Dunghill Ransomware Attack on Nuevatel: 10 TB Data Leak, Swift Response

Incident Date: July 15, 2024

Overview

Victim: Nuevatel

Attacker: Dunghill

Location: Santa Cruz de la Sierra, Bolivia

First Reported: July 15, 2024

Ransomware Attack on Nuevatel by Dunghill

Overview of Nuevatel

Nuevatel PCS de Bolivia S.A., operating under the brand name VIVA, is a leading telecommunications company in Bolivia. Founded in 1999, VIVA has been a pioneer in providing mobile communication services, including 2G-GSM, 3G-GSM (HSPA+ Dual Carrier), LTE TDD, public telephony, national and international long distance, data transmission, mobile Internet, LTE FDD, and WiMax. The company employs around 1,243 people and serves approximately 2.5 million subscribers. Recently acquired by Balesia Technologies, VIVA is focused on expanding and modernizing its network to enhance customer experience.

Details of the Ransomware Attack

On Sunday, June 23, Nuevatel fell victim to a ransomware attack orchestrated by the cybercriminal group known as Dunghill. The attackers reportedly exfiltrated 10 TB of sensitive data, including project files, personal identification information, confidential documents, databases, client data, financial records, accounting details, HR information, operational data, corporate information, marketing materials, development strategies, business agreements, and IT infrastructure. Despite the severity of the attack, Nuevatel's technical team, cybersecurity experts, and collaborators swiftly contained and mitigated the impact, ensuring that client services remained unaffected or were quickly restored.

About Dunghill Ransomware Group

Dunghill Leak, operated by the "Dark Angels Team," emerged in 2023 and has claimed responsibility for several high-profile attacks, including those on Sysco Corporation, Sabre Corporation, and Johnson Controls International. The group employs double extortion tactics, stealing sensitive data before encrypting systems and threatening to release the information if a ransom is not paid. Initially leveraging the stolen Babuk ransomware source code, Dunghill has also used a tailored version of the Ragnar Locker ransomware and claims to have developed its own custom encryptor.

Potential Vulnerabilities and Penetration Methods

While the exact method of penetration remains unclear, ransomware groups like Dunghill often exploit vulnerabilities in outdated software, weak passwords, and unpatched systems. Given VIVA's extensive range of services and large customer base, the company presents a lucrative target for cybercriminals seeking to maximize their ransom demands. The swift response by Nuevatel's team highlights the importance of having a robust incident response plan in place to mitigate the impact of such attacks.
