Cyber Incident Victim: Cooperativa de Ahorro y Crédito Ahorrocoop Ltda
Date: May 2023
Location: Chile
Summary
Cooperativa de Ahorro y Crédito Ahorrocoop Ltda was hit by a ransomware attack attributed to the Medusa group. The Chilean savings and credit cooperative was listed on the threat actor's leak site, which provided internal documents as proof of the data breach. The cooperative, which has more than 65,000 members, did not publicly acknowledge the incident or reply to inquiries regarding whether its members had been notified of the data exposure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around May 10, 2023, the ransomware group Medusa added Cooperativa de Ahorro y Crédito Ahorrocoop Ltda, a Chilean savings and credit cooperative, to its data leak blog site. The cooperative, which operates seven branches and serves more than 65,000 members nationwide, was listed as a victim of a cyberattack. As proof of their claim, Medusa provided what appeared to be internal documents from the cooperative. This public listing on a dedicated ransomware leak site indicated that the threat actors had successfully exfiltrated data from the organization's network prior to deploying ransomware, a common tactic to pressure victims into paying a ransom by threatening to release sensitive information. There was no public statement or notice regarding a security incident found on the cooperative’s official website at the time of the listing.

Following the discovery of the cooperative’s name on the Medusa leak site, an inquiry was sent via email to an executive of the company on May 10, 2023, requesting details about the nature and scope of the incident. A follow-up email was sent on May 15, 2023, after no response was received. The cooperative did not reply to either email inquiry. Consequently, no details were provided by the organization regarding the attack vector, the specific systems compromised, the exact date of the initial breach, or whether a ransom demand was issued. The public evidence consisted solely of the listing on the Medusa blog and the sample documents posted there as proof.
The available evidence did not specify whether the incident involved the encryption of the cooperative's computer systems or was solely a data extortion event following data exfiltration. The impact of the incident was inferred from the nature of the organization and the actions of the threat actor. As a financial cooperative handling the personal and financial data of its members, the potential exposure of internal documents posed a significant risk of data breach. The compromised information could include members' personally identifiable information, financial records, or internal operational documents. The lack of a public statement from Ahorrocoop left its members and the public without official confirmation of what data, if any, was accessed or stolen, or whether the incident affected the cooperative's ability to conduct business operations.
The cooperative made no public response and did not answer inquiries. There was no acknowledgment of the incident on its corporate website or social media channels. The organization did not provide any information regarding its detection of the incident, any immediate containment actions taken, or whether law enforcement or incident response firms were engaged. The only external action documented was the threat actor's publication on its leak site. The timeline of the attack remained unclear, as the initial compromise and the duration of the threat actors' presence within the network before the public leak were not disclosed by the organization.
The incident involving Cooperativa de Ahorro y Crédito Ahorrocoop Ltda was part of a broader pattern of activity by the Medusa ransomware group during this period. Just days prior, on May 6, 2023, Medusa had leaked a large quantity of data stolen from the Chilean IT services firm SONDA. That leak, comprising 327 parts, each 3.8 GB in size, was distributed via the group's Telegram channel. An inspection of some of the SONDA files confirmed that they contained the personal data of employees and suppliers, including identification documents, resumes, and contracts. The attack on Ahorrocoop demonstrated the group's continued focus on targets in Chile, and specifically within the financial sector. The public listing of Ahorrocoop on the Medusa blog site created a tangible risk that the cooperative's internal data would be released publicly, potentially exposing sensitive member information. The ultimate consequence for the organization's members depended on the content of the exfiltrated documents and on whether the threat actors subsequently released the data in full. The long-term operational, financial, and reputational impacts on the cooperative were not publicly detailed by the organization itself following the attack.
