The Judiciary of Córdoba in Argentina has temporarily shut down its IT systems after an attack by the PLAY ransomware group. The attack happened last week and led the court to take down its IT systems and online portals, forcing staff to submit official documents manually.
Córdoba confirmed that it was struck by ransomware and engaged several cybersecurity specialists to research and investigate the illegal operation. A researcher then reported that the attack impacted the court’s databases, making it one of the worst cyberattacks on a public institution in history.
Researchers claimed that the PLAY ransomware group most likely carried out the attack.
Although the Argentinian court did not reveal any details regarding the attack, many researchers claimed that PLAY ransomware executed it. The researchers’ claim arose after a journalist posted on Twitter that the encrypted files from the Judiciary carry a [.]Play extension.
The extension is heavily associated with the new Play ransomware operation launched last June. PLAY follows a typical ransomware playbook: it breaches the network and encrypts devices, then appends the [.]PLAY extension to the encrypted files.
What separates this operation from other groups is that it leaves a lengthy ransom note to threaten its victims. In addition, the ransom notes are not dropped in every folder as in many standard operations; instead, PLAY operators place a ReadMe[.]txt ransom note only at the root of a hard drive, and it includes the word “PLAY” and a contact email address.
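The two indicators described above (a [.]PLAY extension on encrypted files and a PLAY-branded ReadMe.txt only at the volume root) can be turned into a simple triage check. The following is an added example for defenders, not code from the article or from any vendor; it walks a constructed sample volume built in a temp directory, and the e-mail address in the sample note is a placeholder.

```python
import os
import re
import tempfile
from typing import Dict, List

# Indicators taken from the article: encrypted files gain a ".PLAY"
# extension; a ReadMe.txt note is dropped only at the drive root and
# contains the word "PLAY" plus a contact e-mail address.
PLAY_EXT = ".play"
NOTE_NAME = "readme.txt"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def scan_volume(root: str) -> Dict[str, object]:
    """Walk one volume root and report the article's PLAY indicators."""
    encrypted: List[str] = []
    note_found = False
    note_emails: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(PLAY_EXT):
                encrypted.append(path)
            # Only a note at the volume root matches the described behaviour;
            # a ReadMe.txt deeper in the tree is ignored on purpose.
            elif dirpath == root and name.lower() == NOTE_NAME:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                if "PLAY" in text:
                    note_found = True
                    note_emails = EMAIL_RE.findall(text)
    return {
        "encrypted_count": len(encrypted),
        "ransom_note_at_root": note_found,
        "contact_emails": note_emails,
        "verdict": "PLAY indicators present" if encrypted and note_found else "no match",
    }


def build_sample_volume() -> str:
    """Constructed sample: a fake volume with two encrypted files, one clean
    file, a root ransom note and a decoy note in a subfolder."""
    root = tempfile.mkdtemp(prefix="vol_")
    os.makedirs(os.path.join(root, "docs"))
    for name in ("expediente1.pdf.PLAY", "docs/acta.docx.PLAY", "docs/ok.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("x")
    # Constructed note text; the address is a placeholder, not a real contact.
    with open(os.path.join(root, "ReadMe.txt"), "w") as fh:
        fh.write("PLAY\ncontact: example-contact@example.invalid\n")
    with open(os.path.join(root, "docs", "ReadMe.txt"), "w") as fh:
        fh.write("PLAY\nnot at root, must be ignored\n")
    return root


if __name__ == "__main__":
    print(scan_volume(build_sample_volume()))
```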
As of now, it is still unknown how the ransomware group infiltrated Córdoba, but a list of personnel email addresses was leaked by the Lapsus$ group last March, which may have enabled the threat actors to carry out a phishing attack to steal credentials.
Unfortunately, there is not a single piece of evidence connecting the PLAY ransomware group to a previous attack, which means that the infiltration of Córdoba is an independent attack by the group.