Ransomware hits Brazil’s National Treasury

Sheila Zabeu

August 17, 2021

The National Treasury Secretariat (STN), linked to the Brazilian Ministry of Economy, suffered a ransomware attack on 13 August.

According to a note posted on the institution’s website, containment measures were applied immediately and the Federal Police were called in. The effects of the criminal acts are being evaluated by security experts from the STN and the Digital Government Secretariat, and remedial measures are being taken.

Also according to the STN, the action did not cause any damage to the institution’s structuring systems, including the Integrated System of Financial Administration (SIAFI) and those related to the Public Debt.

The National Treasury Secretariat is responsible for managing the federal government’s financial resources, which come mainly from taxes paid by citizens. It also assesses the country’s fiscal situation and issues the country’s public debt bonds, which are offered to the public through the Brazilian investment program Tesouro Direto, promoted as a safe way of investing money.

According to the CISO Advisor website, weeks earlier, operators of the Everest ransomware group had mentioned in a post that they had gained access to a network of the National Treasury Attorney General’s Office. According to the attackers, a total of 3.1 GB of data had been posted; however, the files were later removed from the address given in the post. The post did not mention hitting the Ministry of Economy.

Other events

This is not the first case of a ransomware attack on Brazilian governmental bodies to have been reported recently.

In November 2020, the Superior Court of Justice (STJ) was left inoperable after suffering an attack during trial sessions. As a precaution, virtual and videoconference trial sessions were suspended, along with procedural deadlines, until the systems were restored. Also according to the CISO Advisor website, an audio report made by an employee of the body’s IT area indicates that it was a ransomware attack in which more than 1,200 servers, most of them virtual machines, were encrypted.

The report states that the virtualized environment was encrypted with all the information of the STJ’s IT department, except for judicial processes, which run in a separate area of the virtualized system. According to the professional who made the report, “the entire IT is almost in mourning because one does not expect such an incident to occur.”

A ransom note recovered from one of the encrypted computers shows that the RansomEXX gang was behind the STJ break-in.

According to an anonymous source cited by the BleepingComputer website, the systems of the Court of Justice of the State of Pernambuco (TJPE) were also hit by the RansomEXX group on 27 October 2020, with files encrypted using the .tjpe911 extension. RansomEXX is highly targeted: each of its samples has the name of the victim organization hard-coded (encrypted inside the sample). Furthermore, both the encrypted file extension and the email address used to contact the cyber gang incorporate the victim’s name.
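The victim-specific suffix described above (a normal document extension with a new, unfamiliar one appended, as in report.pdf.tjpe911) is a pattern a defender can look for across a file share. The following is an added detection example, not code from the article or from any of the organisations it mentions; the baseline extension set, the thresholds and the sample file list are all constructed for illustration.

```python
from collections import Counter
from pathlib import PurePosixPath

# Assumed baseline: extensions this particular share is expected to contain.
KNOWN_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".txt", ".jpg", ".log", ".gz", ".tar"}

# Words commonly seen in ransom-note file names (assumed heuristic list).
NOTE_MARKERS = ("readme", "recover", "decrypt", "how_to", "restore")

# Constructed sample of paths as a file-integrity job might list them.
SAMPLE_PATHS = [
    "/share/finance/budget_2020.xlsx.tjpe911",
    "/share/finance/contracts/vendor_a.pdf.tjpe911",
    "/share/finance/contracts/vendor_b.pdf.tjpe911",
    "/share/legal/case_1123.docx.tjpe911",
    "/share/legal/case_1124.docx.tjpe911",
    "/share/legal/notes.txt.tjpe911",
    "/share/legal/!_README_RECOVER_FILES.txt",
    "/share/it/backup_2020-10.tar.gz",
    "/share/it/server.log",
    "/share/hr/photo.jpg",
]


def find_mass_rename(paths, known_extensions=KNOWN_EXTENSIONS, min_files=5):
    """Return {suffix: count} for unknown suffixes appended on top of a
    known extension on at least min_files files. Many files gaining the
    same previously unseen suffix at once is the mass-encryption signal
    the text describes; a single odd file is ignored to limit noise."""
    counts = Counter()
    for path in paths:
        suffixes = PurePosixPath(path).suffixes
        if len(suffixes) < 2:
            continue  # no double extension, so nothing was appended
        inner, outer = suffixes[-2].lower(), suffixes[-1].lower()
        if inner in known_extensions and outer not in known_extensions:
            counts[outer] += 1
    return {ext: n for ext, n in counts.items() if n >= min_files}


def find_ransom_notes(paths, markers=NOTE_MARKERS):
    """Return paths whose file name contains a ransom-note marker word.
    Used together with find_mass_rename: a note next to renamed files
    raises the confidence that the rename is an encryption event."""
    hits = []
    for path in paths:
        name = PurePosixPath(path).name.lower()
        if any(marker in name for marker in markers):
            hits.append(path)
    return sorted(hits)
```

Running find_mass_rename over SAMPLE_PATHS reports the .tjpe911 suffix on six files, and find_ransom_notes returns the README file beside them; either signal alone is worth an alert, both together warrant immediate isolation of the host.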

RansomEXX operators also published confidential documents from Embraer, Brazil’s leading aerospace company and one of the most important in the world, on the Dark Web in late 2020. The group had broken into the company’s network and encrypted its servers. The names of the leaked files suggest they deal with commercial contracts, photos of flight simulations, and source code, among other things.

Recently, Taiwanese hardware component manufacturer Gigabyte also fell victim to the RansomEXX group, which threatened to publish 112 GB of stolen data if a ransom was not paid. The attack occurred in early August and affected several of the company’s websites, including its support site.

Responsible for financial losses and for paralyzing companies’ activities, ransomware attacks are on a strong upward trend in Brazil. According to data from Check Point Software, attacks of this type have increased by 92% in the country since the beginning of 2021, in line with a global trend that recorded a 41% rise in attacks over the same period.

According to the company, Latin America and Europe were the regions that suffered the most from ransomware attacks, recording increases of 62% and 59% respectively. The sectors that have suffered the most are education (up 347%), transportation (186%), retail/wholesale (162%), and healthcare (159%).

Key trends indicated by Check Point include:

• Global increase in cyber attacks: in the first half of 2021, in the EMEA region, the average weekly number of attacks per organization was 777, an increase of 36%. Organizations in the APAC region experienced 1,338 weekly attacks, an increase of 13%. Specifically in Europe there was a 27% increase, while Latin America saw a 19% increase in weekly attacks on organizations.

• Increase in ransomware and “triple extortion” attacks: globally, the number of ransomware attacks on organizations increased 93% in the first half of 2021 compared with the same period last year. Increasingly, in addition to stealing sensitive data from organizations and threatening to release it publicly unless a ransom is paid, attackers are now targeting those organizations’ customers and/or business partners and demanding a ransom from them as well.

• Supply chain attacks have also increased: the well-known SolarWinds supply chain attack stands out in 2021 due to its scale and influence; however, other sophisticated supply chain attacks have occurred, such as Codecov in April and, more recently, Kaseya.

• A race to become Emotet’s successor: after this botnet was taken down in January, other malware families are rapidly gaining ground, such as Trickbot, Dridex, Qbot, and IcedID.

Forecast for the second half of 2021

According to analysts at Check Point, ransomware will keep growing despite law-enforcement efforts against attacks and threats. The increasing use of penetration tools will give attackers the ability to customize their attacks in real time. The popularisation of attacks that target collateral victims will require a specific security strategy aimed at minimizing this damage.

“In the first half of 2021, cybercriminals continued to adapt their practices to exploit the shift to hybrid working, targeting organizations’ supply chains and network links to partners to cause as many disruptions as possible,” says Maya Horowitz, director of Threat Intelligence Research at Check Point’s Check Point Research (CPR) division.