Latin American Governments Targeted By Ransomware

Recorded Future examined the recent escalation of cyberattacks on Latin American (LATAM) governments from January 2022 until May 2022. We analyzed vulnerabilities, attack vectors, and indicators of compromise (IOCs), identified the most prevalent ransomware gangs targeting LATAM governments, and highlighted the lack of proper cybersecurity hygiene in the region. This report includes information gathered using the Recorded Future® Platform, dark web sources, and open-source intelligence techniques (OSINT).

Executive Summary

We identified several government entities in Latin America (LATAM) that have been affected by ransomware attacks, likely involving Russian or Russian-speaking threat actors, beginning on or around April 2022. Countries affected include Costa Rica, Peru, Mexico, Ecuador, Brazil, and Argentina, among others, all of which have publicly condemned Russia for invading Ukraine at the United Nations General Assembly (UNGA). Some of these countries also voted to suspend Russia from the United Nations Human Rights Council (UNHRC) in early April 2022. More recently, national emergencies have been issued regarding these attacks, such as in Costa Rica. Ransomware groups involved in these attacks against governments in LATAM include Conti, ALPHV, LockBit 2.0, and BlackByte. We have anecdotally identified a noticeable increase in initial access brokerage (IAB) services on top-tier Russian-language dark web and special access forums such as XSS and Exploit advertising low-cost, compromised network access methods related to entities in LATAM. We have also observed several high-profile database leaks related to entities in LATAM on low-tier and mid-tier English-speaking forums such as BreachForums, with data dumps spiking in April 2022. Additionally, we observed a significant increase in the sale of compromised credentials affecting LATAM government domains on dark web shops in Q1 and Q2 2022, relative to 2021. These observations and trends could represent a paradigm shift in the ransomware and broader cybercriminal community related to “unwritten rules” and internal group policies on the targeting of government entities.

Key Judgments

Threat Analysis

Attack Vectors

As of May 26, 2022, we cannot definitively determine the attack vector employed by ransomware operators and affiliates targeting LATAM government entities. However, the most common method by which threat actors obtain initial access to networks is through the use of compromised valid credential pairs (T1078) and session cookies (T1539), which are often harvested from a successful infostealer infection (T1555, T1083) and sold by specialized “initial access brokers” on dark web and special-access sources. This is the most likely avenue by which such threat actors gained access to compromised LATAM government networks. These infostealers are often spread via phishing (T1566), spamming, the unintentional downloading of a malicious (T1204) or masquerading (T1036) file, and various other methods. We have observed a minor, sustained increase in references to initial access sales and database leaks targeting LATAM government entities on dark web and special-access sources, beginning in approximately March 2022. These observations are recorded anecdotally via Insikt Group’s daily threat leads, analyst notes, and reports. We have observed several threat actors, such as “zirochka”, on the top-tier Russian-language forums XSS and Exploit auctioning compromised network accesses targeting entities in LATAM in bulk for relatively low prices (< $100).
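Because the initial-access chain above rests on replayed credentials and session cookies rather than on an exploit, the corresponding detection point is the authentication log. The following is an added example (not code from the report or from Recorded Future) that runs two checks over constructed web-application auth log lines: reuse of one session ID from a second IP/user-agent fingerprint, which is what a cookie stolen by an infostealer (T1539) looks like in practice, and an account authenticating from two countries inside a short window (T1078). The log format, field names, country codes, and the one-hour window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): "<iso_ts> user=<u> sid=<session> ip=<a> geo=<cc> ua=<fingerprint>"
LOG_RE = re.compile(r"^(\S+) user=(\S+) sid=(\S+) ip=(\S+) geo=(\S+) ua=(\S+)$")

# Constructed sample lines using documentation IP ranges; the third line models a
# stolen cookie being replayed from another host, country and browser fingerprint.
SAMPLE_LOGS = """
2022-04-04T09:00:00 user=jperez sid=s-a1 ip=203.0.113.10 geo=CR ua=chrome-win
2022-04-04T09:05:00 user=jperez sid=s-a1 ip=203.0.113.10 geo=CR ua=chrome-win
2022-04-04T09:20:00 user=jperez sid=s-a1 ip=198.51.100.7 geo=NL ua=firefox-linux
2022-04-04T10:00:00 user=mlopez sid=s-b2 ip=192.0.2.22 geo=PE ua=edge-win
2022-04-04T10:30:00 user=mlopez sid=s-b2 ip=192.0.2.22 geo=PE ua=edge-win
2022-04-04T13:00:00 user=mlopez sid=s-c3 ip=192.0.2.40 geo=MX ua=edge-win
""".strip().splitlines()


def parse(lines):
    """Parse log lines into dicts, skipping malformed lines, and order them by time."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, user, sid, ip, geo, ua = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "sid": sid, "ip": ip, "geo": geo, "ua": ua})
    return sorted(events, key=lambda e: e["ts"])


def detect_session_replay(events):
    """T1539 indicator: one session ID presented from more than one (ip, ua) pair."""
    seen = defaultdict(set)
    findings = []
    for e in events:
        fp = (e["ip"], e["ua"])
        if seen[e["sid"]] and fp not in seen[e["sid"]]:
            findings.append(("session_replay", e["user"], e["sid"], e["ip"]))
        seen[e["sid"]].add(fp)
    return findings


def detect_impossible_travel(events, window=timedelta(hours=1)):
    """T1078 indicator: the same account authenticating from two countries inside the window."""
    last, findings = {}, []
    for e in events:
        prev = last.get(e["user"])
        if prev and prev["geo"] != e["geo"] and e["ts"] - prev["ts"] <= window:
            findings.append(("impossible_travel", e["user"], prev["geo"], e["geo"]))
        last[e["user"]] = e
    return findings


if __name__ == "__main__":
    ev = parse(SAMPLE_LOGS)
    for f in detect_session_replay(ev) + detect_impossible_travel(ev):
        print(f)
```

The mlopez MX login at 13:00 is deliberately outside the one-hour window, so only the jperez events are flagged; tune the window and the fingerprint fields to your own identity provider's logs.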

Figure 1: Timeline of ransomware attacks on LATAM government entities, mapped to references to LATAM on dark web and special-access sources (Source: Recorded Future)

We have observed a slight increase in database dumps related to LATAM government entities, beginning in March 2022 and spiking on April 4, 2022. We have also identified a significant increase in Q1 2022, beginning in February 2022, of references to domains owned by government entities in LATAM on dark web shops and marketplaces such as Russian Market, Genesis Store, and 2easy Shop, relative to the same time period in 2021. These dark web shops and marketplaces specialize in the sale of compromised account credentials, remote desktop protocol (RDP) and secure shell (SSH) accesses, and infostealer malware “logs” that can be utilized to gain access to a victim’s network. While we cannot determine any direct or causal link between the increased supply, frequency, and volume of advertisements targeting government entities and domains in LATAM to ransomware attacks targeting LATAM government entities, we believe that such trends and observations warrant further research to analyze and determine any possible correlation.

Figure 2: Examples of bulk initial access auctions targeting unspecified entities in LATAM (Source: Exploit Forum)

Ransomware Gangs Targeting LATAM Government Entities

We have observed at least 4 high-credibility ransomware gangs targeting LATAM government entities since April 1, 2022. These gangs include Conti, ALPHV (BlackCat), LockBit 2.0, and BlackByte. These incidents constitute a significant escalation in the severity and impact of ransomware targeting. Generally, ransomware affiliates avoid targeting healthcare facilities, K-12 educational institutions, international organizations and coalitions, and local, provincial, or federal governments. The risk of negative publicity and stigmatization on dark web and special-access forums, mainstream media attention, and international law enforcement activity increases dramatically once targets in these industries are attacked. It is possible that the targeting of LATAM entities by presumably Russian or Russian-speaking ransomware gangs could mark the beginning of a paradigm shift in which targets that a group's internal rules previously placed off-limits could now become viable targets for ransomware operations.

Conti

The most noteworthy of these targets is the attack on the government of Costa Rica by Conti, which resulted in the world’s first nationwide emergency declared as the result of a ransomware attack. The attack, likely perpetrated and publicized by ransomware affiliate or affiliate group “unc1756”, also likely known as “wazawaka”, has garnered widespread media and law enforcement attention. Since affiliates often work independently from the larger ransomware “brand”, it is possible that the attacks on Costa Rica that were claimed by Conti are not the work of the larger group. Conti has claimed to have exfiltrated, encrypted, or destroyed approximately 1TB of sensitive information related to the administration and operations of several Costa Rican entities including the Ministry of Finance (hacienda[.]go[.]cr), the Ministry of Labor and Social Security (mtss[.]go[.]cr), the Development Fund and Family Allowances Bureau (fodesaf[.]go[.]cr), and the Interuniversity Headquarters of Alajuela, Costa Rica (siua[.]ac[.]cr). Previous Conti posts also made vague references to controlling public utilities such as water and electricity, likely indicating indirectly that the group had access to Costa Rican industrial control system / supervisory control and data acquisition (ICS/SCADA) environments. However, we are not able to verify these claims. Conti followed their claims of an attack on Costa Rica with an attack on Peru that affected the General Directorate of Intelligence (digimin[.]gob[.]pe) and Ministry of Economics and Finance (mef[.]gob[.]pe).

Figure 3: Announcements of attacks on Costa Rican and Peruvian government entities by the Conti Gang (Source: Conti.News)

ALPHV (BlackCat)

On April 16, 2022, the ransomware gang ALPHV (BlackCat) leaked an unspecified amount of compromised data related to the Municipality of Quito, Ecuador (quito[.]gob[.]ec). This marked the first time that ALPHV targeted a government entity located in LATAM. According to Ecuadorian media, this attack took several services offline for an unspecified amount of time. This is a noteworthy event, as the Mayor’s Office of the Municipality of Quito and the State Attorney General’s Office confirmed that the initial attack caused the “suspension” of several critical government services, which caused an “inconvenience to users who have not been able to carry out procedures.” As of April 25, 2022, all of the information claimed to have been exfiltrated by ALPHV is available to download for free on a .onion domain provided on the public-facing ALPHV extortion website with the same name. Compromised information likely includes sensitive financial, legal, and political documents related to the operations and administration of the Municipality of Quito, Ecuador. This information, if leveraged by an opportunistic threat actor, criminal, or nation-state, could prove to be damaging to Ecuador’s national security.

Figure 4: Announcements of an attack on the Municipality of Quito, Ecuador from the BlackCat Ransomware Group (Source: ALPHV)

LockBit 2.0

On May 23, 2022, the LockBit 2.0 ransomware gang published to their blog leaked files related to the Secretary of Health of the State of Morelos, Mexico (saludparatodos[.]ssm[.]gob[.]mx), a breach that was initially disclosed on or around May 16, 2022. This disclosure followed a previous claim on April 22, 2022 that LockBit 2.0 had compromised the network of the Secretary of State for Finance of Rio de Janeiro, Brazil (fazenda[.]rj[.]gov[.]br). Neither of these incidents was widely reported in Mexican or Brazilian media. As of April 25, 2022, it is unclear whether the attacks resulted in a significant disruption of critical services related to the government entities. Additionally, also as of April 25, 2022, all of the information claimed to have been exfiltrated by the LockBit 2.0 ransomware gang is available to download for free on the public-facing LockBit 2.0 extortion website called LockBit 2.0 Leaked Data. The compromised information likely includes sensitive financial, legal, and political documents related to the operations and administration of these entities. This information, if leveraged by an opportunistic threat actor, criminal, or nation-state, could prove to be damaging to the national security of Mexico and Brazil.

Figure 5: Announcements of attacks on Mexican and Brazilian government entities by the LockBit Gang (Source: LockBit Blog)

BlackByte

On May 21, 2022, the BlackByte ransomware operators published claims on their public-facing extortion website named BlackByte Blog that they had compromised the internal network of the Comptroller General of the Republic of Peru (contraloria[.]gob[.]pe). As of April 25, 2022, the BlackByte ransomware operators have not published any noteworthy data related to this government entity. This attack has yet to be confirmed by any representatives of the Comptroller General of Peru and has not been extensively reported on in Peruvian or Spanish-language media. As of this writing, we cannot determine if this attack caused the disruption of critical services provided by the comptroller general, although it is likely that any detected service disruptions on the domain are related to this attack.

Figure 6: Announcement of an attack on a Peruvian government entity by the BlackByte Ransomware Gang (Source: BlackByte Blog)

Although most countries in LATAM have adopted a national cybersecurity strategy, there is still much work to be done to improve the cyber capacity and security posture of both the private and public sectors; at the moment, only 3 LATAM countries (Brazil, the Dominican Republic, and Mexico) are members of the 30-plus-country ransomware task force. The most effective investment would be to give residents of LATAM and the Caribbean in-person or remote access to IT security-oriented schools and training institutions. Educational and training institutions in the region simply cannot keep up with the current demand for IT security professionals. Investments in education, training, and apprenticeship programs would make the most difference in building capacity, closing the cyber skills gap, and getting more individuals into the cyber talent pipeline. Supporting and encouraging younger individuals to seek education and training in the cyber realm can drastically reduce the skills shortage and improve public awareness of cyber threats; the region has been particularly affected by cybercrime and fraud during the pandemic.

While it is difficult to compare countries given their differing approaches to cybersecurity, some have decided to leave cybersecurity to private firms while others have leaned on government agencies and the military to combat cybercriminals. According to the Organization of American States (OAS) cybersecurity observatory, most LATAM countries are in the early stages of cybersecurity development. As a result, there is still a lot to accomplish and implement in terms of cybersecurity policies in Central American and Caribbean countries. Nevertheless, countries such as Argentina, the Dominican Republic, Ecuador, Panama, and Peru, among others, are making significant efforts to advance their cyber capabilities. Only a small number of countries, including Brazil, Uruguay, Colombia, and Chile, have established policies, legal frameworks, institutional capacity, and human capital resources. Although still developing, countries such as Brazil, Colombia, Chile, and Mexico have taken the lead in broadening their institutional capacities, including the development of cyber laws, policies, and regulations. There is also increased expertise in the private sector, primarily the financial sector, within these nations.

Mitigations

It is crucial to maintain offline backups of your organization’s data and ensure that these backups stay up to date to prevent data loss in the event of a ransomware infection. Additionally, we recommend the following mitigations to reduce overall risk and impact:

Outlook

Ransomware will likely continue to be incorporated into the attack methods of threat actors targeting public and private entities in LATAM due to its availability as ransomware-as-a-service (for non-technical threat actors) and its highly successful infection rates. Compromised accounts and networks are highly sought after by threat actors and will remain in high demand because they can be used in a number of attack vectors, including but not limited to account takeovers, identity theft, social engineering, credential stuffing, and brute forcing. As LATAM is an up-and-coming region whose security posture is not as sophisticated or developed as that of some other regions for various reasons (geopolitical circumstances and developing infrastructure, among others), threat actors may view LATAM entities as easy targets for harvesting sensitive and financially lucrative accounts via infostealer infections.

As incident response teams in the region build up their security posture, threat actors are likely to continue to enhance and create infostealer variants to target organizations in LATAM with the intent of harvesting personal and corporate account login details and other important data.