SERNAC government ransomware attack
Ransomware encrypted the Microsoft and VMware ESXi servers of Chile's National Consumer Service (SERNAC), disrupting its systems and online services and prompting the government CSIRT to issue a state-wide cybersecurity alert.
- Victim: Servicio Nacional del Consumidor (SERNAC)
On 25 August 2022, Chile's Servicio Nacional del Consumidor (SERNAC) — the national consumer-protection agency — was hit by a ransomware attack that encrypted its servers and disrupted its systems and online services, becoming one of the most prominent attacks on a Chilean public institution that year.
What happened
The incident targeted the Microsoft and VMware ESXi servers on SERNAC's corporate networks. The ransomware had the capability to stop all running virtual machines and then encrypt files, which took on the .crypt extension. The attacker gained full control of the affected systems and left a ransom note specifying the volume of data it claimed to have seized.
Because the malware specifically targeted VMware ESXi hypervisors, it could disable large numbers of virtualized workloads at once — a technique that had become increasingly common in 2022. Security researchers who analyzed the sample noted behavior consistent with the RedAlert (also tracked as N13V) ransomware family, which was purpose-built to encrypt ESXi environments on both Windows and Linux.
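The sequence described above (running virtual machines stopped, then files appearing with the .crypt extension) can be turned into a simple correlation check. The following is an added example, not code from the incident reporting; the event format, host names, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format, not from the incident):
# <ISO timestamp> <host> <event kind> <VM name or file path>
SAMPLE_EVENTS = """\
2022-01-01T02:00:01 esx-a vm_power_off vm-01
2022-01-01T02:00:02 esx-a vm_power_off vm-02
2022-01-01T02:00:03 esx-a vm_power_off vm-03
2022-01-01T02:01:10 esx-a file_write /vmfs/volumes/ds1/vm-01/vm-01.vmdk.crypt
2022-01-01T02:01:12 esx-a file_write /vmfs/volumes/ds1/vm-02/vm-02.vmx.crypt
2022-01-01T03:00:00 esx-b vm_power_off vm-09
2022-01-01T09:30:00 esx-b file_write /vmfs/volumes/ds2/vm-09/vm-09.vmdk
"""

def parse(text):
    """Yield (time, host, kind, detail) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        ts, host, kind, detail = parts
        yield datetime.fromisoformat(ts), host, kind, detail

def find_suspect_hosts(text, min_stops=3, window=timedelta(minutes=10)):
    """Return {host: [paths]} for .crypt files written shortly after a
    burst of VM power-offs on the same host."""
    stops = defaultdict(list)   # host -> power-off timestamps
    crypt = defaultdict(list)   # host -> (timestamp, path) of .crypt writes
    for ts, host, kind, detail in parse(text):
        if kind == "vm_power_off":
            stops[host].append(ts)
        elif kind == "file_write" and detail.lower().endswith(".crypt"):
            crypt[host].append((ts, detail))
    findings = {}
    for host, writes in crypt.items():
        hits = []
        for ts, path in writes:
            # Count power-offs in the window immediately before this write.
            recent = [s for s in stops[host] if timedelta(0) <= ts - s <= window]
            if len(recent) >= min_stops:
                hits.append(path)
        if hits:
            findings[host] = sorted(hits)
    return findings

if __name__ == "__main__":
    for host, paths in find_suspect_hosts(SAMPLE_EVENTS).items():
        print(host, len(paths), "suspicious .crypt files")
```

A single VM shutdown followed by ordinary disk writes, as on the constructed host `esx-b`, does not trigger the check.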
Government response
Chile's government Computer Security Incident Response Team (CSIRT), the cybersecurity authority within the Ministry of Interior, escalated the SERNAC incident into a state-wide cybersecurity alert on 29 August, instructing all government agencies and partner entities to review their defenses, apply mitigations, and watch for the indicators of compromise associated with the attack. The alert reflected concern that the same actor or technique could spread across other public bodies.
Impact
- SERNAC's systems and online services were interrupted, affecting the agency's consumer-protection operations.
- Files on the compromised Microsoft and VMware ESXi servers were encrypted with a .crypt extension.
- The Chilean government issued a national-level alert to the entire state apparatus as a precautionary measure.
- There is no public confirmation that a ransom was paid.
Why it matters
The SERNAC attack came in a year when ESXi-targeting ransomware surged globally, exploiting the fact that a single hypervisor compromise can encrypt dozens of virtual servers simultaneously. For Chile, hitting a consumer-protection regulator just months after the Guacamaya military leak reinforced a perception of systemic weakness in public-sector cyber defenses and added urgency to the country's legislative push for a National Cybersecurity Framework and a dedicated National Cybersecurity Agency (ANCI). The CSIRT's rapid escalation to a whole-of-government alert also illustrated a maturing, if still reactive, national incident-response posture in which one agency's breach is treated as a warning to all.
Timeline
Ransomware compromises SERNAC's Microsoft and VMware ESXi servers, halting virtual machines and encrypting files with a '.crypt' extension.
The Chilean government CSIRT issues a state-wide cybersecurity alert after the incident has run for several days.
Authorities confirm the attack is ransomware and circulate indicators of compromise to other public bodies.
Security researchers analyze the malware, noting capabilities consistent with the RedAlert/N13V ESXi-targeting ransomware family.
SERNAC works to restore services and rebuild affected infrastructure while keeping consumer-protection operations running.
Sources
- incibe.es: https://www.incibe.es/en/incibe-cert/publications/cybersecurity-highlights/chilean-governments-csirt-reports-ransomware-attack-sernac
- welivesecurity.com: https://www.welivesecurity.com/la-es/2022/09/02/ataque-ransomware-compromete-sistemas-sernac-chile/
- biobiochile.cl: https://www.biobiochile.cl/noticias/nacional/chile/2022/08/30/csirt-emite-alerta-de-seguridad-cibernetica-para-todo-el-estado-tras-hackeo-al-sernac.shtml
- elmostrador.cl: https://www.elmostrador.cl/noticias/pais/2022/08/29/ente-tecnico-del-gobierno-emite-alerta-al-estado-por-ataque-informatico-al-sernac/