports of migratory flows.
NetWalker collected more than $25 million through extortion up to last year.
Javier Smaldone, Argentine IT security specialist: “The problem is that Argentine law, unlike, for example, the European one, does not oblige anyone who is in custody of third-party personal data to notify them (or report them) when they are leaked. Therefore, most often when these things happen, companies keep it to themselves. Precisely for this reason, when finding them in a public list of ransomware victims, I decided to spread it on social networks,” he explained.
“In summary: if my data is leaked because a company that provides a service was attacked, I would like to find out. My personal data is mine. I give them to a company so that it can provide me with a service. But they are still mine; the company is obliged to properly guard them, and if they leak at the hands of a third party, I should be able to find out,” he explained.
Universal Assistance did not respond to a request for comment from Clarín.