Ransomware Attack on AFTS Creates Domino Effect Across the US

• The “Cuba” ransomware has hit ‘AFTS,’ compromising numerous US states as a result.
• The entities are sending notices of a breach to their citizens, but there is probably a lot more that hasn’t been realized.
• The details that the malicious actors may have accessed are highly sensitive.

Several US states are now distributing notices of a security breach, all affected by a ransomware attack against AFTS (Automatic Funds Transfer Services). AFTS is a payment processing, mailing, printing, coupon, and billing service provider who is contracted by several DMVs (Department of Motor Vehicles) and also cities in the United States, so a security breach on the provider means a compromise of people who are registered in the affected DMVs.

The list includes the following:

• California Department of Motor Vehicles
• City of Kirkland, Washington
• City of Monroe, Washington
• City of Redmond, Washington
• City of Seattle, Washington
• Lakewood Water District
• Port of Everett

It is very likely that the affected entities are not only those found in the above list, but some of them may not have realized it yet, or they simply don’t care to make an announcement about it. Due to the sensitivity of the details that have been leaked in most cases, we would advise you to remain vigilant against incoming communications of all types and contact your local DMV and state government and ask for assurances.

Based on the various notifications that are out, we can deduce that the following type of data was exposed to the ransomware actors:

• Full names
• Physical addresses
• License plate numbers
• Vehicle registration records
• Vehicle ID numbers (VINs)
• Dates of Birth
• State ID numbers
• Credit card numbers
• Social security numbers (SSNs)

Of course, not all of the above applies to each entity as not all of them collected the same type of data from their citizens or let AFTS process it. In some cases, the notices declare uncertainty as to whether this data was even exfiltrated by the actors, so nothing is definite at this point. Obviously, there will be an investigation into this far-reaching incident, so we’ll get to know more about the extent of the breach soon.

The malicious actors are of the “Cuba” ransomware group, which uses the RSA-2048 encryption scheme and focuses on MS Windows systems. This is a relatively new and still unproven group that first appeared last year, and according to researchers, it was derived from the “Buran” family. At the moment of writing this, the AFTS website remains offline, so the company is still struggling to contain the infection and potentially restore their systems from backups.