Ransomware | Resolved

IFX Networks supply-chain ransomware attack

A ransomware attack on regional cloud provider IFX Networks cascaded into more than 50 Colombian state and private entities — including the Ministry of Health, the Judiciary, and the Superintendency of Industry and Commerce — and affected 762 organisations across Latin America.

Victim
IFX Networks (Colombian government clients)

In September 2023, a ransomware attack on IFX Networks — a regional cloud, hosting, and connectivity provider — turned into one of the most disruptive supply-chain incidents in Latin American history, cascading from a single technology vendor into the heart of the Colombian state.

What happened

On 12 September 2023, threat actors deployed ransomware inside IFX Networks' infrastructure, encrypting systems that hundreds of customers relied on for hosting and data storage. Because so many Colombian institutions outsourced services to IFX, the impact rippled outward almost immediately.

The Ministry of Health and Social Protection, the Judiciary Branch, and the Superintendency of Industry and Commerce all reported that they could no longer function normally. One affected database reportedly held over 50 million records belonging to the Ministry of Health. The Judiciary was forced to suspend procedural deadlines nationwide as courts lost access to case-management systems.

Scale

President Gustavo Petro stated that more than 50 Colombian state and private entities were hit. The Office of the President later said the attack affected 762 companies across Latin America, with IFX supplying services to organisations in 17 countries on the sub-continent. The breadth made it a textbook demonstration of concentration risk: compromising one managed-service provider yielded simultaneous access to dozens of downstream victims.

Attribution

No ransomware group publicly claimed the attack at the time. However, researchers at elHacker.net circulated material suggesting the RansomHouse extortion group — already linked to the 2022 Keralty health-network breach in Colombia — may have been responsible. IFX Networks itself confirmed it had suffered a ransomware incident affecting a subset of its hosting platform.

Government response

The Colombian government took an unusually combative posture toward its own vendor. ICT Minister Mauricio Lizcano said he had ordered administrative actions against IFX Networks and was coordinating a civil lawsuit and a possible criminal case, alleging that the breach resulted from the company's negligence and that IFX's communication with affected clients was inadequate. The Attorney General's office opened an investigation.

Why it matters

IFX Networks crystallised the danger of state dependence on third-party cloud providers without enforceable security and incident-response guarantees. A single compromised vendor degraded health services, halted court proceedings, and disrupted regulators across an entire nation — and beyond its borders. The incident accelerated debate in Colombia and the wider region over supply-chain due diligence, mandatory breach notification for critical suppliers, and the resilience of outsourced public-sector IT.

Timeline

  1. A ransomware attack hits regional cloud and hosting provider IFX Networks, encrypting infrastructure used by hundreds of customers.

  2. Colombian government agencies including the Ministry of Health, the Judiciary Branch, and the Superintendency of Industry and Commerce report service disruptions.

  3. President Gustavo Petro states that more than 50 Colombian state and private entities have been affected.

  4. Colombia's ICT Minister Mauricio Lizcano announces administrative actions and a possible civil and criminal case against IFX Networks; the government says 762 organisations across 17 Latin American countries were affected.

  5. Courts suspend judicial deadlines nationwide as the Judiciary works to restore systems and recover access to case data.


Related incidents

Ransomware | Contained

Westpole LockBit ransomware — Italian PA outage (2023)

LockBit 3.0 encrypted the data centres of Italian cloud provider Westpole, taking down PA Digitale's Urbi platform — which serves 1,300 Italian public administrations including 540 municipalities, the Quirinale presidency, ISTAT, the Bank of Italy, and the Ministry of Environment. Payroll, citizen services, and local-government workflows were degraded for weeks.

Victim
Westpole / PA Digitale (Urbi platform)

Ransomware | Contained

Xplain Play ransomware and Swiss federal documents leak (2023)

Play ransomware breached Swiss IT services provider Xplain, exfiltrating 1.3 million files. Approximately 65,000 documents belonging to the Swiss Federal Administration — including classified content, personal data, and readable passwords — were published on Play's dark-web leak site in June 2023.

Victim
Xplain (Swiss IT services provider to the Federal Administration)
Records
1.3M