Latin America in the crosshairs of cybercrime: increase in ransomware attacks worries organizations

By Ismael Rocha: In recent months, we have seen a significant drop in the activity of some of the most notorious ransomware groups. Several operations by international authorities have resulted in arrests and the dismantling of these criminals' infrastructure, impacting their ability to operate. However, while some groups disappear, new malicious actors quickly fill the vacuum they leave behind.

These new groups often adopt novel and more sophisticated tactics, making attacks harder to defend against. The constant evolution of cyber threats reflects how readily criminals adapt to new circumstances in pursuit of illegal financial gain.

Attacks on Latin America

In 2024, Latin America has faced a significant increase in ransomware attacks. These criminal groups have become more sophisticated, using advanced tactics to extort large sums of money from victims. Governments and companies in the region are being targeted, resulting in significant service disruptions and financial losses. Critical infrastructure, such as hospitals and transportation systems, is also being targeted frequently. The lack of adequate resources and technology makes it difficult to respond efficiently to these attacks.

Observed ransomware groups

Recently, ransomware groups have intensified their attacks in Latin America, specifically in Brazil, hitting various industries and governments in the region. Some of the most notable groups are:

Qiulong

Qiulong is a ransomware group that emerged in 2024, possibly of Asian origin, but with significant operations in Latin America, especially in Brazil. The name "Qiulong" can be translated as "hornless dragon" or "horned dragon", suggesting a connection with Asian culture, although the group has focused its activities on South America.

Methods and tactics

Qiulong uses the double extortion technique: it not only encrypts victims' systems but also steals sensitive data. This increases the pressure on victims to pay the ransom, as the stolen data may be published if the ransom is not paid. The group begins its attacks by compromising exposed remote services and using phishing to gain initial access to victims' networks.

Figure: Qiulong's .onion page for leaking victims' information
Figure: Victims of the group so far

Arcus Media

This group was recently identified by ISH's Heimdall intelligence team and has been observed attacking organizations in South America. So far, most of the attacks have targeted organizations in Brazil. The group uses advanced double extortion tactics: it not only encrypts victims' data but also threatens to disclose sensitive stolen information, increasing the pressure on victims to pay the ransom.

Figure: Arcus Media's .onion page for leaking victims' information

Other well-known ransomware groups have also been observed carrying out attacks against organizations in Brazil and Latin America, such as Trigona, Hunters International, Rhysida, a LockBit variant, RansomHub, DarkVault, Akira and others.

Statistics by term

A quick look at Google Trends for the term "ransomware" in Brazil, comparing the first half of 2023 with 2024 up to the month of May, shows that Brazilians have already made more searches for the term this year. This is consistent with the attacks the country has suffered recently, as people and organizations become more aware of the subject.

Figure: Google Trends comparison for 2023 (blue) and 2024 (red)

Methods used for successful operations

The ransomware groups attacking organizations in Latin America, especially in Brazil, use various effective methods to break into systems. Phishing and spear phishing are common tactics, in which malicious emails are sent to trick victims into clicking on infected links or attachments.

Exploiting vulnerabilities in outdated software is another frequent technique, allowing attackers to gain access through known security flaws. In addition, brute force attacks and leaked credentials are used to compromise accounts with weak or reused passwords. Another method is the use of remote access trojans (RATs), which allow attackers to control infected systems.

Social engineering is also widely employed, manipulating employees into revealing sensitive information or downloading malicious software. These methods, combined with advanced evasion techniques to avoid detection by security tools, significantly increase the chances of success of ransomware attacks in the region.

How to protect yourself from ransomware attacks?

Protection against ransomware groups is crucial for organizations in Latin America due to the growing number of cyber attacks in the region. These attacks can cause significant disruptions to operations, loss of sensitive data and damage to companies' reputations. Investing in robust cybersecurity, such as regular backups, software updates and employee training, is essential to mitigate these risks.

In addition, a rapid and effective response to incidents can minimize negative impacts. Collaboration between organizations and governments in the exchange of threat information also strengthens collective defence. Protecting against ransomware is therefore vital to ensuring business continuity and data security in Latin America.

ISH lists below some measures that can be adopted to mitigate infection by this malware:

Education and training

  • Make sure that all employees are aware of the risks of ransomware and know how to spot phishing attempts. Regular training programs can help keep staff up to date on the latest tactics used by cybercriminals.

Implementation of cyber security measures

  • Multi-factor authentication (MFA): Use MFA for all user accounts, especially those with access to sensitive information and critical systems.
  • Network segmentation: Divide the network into smaller segments to limit the spread of ransomware in the event of infection.
  • Principle of least privilege: Ensure that users only have the access they need to perform their tasks, minimizing the potential for privilege abuse.
  • Regular updates and patches: Keep all systems, software and devices up to date with the latest patches to correct vulnerabilities that can be exploited by attackers.
  • Data Backup: Make regular backups of all critical data and store them in secure locations isolated from the main network. Test backups regularly to ensure that they can be restored quickly in the event of an attack.
  • Cloud security: Use robust security practices for cloud environments, such as data encryption, strict access control and monitoring of cloud activities.

Monitoring and incident response

  • Continuous monitoring: Use monitoring tools to detect suspicious or anomalous activity on the network in real time.
  • Incident response plans: Develop and regularly test incident response plans to ensure a quick and effective response in the event of an attack.
  • Collaboration and information sharing: Participate in information-sharing networks and collaborate with other organizations and authorities to stay up to date on security threats and best practices.

MITRE ATT&CK - TTPs

Below are the most frequently observed TTPs (Tactics, Techniques and Procedures) of the groups presented in this security report.

Tactic (Technique): Details

Initial Access (T1566, T1078): Sending phishing emails with malicious links or attachments. Acquisition of compromised RDP and VPN accounts from initial access brokers to gain access to the victim's network.
Execution (T1059): Use of PowerShell and other scripting tools to execute commands, modify the registry and deploy additional malware in the victim's environment.
Persistence (T1053): Setting up scheduled tasks to ensure that the ransomware is executed after system reboots.
Privilege Escalation (T1548): Use of mechanisms to escalate privileges within the compromised system, allowing attackers to perform actions with elevated permissions.
Defense Evasion (T1070, T1112): Removing logs and other artifacts to avoid detection and hinder incident response. Modification of registry keys to change system settings and drop ransom notes.
Credential Access (T1110): Use of brute force attacks to compromise credentials, especially for RDP and VPN accounts.
Discovery (T1083): Enumeration of files and directories to identify sensitive data that can be encrypted or exfiltrated.
Lateral Movement (T1021): Use of remote services such as RDP to move laterally within the compromised network.
Collection (T1113): Screen capture to obtain sensitive information displayed on the victim's monitor.
Exfiltration (T1041): Data exfiltration through command and control (C2) channels out of the victim's network.
Impact (T1486): Encryption of critical data to extort ransoms from victims.

Table: MITRE ATT&CK TTPs
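As an added example (not part of the original report), the following Python script shows how a defender could map several of the TTPs above to detections over Windows Security log events: repeated RDP logon failures followed by a success (T1110, then T1078), scheduled task creation (T1053) and clearing of the audit log (T1070). The events are constructed samples; the threshold and the event field layout are assumptions for the example.

```python
from collections import Counter

# Constructed sample events, not real telemetry. Fields follow the Windows
# Security log: event ID (4625 failed logon, 4624 successful logon,
# 4698 scheduled task created, 1102 audit log cleared), logon type
# (10 = RemoteInteractive, i.e. RDP), source IP, account and a short detail.
SAMPLE_EVENTS = [
    (4625, 10, "203.0.113.10", "svc_backup", "logon failure"),
    (4625, 10, "203.0.113.10", "svc_backup", "logon failure"),
    (4625, 10, "203.0.113.10", "svc_backup", "logon failure"),
    (4625, 10, "203.0.113.10", "svc_backup", "logon failure"),
    (4625, 10, "203.0.113.10", "svc_backup", "logon failure"),
    (4624, 10, "203.0.113.10", "svc_backup", "logon success"),
    (4698, 0, "-", "svc_backup", "scheduled task created: \\Updater"),
    (1102, 0, "-", "svc_backup", "audit log cleared"),
]

FAILURE_THRESHOLD = 5  # failed RDP logons per (source, account) before alerting (assumed)


def detect(events, threshold=FAILURE_THRESHOLD):
    """Return (technique, message) findings in the order they were triggered."""
    findings = []
    failures = Counter()  # (source_ip, account) -> failed RDP logon count
    for event_id, logon_type, src, account, detail in events:
        key = (src, account)
        if event_id == 4625 and logon_type == 10:
            failures[key] += 1
            if failures[key] == threshold:  # alert once, when the threshold is crossed
                findings.append(("T1110", f"{threshold} failed RDP logons for {account} from {src}"))
        elif event_id == 4624 and logon_type == 10 and failures[key] >= threshold:
            # A success right after a burst of failures suggests the brute force worked
            findings.append(("T1078", f"RDP logon success for {account} from {src} after brute force"))
        elif event_id == 4698:
            findings.append(("T1053", f"scheduled task created by {account}: {detail}"))
        elif event_id == 1102:
            findings.append(("T1070", f"security audit log cleared by {account}"))
    return findings


if __name__ == "__main__":
    for technique, message in detect(SAMPLE_EVENTS):
        print(technique, message)
```

In practice the same logic would be expressed as a SIEM rule over the real event fields, with the threshold tuned to the environment's baseline of failed logons.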
