The Córdoba Judiciary in Argentina has shut down its IT systems following a ransomware attack, which was allegedly carried out by the new ‘Play’ ransomware operation.

The incident took place on Saturday, August 13th, and forced the Judiciary to shut down its website and IT infrastructure. As a result of the outage, formal documents must be filed using pen and paper.

The Judiciary acknowledged that it had been infected by ransomware and collaborated with Microsoft, Cisco, Trend Micro, and local experts to investigate the incident, according to a “Cyberattack Contingency Plan” provided by Cadena 3.

According to a Google translation of the plan, “the cyberattack suffered by the Court of Cordoba’s electronic infrastructure on Saturday, August 13th, 2022 for a ransomware that has endangered the availability of its IT services.” According to authorities cited by Clarín, the attack was the “worst on public institutions in history” since it had an impact on the judiciary’s databases and IT systems.

Justicia Córdoba’s website is suffering an outage (Source: BleepingComputer)

Attack linked to Play ransomware

Although the Judiciary has not disclosed specifics of the incident, journalist Luis Ernest Zegarra tweeted that it was targeted by ransomware that adds the “.Play” extension to locked files.

This extension is connected to the new ‘Play’ ransomware operation, which began in June 2022, when victims started posting accounts of their infections in the BleepingComputer forums.

As is the case with all ransomware operations, the threat actors break into a network and encrypt its devices. The ransomware adds the .PLAY extension to encrypted files, as illustrated below.

Files encrypted by the Play ransomware (Source: BleepingComputer)

The Play ransom messages are exceptionally short and straightforward, in contrast to most ransomware operations that leave long ransom notes to deliver grave warnings to their victims.

Play’s ReadMe.txt ransom notes, which just contain the word “PLAY” and a contact email address, are written at the root of a hard drive (C:). They are not created in any other folders.

The email address mentioned above might not be connected to the attack on the judiciary in Cordoba because BleepingComputer is aware of other email addresses that have been used in attacks.
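The two indicators described above (a ReadMe.txt only at the drive root, and files carrying the .PLAY extension) can be checked during triage with a short script. This is an added example, not code from BleepingComputer or any vendor; the function names, the assumed note layout (the word PLAY and one email-like token separated by whitespace) and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Loose email shape; the article notes that different addresses are used.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def looks_like_play_note(text):
    """True if text is only the word PLAY plus one email-like token (assumed layout)."""
    tokens = text.split()
    return (len(tokens) == 2 and "PLAY" in tokens
            and any(EMAIL_RE.match(t) for t in tokens))

def triage(root):
    """Check one volume root for the two Play indicators the article describes."""
    note_found = False
    # The note is written only at the root, so subfolders are not inspected for it.
    for entry in os.listdir(root):
        path = os.path.join(root, entry)
        if entry.lower() == "readme.txt" and os.path.isfile(path):
            with open(path, "r", errors="replace") as fh:
                note_found = note_found or looks_like_play_note(fh.read(4096))
    renamed = []
    # The extension is appended to encrypted files anywhere on the volume.
    for dirpath, _dirs, files in os.walk(root):
        renamed += [os.path.join(dirpath, f) for f in files
                    if f.lower().endswith(".play")]
    return {"note_at_root": note_found, "play_files": sorted(renamed)}

def build_sample(root):
    """Constructed sample tree for the demo; not real incident data."""
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "ReadMe.txt"), "w") as fh:
        fh.write("PLAY\ncontact@example.invalid\n")
    # A benign ReadMe.txt in a subfolder must not count as the ransom note.
    with open(os.path.join(root, "docs", "ReadMe.txt"), "w") as fh:
        fh.write("Project documentation\n")
    for name in ("report.docx.PLAY", "notes.txt"):
        open(os.path.join(root, "docs", name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

Either indicator alone is weak evidence (ReadMe.txt is a common filename), so treat a hit as a prompt for further investigation rather than confirmation.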

It is uncertain how Play gained access to the Judiciary’s network, but the Lapsus$ breach of Globant in March resulted in the exposure of a list of employee email addresses, which would have given threat actors the opportunity to launch a phishing attack and obtain login information.

There is no proof that the ransomware group has leaked any data or that any data has been taken during an attack.

This is not the first ransomware attack on an Argentine government organization. The Dirección Nacional de Migraciones was hacked in September 2020 by the Netwalker ransomware gang, which wanted a $4 million ransom.