Ransomware · Resolved

Dirección Nacional de Migraciones Netwalker ransomware attack

Netwalker ransomware encrypted the systems of Argentina's national immigration agency, halting all border crossings for about four hours and prompting a $4 million ransom demand that the government refused to pay.

Victim
Dirección Nacional de Migraciones

On 27 August 2020, Netwalker ransomware struck Argentina's Dirección Nacional de Migraciones, the national immigration agency — one of the first ransomware incidents to directly disrupt a country's border-control operations.

What happened

Around 7 AM, immigration offices across Argentina began reporting that they could not access their systems. The Netwalker (also known as Mailto) ransomware had encrypted Windows servers and workstations, targeting Active Directory SYSVOL, System Center DPM, and Microsoft Office files across shared directories and user machines.

The agency's Sistema Integral de Captura Migratoria (SICaM) — the system that processes entries and exits at international checkpoints — was particularly affected. To stop the malware spreading, Migraciones shut down the computer networks at its offices and border posts, suspending all border crossings into and out of Argentina for roughly four hours until servers could be restored from backups.

The ransom

The Netwalker operators left a ransom note demanding $2 million in cryptocurrency, posted to a dark-web payment portal that displayed samples of stolen data. The note warned that the amount would increase if not paid within seven days. When the deadline passed, the demand rose to $4 million — approximately 355 bitcoins.

The Argentine government, through the Ministry of Interior, stated firmly that it would not negotiate with the attackers and expressed little concern about recovering data by paying the ransom, relying instead on restoration from backups. After payment was refused, the operators leaked roughly 1.8 GB of internal documents in retaliation.

Impact

  • All Argentine border crossings were suspended for about four hours, an unprecedented operational impact from ransomware on national infrastructure.
  • Stolen and partially leaked data included internal administrative documents; reporting also referenced records tied to repatriations during the COVID-19 pandemic.
  • Operations were restored from backups; no ransom was paid.

Why it matters

The Migraciones attack was a landmark demonstration that ransomware could halt a sovereign function — the ability to control who enters and leaves a country — not merely encrypt corporate files. Netwalker operated as a ransomware-as-a-service affiliate program and was among the most prolific extortion operations of 2020, targeting hospitals, universities, and governments worldwide before a coordinated international law-enforcement action in January 2021 seized its infrastructure and charged a key affiliate. Argentina's decision to refuse payment and restore from backups became a reference point for public-sector ransomware response in Latin America, while the four-hour border closure underscored how thin the operational margins of critical government systems can be.

Timeline

  1. Around 7 AM, immigration offices report being unable to access systems; Netwalker ransomware has encrypted Windows servers and workstations.

  2. To contain the spread, Migraciones shuts down networks at checkpoints, suspending all border crossings for roughly four hours.

  3. Attackers demand a $2 million ransom via a dark-web portal, threatening to double it if unpaid.

  4. After seven days, the ransom demand rises to $4 million (about 355 bitcoins). Argentina states it will not negotiate.

  5. With the deadline passed and no payment, the operators leak roughly 1.8 GB of stolen internal documents.
