Cyber Incident Victim: Apro Ltda
Date: Apr 2023
Location: Chile
Summary
Apro Ltda, a Chilean company selling personal protection and industrial safety items, was the victim of a ransomware attack claimed by the LockBit group. The attackers listed the company on their data leak site, offering to delay publication of the stolen data for a payment or to delete it entirely for a much larger sum. As of the report, the data had not yet been publicly leaked by the threat actors, and the company had not issued any public notice or responded to inquiries about the incident.
Description
On or around April 9, 2023, the Chilean company Apro Ltda, a seller of personal protection and industrial safety items with stores throughout Chile, suffered a cyberattack. The LockBit ransomware operation claimed responsibility for this incident. The group publicly added apro.cl to its data leak site on April 13. The listing on the site did not initially include any samples of the stolen data or a file tree showing the contents of the exfiltrated information. LockBit set a price for interaction with the stolen data, offering to delay the publication of the information for 24 hours for a payment of $1,000. The threat actors also set a price of $199,999 for the complete deletion of all data or for a download of the entire dataset. As of the date of the last available report, LockBit had not yet proceeded to leak any of the data allegedly stolen from Apro.

The company's public response to the security incident was not evident. No notice concerning a cyberattack or service interruption was found on Apro's official website or its social media accounts. In an effort to determine the details of the event, external inquiries were sent to the company via email on April 13 and again on April 15. These inquiries sought to ascertain when the attack had occurred and whether the company had engaged in any form of negotiation with the LockBit group. Apro Ltda did not provide any response to these repeated requests for information. Consequently, the precise date of the initial compromise, the duration of the attackers' presence within the network, the specific systems encrypted, and the exact scope of data exfiltrated remain unconfirmed by the victim organization.

The attack on Apro was part of a broader pattern of ransomware activity during this period, as detailed in the same reporting that covered its incident. Other notable attacks included the BlackByte ransomware group's attack on the Chilean cement company Cementos Bio-Bio S.A., which was added to BlackByte's leak site on April 9. In that case, the threat actors confirmed to investigators that they had used encryption in the attack and had exfiltrated approximately 200 GB of files. They also stated that the victim company had not responded to them or attempted to negotiate. Similarly, the LockBit group claimed an attack on the Peruvian automotive group Euromotors, adding it to their leak site on April 10 and later leaking a sample of data containing sensitive employee information. Another incident involved the BlackCat ransomware group claiming an attack on the Yucatan government, posting samples of stolen electoral documents. The National Water Commission (Conagua) in Mexico was also reportedly attacked by the BlackByte group, with reports indicating a significant impact, including the encryption of files from the last fifteen years, though it never appeared on the official leak site.

The impact of the incident on Apro's operations is not detailed in the available information. There is no public record of system downtime, service interruptions, or operational disruptions caused by the encryption of systems. The primary impact articulated in the report is the threat of public data exposure, contingent on whether the company met the threat actors' financial demands. The types of data potentially involved were not specified by LockBit in their initial listing, as no samples or file tree were provided. Therefore, the risk to customers, employees, or business partners could not be assessed based on the available evidence. The financial demands posed a direct extortion threat, with the higher sum representing a significant potential cost for data destruction.

The containment and remediation actions taken by Apro Ltda are not described in the source material. The lack of a public statement from the company means its internal incident response processes, any efforts to isolate affected systems, attempts to restore from backups, or engagements with third-party cybersecurity experts are unknown. The external communications strategy appeared to be one of non-engagement, as the company did not reply to inquiries from journalists. This approach may also have extended to the threat actors, as the report does not contain any information from LockBit suggesting that negotiations had occurred. The final outcome of the incident, specifically whether the data was eventually leaked or the ransom was paid, is not confirmed in the provided articles. The situation remained unresolved at the time of reporting, with the data not yet published but still under threat.
