{
	"id": "cec29a0c-bfa3-44eb-9618-2227b29d24c7",
	"created_at": "2026-04-06T00:12:38.860297Z",
	"updated_at": "2026-04-10T03:21:34.261695Z",
	"deleted_at": null,
	"sha1_hash": "1fa4340913d13c0b557e9588d72d3dbbfbd04c16",
	"title": "Ransomware gang demands $7.5 million from Argentinian ISP",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38536,
	"plain_text": "Ransomware gang demands $7.5 million from Argentinian ISP\r\nBy Catalin Cimpanu\r\nPublished: 2020-07-20 · Archived: 2026-04-05 21:43:01 UTC\r\nA ransomware gang has infected the internal network of Telecom Argentina, one of the country's largest internet\r\nservice providers, and is now demanding a $7.5 million ransom to unlock encrypted files.\r\nThe incident took place over the weekend, on Saturday, July 18, and is considered one of Argentina's biggest\r\nhacks.\r\nSources inside the ISP said hackers caused extensive damage to the company's network after they managed to gain\r\ncontrol over an internal Domain Admin, from where they spread and installed their ransomware payload to more\r\nthan 18,000 workstations.\r\nThe incident did not cause internet connectivity to go down for the ISP's customers, nor did it affect fixed\r\ntelephony or cable TV services; however, many of Telecom Argentina's official websites have been down since\r\nSaturday.\r\nSince the attack's onset, multiple Telecom employees have also taken to social media to share details about\r\nthe incident, and how the ISP has been managing the crisis.\r\nAccording to images shared online, the ISP appears to have detected the intrusion right away and has been\r\nactively warning employees through internal alerts to limit their interaction with the corporate network, not to\r\nconnect to its internal VPN network, and not to open emails containing archive files.\r\ntelecom-revil-internal-alert.jpg\r\nImage source: [protected]\r\ntelecom-revil-warning.jpg\r\nImage source: [protected]\r\nThe attackers have also been identified as the REvil (Sodinokibi) ransomware group, according to a now-deleted\r\ntweet showing the ransomware gang's dark web portal -- the page where victims are directed to make payments.\r\nThis web page currently shows a ransom demand of 109345.35 Monero coins (~$7.53 million), a sum that will\r\ndouble after three days, making this one of the largest ransom 
demands requested in a ransomware attack this year.\r\ntelecom-revil-page.png\r\nImage source: [unknown]\r\nTelecom Argentina has not commented on the incident when contacted by local press and did not say if it intends\r\nto pay the ransom demand.\r\nLocal media has also reported that the ISP believes the hackers' point of entry is a malicious email attachment\r\nreceived by one of its employees, but this does not generally fit with the REvil gang's normal modus operandi.\r\nAccording to a report from security firm Advanced Intel, for the past year, the REvil gang has specialized in\r\ncarrying out network-based intrusions, targeting unpatched networking equipment as the entry point into victim\r\norganizations, before spreading laterally through a company's network.\r\nIn the past, REvil operators have targeted Pulse Secure and Citrix VPN and enterprise gateway systems as entry\r\npoints.\r\nIn a conversation on Sunday, threat intelligence company Bad Packets told ZDNet that Telecom Argentina not\r\nonly ran Citrix VPN servers, but had also run a Citrix instance vulnerable to the CVE-2019-19781 security bug\r\nmonths after a patch had been made available.\r\nSome security researchers have pointed the finger at two files uploaded on the VirusTotal web antivirus scanner as\r\nbeing used in the Telecom Argentina attack, although we could not immediately verify this claim.\r\nThe REvil ransomware gang also maintains a dark web portal where it leaks data it stole from infected hosts in\r\ncase the companies don't pay. At the time of writing, the REvil \"leak site\" did not list Telecom Argentina as one of\r\nthe victim organizations the REvil gang planned to leak files from.\r\nThis is also the REvil gang's second attack against the network of an internet service provider. 
The REvil gang\r\nalso targeted Sri Lanka Telecom, the largest fixed telephony provider in Sri Lanka, in May.\r\nSource: https://www.zdnet.com/article/ransomware-gang-demands-7-5-million-from-argentinian-isp/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/ransomware-gang-demands-7-5-million-from-argentinian-isp/"
	],
	"report_names": [
		"ransomware-gang-demands-7-5-million-from-argentinian-isp"
	],
	"threat_actors": [],
	"ts_created_at": 1775434358,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1fa4340913d13c0b557e9588d72d3dbbfbd04c16.pdf",
		"text": "https://archive.orkl.eu/1fa4340913d13c0b557e9588d72d3dbbfbd04c16.txt",
		"img": "https://archive.orkl.eu/1fa4340913d13c0b557e9588d72d3dbbfbd04c16.jpg"
	}
}