Claro Hacked - Demands a Ransom of 10 Million Dollars

Claro Company Hit by Trigona Ransomware

Claro (part of América Móvil), the largest telecommunications provider in Latin America, has disclosed that it suffered a ransomware attack that disrupted services across Central and South America. The company stated that the attack damaged key network infrastructure and led to connectivity issues, failed video calls, and payment processing failures.

According to a ransom note obtained by analysts, Claro was hit by the Trigona ransomware gang, a group that emerged in late 2022. 

Claro customers first began reporting widespread service issues on January 25th, 2024. However, it was not until February 2nd that Claro Nicaragua issued an announcement attributing the problems to a ransomware attack.

Claro disclosed via social media and its website that on January 25th, it was hit by a ransomware attack that impacted multiple subsidiaries, including Claro Guatemala, Claro Honduras, Claro El Salvador, Claro Costa Rica, and Claro Nicaragua, highlighting the extensive reach of the incident across the region.

Claro Company's note regarding the ransomware attack

According to Claro’s statement, the company suffered from a ransomware attack that inflicted damage to some of its network elements. Over two weeks after the incident began, many Claro subscribers continued experiencing connectivity problems, failed calls, and issues processing payments.

The ransom note left in Claro’s network by Trigona ransomware

The ransom note that analysts obtained from the company indicates that Trigona compromised and encrypted or deleted data and systems critical to managing Claro's sprawling telecommunications infrastructure.

Image by @H4ckManac

Today, the Trigona ransomware group added América Móvil (Claro) to its data leak site, demanding a ransom of 10 million dollars to be paid by February 24th.

Claro has not indicated whether it paid Trigona's ransom demand or whether customer data was exfiltrated. Regardless, experts state that telecoms and critical infrastructure providers must prioritize modernizing their security to deter ransomware groups, who recognize that compromising networks like Claro's offers access to sensitive data and the means to threaten entire nations.

Trigona first appeared in October 2022 and within months earned a reputation for ruthlessness. The group practices double extortion, stealing sensitive data from victims while also encrypting files to pressure them into paying ransoms. More recently, Trigona has also hit victims with distributed denial of service (DDoS) attacks if ransoms are not promptly paid.

In October 2023, Trigona was itself hacked by the Ukrainian Cyber Alliance (UCA), a Ukrainian hacktivist group. UCA claimed to have wiped all of Trigona's infrastructure and exfiltrated its hacking tools, demanding that Trigona cease operations. However, Trigona soon returned to business as usual.

Telecom Emerges as Prime Target

The Trigona attack on Claro continues a trend of telecommunications firms becoming high-value targets for ransomware groups such as Vice Society, LockBit, and others. Industry experts cite telecoms' vast troves of personal data, mission-critical infrastructure, and deep interconnectivity as reasons why attackers covet access to them.

For example, in December 2023 Ukraine's largest mobile provider, Kyivstar, suffered a destructive cyberattack that led to days of connectivity issues and service disruptions. Analysts assess that as connectivity becomes increasingly crucial to business and government operations worldwide, disrupting telecom networks offers unmatched leverage for extorting ransoms.

As Trigona's operations against Claro demonstrate, even after suffering major setbacks like the UCA hack, most ransomware gangs remain undeterred and quickly reorganize to hunt for their next big score.

1 comment
1. Anonymous
   Anybody know if AMX has disclosed this cyber attack to the SEC in an 8-K? If they have, can someone point me to it? Thank you.