The government of Montenegro, a nation in the Balkans, has been attacked by a ransomware gang, which has requested a $10 million payment. The attack was launched against the government’s critical infrastructure and has led to damage and disruptions.

National governments and local authorities alike are prime targets for ransomware operators. They are responsible for the smooth operation of vital services supplied to their residents, so when a government’s systems are impacted by an attack, the result is often widespread chaos. When emergency services are affected, this can result in life-threatening circumstances for those in need of aid or with vulnerable characteristics.

The data retained and used by government agencies is also exceptionally sensitive in nature. From important trade agreements and security details, to the personally identifiable information (PII) kept on file regarding those with citizenship and staff in key roles, systems are packed with valuable data that ransomware operators can withhold as leverage or sell on to other malicious operators.

Announcement of a ransomware strike

With a speech delivered via local television, the government of Montenegro provided additional information about the nature of the attack on its infrastructure, confirming that ransomware is responsible for the damage and disruptions.

Maras Dukaj, Public Administration Minister for the Montenegro Government, stated that the ransomware attack was unleashed by an organised cybercriminal group. The minister commented that the impact of the attack was ongoing and had, at the time, already affected services for 10 days. He added that the attackers had made a ransom demand of $10 million and had used a special virus known as Zerodate in the assault. He was unable, however, to estimate how long it would be before normal services could resume.

False allegations of a Russian ransomware attack

An earlier advisory to the local media in Montenegro from Dukaj, with additional support from Montenegro’s Defence Minister, detailed that they had sufficient evidence to suspect that the cyberattacks on the government had been directed by Russian services.

As a result, the incident was given a geopolitical slant which mobilised Montenegro’s NATO allies to assist it with incident response, defence, and remediation measures.

However, just a day later, the Cuba ransomware gang listed Montenegro’s parliament, known as Skupstina, as one of its victims. The gang’s dedicated ransomware extortion site claimed to host stolen financial documents, including correspondence with banks, tax documents and compensation balance sheets, as well as source code.

The stolen data was published on the site’s “free” section. This meant that any visitor to the hacking site would be able to view the exfiltrated information without restrictions.

Cuba ransomware has recently demonstrated considerable evolution. Around three weeks ago, cyber security researchers identified a novel toolset employed by the threat gang, along with tactics, techniques and procedures that had not previously been seen.

Back in June, the gang also updated its encryption software with extra options and established a new communication channel to handle ‘live victim support.’

Finally, yet another change observed by experts was the gang’s targeting scope. Back in 2021, Cuba ransomware focused heavily on organisations based in the US but has now extended its reach to include other nations.