Cyber Incident Victim: Telecom Com

Date:

Jul 2020

Location:

Argentina

Summary

A ransomware attack by the REvil gang targeted a major Argentinian ISP, encrypting over 18,000 workstations and causing significant internal network damage; customer services stayed operational, but corporate websites were disrupted. The attackers compromised a Domain Admin account to deploy the ransomware and demanded $7.5 million in Monero, with a deadline after which the amount would double. They were suspected to have entered via a malicious email attachment, contrary to their typical exploitation of unpatched network equipment. The organization detected the intrusion early and issued internal warnings to limit network access. The group had previously attacked another telecommunications provider.

Description

The ransomware attack on Telecom Argentina occurred on Saturday, July 18, 2020, when threat actors compromised an internal Domain Admin account, enabling widespread deployment of ransomware across the company's network. The REvil (Sodinokibi) gang encrypted files on over 18,000 corporate workstations, causing significant operational disruption to internal systems and corporate websites, though customer-facing internet, telephony, and cable TV services remained operational. Attackers established a dark web portal demanding 109,345.35 Monero coins (approximately $7.53 million) for decryption keys, with the threat of doubling the ransom after 72 hours. Telecom Argentina's security team detected the intrusion promptly and issued internal alerts instructing employees to avoid connecting to the corporate VPN, limit network interactions, and refrain from opening email attachments containing archive files.

The incident represented one of Argentina's largest cyberattacks, with company employees publicly sharing crisis management details via social media. Initial reports suggested a malicious email attachment as the entry vector, though this conflicted with REvil's established pattern of exploiting vulnerabilities in unpatched network equipment like Pulse Secure and Citrix VPN systems. Security firm Advanced Intel noted REvil's specialization in network-based intrusions preceding lateral movement, while unverified claims implicated specific malware samples uploaded to VirusTotal. The attackers did not list Telecom Argentina on their data leak portal at the time of reporting, avoiding immediate publication of stolen data. This marked REvil's second major ISP attack following their May 2020 compromise of Sri Lanka Telecom, demonstrating a pattern of targeting telecommunications infrastructure providers. The company maintained public service continuity while grappling with extensive internal system damage and website outages persisting through the incident disclosure period.
