Argentina's Judiciary of Córdoba hit by PLAY ransomware attack

Argentina's Judiciary of Córdoba has shut down its IT systems after suffering a ransomware attack, reportedly at the hands of the new 'Play' ransomware operation.

The attack occurred Saturday, August 13th, causing the Judiciary to shut down IT systems and their online portal. The outage is also forcing the use of pen and paper for submitting official documents.

In a 'Cyberattack Contingency Plan' shared by Cadena 3, the Judiciary confirmed that it was hit by ransomware and engaged with Microsoft, Cisco, Trend Micro, and local specialists to investigate the attack.

"The cyberattack suffered by the technological infrastructure of the Court of Córdoba on Saturday, August 13th, 2022, for a ransomware that has compromised the availability of its IT services," reads a Google translation section of the plan.

Clarín reports that sources said the attack affected the Judiciary's IT systems and its databases, making it the "worst attack on public institutions in history."

Attack linked to Play ransomware

While the Judiciary has not disclosed details of the attack, journalist Luis Ernest Zegarra tweeted that they were hit by ransomware that appends the ".Play" extension to encrypted files.

This extension is associated with the new 'Play' ransomware operation that launched in June 2022, when victims began describing their attacks in the BleepingComputer forums.

Like all ransomware operations, the threat actors will compromise a network and encrypt devices. When encrypting files, the ransomware will append the .PLAY extension as shown below.

However, unlike most ransomware operations that leave lengthy ransom notes to issue dire threats to their victims, the Play ransom notes are unusually simple.

Instead of ransom notes being created in every folder, Play's ReadMe.txt ransom note is only made at the root of a hard drive (C:\) and simply contains the word 'PLAY' and a contact email address.

In a conversation with security researcher Mauro Eldritch, BleepingComputer was told of different emails used in attacks, so the email address above may not be associated with the attack on the Judiciary of Córdoba.

It is unknown how Play breached the Judiciary's network, but a list of employee email addresses was leaked as part of the Lapsus$ breach of Globant in March, which may have allowed threat actors to conduct a phishing attack to steal credentials.

#LAPSUS$' latest data leak from Globant contains sensitive data belonging to Poder Judicial de la Provincia de Cordoba, Argentina...
----@JusticiaCba_ARG @ferbeltran9 https://t.co/eSB8ZJH0iM

— BetterCyber (@_bettercyber_) March 30, 2022

There is no data leak associated with the ransomware gang or any indication that data is stolen during attacks. 

This is not the first time a government agency in Argentina suffered a ransomware attack. In September 2020, the Netwalker ransomware gang attacked the Dirección Nacional de Migraciones and demanded a $4 million ransom.