Some Latin American countries may present as easy targets for ransomware attackers due to a general deficit of cyber resources, specifically education, hygiene and overall infrastructure, an analysis from Recorded Future’s Insikt Group said Thursday.
The situation in many of these countries is such that ransomware attacks on local, provincial or federal government entities “could constitute a credible national and geopolitical security risk,” the researchers conclude.
A definitive attack vector could not be assessed in each case. But the “most likely” avenue in many of the cases was some combination of compromised valid credential pairs and session cookies, which are harvested from a successful infostealer infection and sold by initial access brokers on dark web forums, the researchers said.
Anecdotal observations by Recorded Future reflect a “minor” but “sustained increase” in references to initial access sales and database leaks related to Latin American governments starting in around March 2022, the researchers note.
“We have also identified a significant increase in Q1 2022, beginning in February 2022, of references to domains owned by government entities in [Latin America] on dark web shops and marketplaces such as Russian Market, Genesis Store, and 2easy Shop, relative to the same time period in 2021,” they added, although further research and analysis are needed to determine whether there’s a causal link between the increased references and actual ransomware attacks.
The analysis notes the recent high-profile actions taken by the Costa Rican government after Conti, a prolific ransomware crew in the midst of rebranding, attacked the country beginning on April 17. The crew first demanded $10 million, then the ransom doubled to $20 million, with Conti posting messages urging the people of Costa Rica to march in the streets, overthrow the government, and demand the ransom be paid.
The U.S. State Department announced a $10 million reward for information on Conti leadership figures in the wake of the attack. Two days later Costa Rica made history by becoming the first country to declare a national emergency as a result of a ransomware attack.
That attack was followed shortly by the crew’s announcement that it was also connected to an attack on Peru’s intelligence agency. “Have a nice day!” read the May 7 announcement, which included 9.41 gigabytes of data from the agency.
These were just two in a string of ransomware attacks across Central and South America between January and May 2022. Including the attacks in Costa Rica and Peru, ransomware attacks have been logged in Mexico, Ecuador, Brazil and Argentina. Ransomware crews such as ALPHV, LockBit 2.0 and BlackByte have been active in the region, the researchers note.
These attacks follow a rash of attacks in 2021, “a year in which Latin America has seen an explosion in ransomware attacks,” according to InSight Crime, a news organization focused on criminal activity in Latin America.
“Ransomware will likely continue to be incorporated into the attack methods of threat actors targeting public and private entities in [Latin America] due to their availability as ransomware-as-a-service (for non-technical threat actors) and highly successful infection rates,” the researchers concluded. Latin America generally is an “up-and-coming region whose security posture is not as sophisticated or developed as some other regions for various reasons (geopolitical circumstances and developing infrastructure, among others),” and therefore “threat actors may view [Latin American] entities as easy targets for harvesting sensitive and financially lucrative accounts via infostealer infections.”