Claro Company, the largest telecom operator in Central and South America, disclosed being hit by ransomware. Representatives shared this information in response to the service disruptions in several regions. From the ransom note it becomes clear that the attackers are Trigona ransomware.
Claro Telecom Hacked, Services Disrupted
Since January 25, 2024 Claro Telecom customers have suffered from significant network issues. But only on February 2, they published the first notification regarding the situation, from the name of their Claro Nicaragua subsidiary. Despite the note being published by the Nicaraguan branch, the issues were also reported in other Latin American countries, namely El Salvador, Costa Rica, Guatemala and Honduras.
Original Claro Company's note regarding ransomware attack
English translation of a Claro Company's note regarding ransomware attackAs the note explains, the company suffered from a ransomware attack that inflicted damage to some of its network elements. The same release shares the company’s hopes on the soon restoration of all the services. Among typical issues that are still not completely resolved, are problems with Internet connectivity, video calls and payments processing.
By the ransom note that analysts managed to get from the company, it becomes clear that Claro was attacked by Trigona ransomware. The double-extortion group likely managed to get into some of the system and exfiltrate the files. And while file encryption is recoverable, data exfiltration is extremely dangerous considering the amount of user data stored on telecom provider servers.
What is Trigona ransomware?
Trigona is a ransomware group that started its activity in October 2022. Despite being relatively new to the cybercrime scene, they already gained both fame and complexity, boasting a Linux version of their main payload. Malware analysts name this group the successor of CryLock ransomware, and point at its possible association with ALPHV/BlackCat ransomware.
This ransomware gang is known for practicing double-extortion, meaning that aside from file encryption, they also leak significant amounts of data from the attacked environment. Further, attackers ask to pay a separate ransom to prevent this data from being published or sold to the third party.
Back in October 2023, Trigona was hacked by Ukrainian Cyber Alliance, the white hat hacker organization. UCA managed to wipe the entirety of server infrastructure, along with the backups. White hats reportedly managed to get their hands on all the tools in ransomware group’s collection, so there is a possibility of a ransomware decryptor being released in future. Nonetheless, this hack did not stop the frauds from getting back in business.
Is Hacking Telecom Corporation a New Trend?
Attack on Claro Company is yet another episode of a telecom company being struck by ransomware – a rather unusual sight in years prior to 2024. Yes, there were known cases of T-Mobile US hacks that led to extensive data breaches, but none of them ended up with severe network disruptions. But 2024 exploded with attacks on telecommunication companies, starting with Ukrainian Kyivstar. All such breaches led to significant connectivity issues and even complete outages of all the services provided by the target company.
Considering the amount of personal data that typically circulates in telecom organizations, the advanced multi-layer security measures are the must. Security tools should be accompanied by network architecture that makes it harder to hack the entire network all at once and data protection. The latter is especially important, since the aforementioned double extortion tactic is more of a tradition than a novelty nowadays.
Hey Stephanie. Great article, thanks for covering this! Were you aware by any chance that there’s at least one more Telcom giagant being attacked in LA currently? Check out the situation on Venezuela’s digitel!