Cyber Incident Victim: Dirección Nacional de Migraciones

Date: Aug 2020

Location: Argentina

Summary

A ransomware attack by the Netwalker group targeted Argentina's national immigration agency, disrupting border operations and temporarily suspending crossings for several hours. The incident impacted critical systems, including the Comprehensive Migration Capture System, causing delays as authorities restored servers after isolating networks to contain the infection. Attackers initially demanded $2 million, later doubling the ransom to $4 million in bitcoin, while threatening to leak stolen data. The agency confirmed it would not engage in negotiations with the threat actors despite operational interruptions.

Description

On August 27, 2020, Argentina’s Dirección Nacional de Migraciones experienced a ransomware attack that disrupted national border operations. The incident was first detected around 7:00 AM when the agency’s Directorate of Technology and Communications received multiple technical support calls from border checkpoints reporting system issues. Investigation revealed a virus had encrypted Microsoft Windows-based files and Microsoft Office documents across user workstations and shared network folders. The attack was attributed to the Netwalker ransomware operation. To contain the infection, the agency proactively shut down its networks, which resulted in the temporary suspension of border crossings. The outage lasted approximately four hours, with the Comprehensive Migration Capture System (SICaM)—a critical platform for processing border transactions—experiencing significant disruption. This led to operational delays at checkpoints, though the government did not specify the total number of affected locations or systems beyond confirming Windows and Office file impacts.

The attackers initially demanded a $2 million ransom, threatening to leak stolen data and providing decryption instructions through ransom notes. After seven days, the demand increased to $4 million, equivalent to 355 bitcoins at the time. Netwalker operators provided screenshots of allegedly exfiltrated data as proof, though the specific nature or volume of compromised information was not disclosed publicly. Argentine authorities, including the nation’s cybercrime unit, filed a criminal complaint documenting the attack timeline and technical observations. Government representatives explicitly stated they would not negotiate with or pay the attackers. While border operations resumed within hours following network containment and restoration efforts, the incident marked a rare case of ransomware disrupting federal government functions at a national level. No further technical details about recovery methods or long-term operational consequences were disclosed in available reports.
