
Cyber Incident Victim: Lotería Nacional

Date: May 2021

Location: Mexico

Summary

A ransomware group compromised a Mexican national lottery organization, stealing data and encrypting systems while threatening distributed denial-of-service attacks and further data leaks unless negotiations commenced. The attackers leaked purported documents from the victim. In response, access to the victim's websites was restricted exclusively to Mexican IP addresses, effectively walling off external traffic to mitigate potential disruption. This incident involved both data exfiltration and operational disruption threats, with the victim implementing geographic blocking as an unconventional countermeasure against the announced attacks.


Description

On May 27, 2021, the Avaddon ransomware operation publicly claimed responsibility for an attack on 'Pronosticos Deportivo,' a sports betting program operated by Mexico's national lottery system. The group asserted it had successfully exfiltrated data and encrypted devices during the intrusion. As evidence, Avaddon leaked screenshots displaying documents bearing the letterhead of Lotería Nacional and its subsidiary Pronósticos. The ransomware gang issued an ultimatum demanding negotiations commence within 240 hours (approximately 10 days), threatening to escalate by releasing additional stolen documents and launching distributed denial-of-service (DDoS) attacks against the victim's websites if their demands went unmet. Lotería Nacional functions as Mexico's government-operated lottery under the jurisdiction of the Ministry of Finance, while Pronósticos facilitates betting on games of chance and sporting events.

In response to the threat, Mexican authorities implemented geographic IP blocking on the official websites of Lotería Nacional (lotenal.gob.mx) and Pronósticos (pronosticos.gob.mx) by May 28, 2021. This measure restricted access exclusively to IP addresses originating within Mexico, causing connection attempts from foreign locations to time out. Cybersecurity firm Seekurity, through its Director of Information Hiram Alejandro, assisted BleepingComputer in verifying the restriction by confirming site accessibility via a Mexico-based VPN. The action represented an unconventional defensive strategy against potential DDoS attacks, marking a documented instance of a national government employing IP geoblocking for this purpose. BleepingComputer attempted to contact Mexican government communications channels but received no official response regarding the incident or mitigation measures at the time of reporting. The incident exposed operational disruptions, potential data compromise risks from the leaked documents, and defensive adaptations by a critical government-affiliated gaming entity.
