Recently, local media in Paraguay reported that Tigo, the largest mobile carrier in Paraguay, with its Tigo Business division offering digital solutions to the enterprise.
The list of provided services includes cybersecurity consulting, cloud and data center hosting, and wide area network (WAN) solutions, suffered a cyberattack directly impacting cloud and hosting services in the company's business division.
It appears that those services were knocked out as far back as January 4, 2024. It was only over the following weekend that the company released a statement stating,
On January 4, we were victims of a security incident in our Tigo Business Paraguay infrastructure as a service, which has affected the normal supply of some specific services to a limited group of clients in the corporate segment (companies).
The company went on to state that certain elements of the article published by local media were incorrect. Namely, the internet, telephone services, and Tigo Money electronic wallets were unaffected by the attack. While the statement asserted that media reports were erroneous, they did not provide any information about the attack.
Following the company issuing their statement, more reports emerged on social media. Some claimed over 330 servers were encrypted, and backups were compromised, which is a clear indication of a ransomware attack. This was followed by reports saying those behind the Black Hunt ransomware were responsible for the attack.
On January 7, 2024, Paraguay's General Directorate of Information and Communication Technologies of the Armed Forces of Paraguay (FFAA) alerted businesses and individuals about Black Hunt ransomware attacks.
The statement said,
The DSIRT-MIL of the DIGETIC/FFAA, issues an official alert in relation to the recent cybersecurity incident that has significantly impacted one of the main internet service providers in the country and that has had a direct impact on more than 300 companies associated with said operator, compromising backups, web pages, emails and their cloud storage…The incident that occurred, according to reports from cybersecurity specialists, is a ransomware infection linked to a group of cybercriminals called Black Hunt.
This statement was shortly deleted after publication and raises questions about the cybercrime reporting protocols currently in place in Paraguay.
Further questions need to be answered as to whether Black Hunt was involved or not. One thing we do know for sure is that Black Hunt is a threat to businesses.
Black Hunt Operations
Following reports published on X, formerly Twitter, it would seem that Black Hunt operations launched towards the end of 2022. Those behind the ransomware have managed to keep many of its operations away from the prying eyes of security researchers, as when compared with other ransomware gangs, there is relatively little known about the gang in the public sphere.
On January 6, 2024, Fortinet discovered a ransomware sample doing the rounds. The security firm noted that the threat actors behind the ransomware's deployment were gaining access to victims' networks through vulnerable Remote Desktop Protocol (RDP) configurations.
Further, the firm stated,
Files encrypted by BlackHunt ransomware can be identified with the following filename pattern: [unique ID assigned to each compromised machine].[contact email address].Black. The ransomware also deletes shadow copies, which makes file recovery difficult. The ransomware also drops two ransom notes: one is titled “#BlackHunt_ReadMe.hta” and the other is “#BlackHunt_ReadMe.txt”...Although both ransom notes belong to BlackHunt ransomware, the notes not only include different contact email addresses but the different IDs assigned to each victim as well. The ransom note in HTA format also has a link to a TOR site, which was no longer accessible at the time of the investigation.
Bleeping Computer's analysis of the ransomware noted that when the encryptor is launched, they will perform the following commands to clear Windows event logs, delete Shadow Volume Copies and NTFS journals, and disable Windows recovery options.
Further, Black Hunt will perform a large number of changes to Windows, including disabling Microsoft Defender, adding new users, disabling System Restore, and disabling Task Manager and the Run command. These are now typical operations for most current ransomware strains.
Based on what is known, the threat actors appear to focus on keeping operational security high; this makes malware analysis somewhat more difficult for security researchers. The emergence of Black Hunt 2.0 further supports this assumption.
Reports dating back to July 2023 showed that a new variant of Black Hunt was on the loose, and modifications to its encryption ability were made to make it more effective. Files encrypted with the new version had "Hunt2.0" appended to the filename, making identification easier for victims.
Black Hunt 2.0 was also to adopt the double extortion method, as victims had sensitive data stolen before encryption. Threats were then made to release the information to the public, or highest bidder if the ransom was not paid at a specific time, 14 days, according to the pop-up notification displayed after encryption.