According to local media, the attack took place on August 18 and has disrupted the agency's operations ever since. Four physical and eight virtual servers were hit, which accounts for virtually every server the agency runs; the only system left untouched was a single Linux server. As of August 23, 23 workstations had been infected and the network was still down.
Because the databases, applications and email systems were all affected, IAD's director of technology, Walixson Amaury Nuñez, confirmed that all of the agency's data should be considered compromised.
BleepingComputer reports that the Quantum ransomware gang is behind the attack. The group claims to have stolen more than 1TB of data and is threatening to publish it unless IAD pays a $650,000 ransom, a payment the agency has indicated it simply cannot afford.
The National Cybersecurity Centre (CNCS) has been assisting the agency with recovery and reports that IP addresses used by the attackers were located in the United States and Russia. IAD has also acknowledged that its systems were protected only by basic security software and that it has no dedicated security department.
As for the threat actors, Quantum has become increasingly active in targeting enterprises with ransomware. The operation is believed to be a rebrand of the MountLocker ransomware group, and has since been taken over by members of the Conti ransomware gang.
The rebrand reportedly took place in August 2021, when the group's encryptor began appending a .quantum extension to encrypted files. Quantum was not particularly active at the time; its activity only spiked after the Conti operation shut down and its members went looking for other groups to join.