BlueVoyant Observes Ransomware Uptick in Latin America
Why attacks are on the rise and how to protect your organization.
Ransomware has been on the rise in Latin America, according to BlueVoyant’s latest threat intelligence. In the past two months, there have reportedly been three successful attacks against major Latin American institutions: the government of Costa Rica (affecting multiple agencies), Secretary of State for Finance of Rio de Janeiro, and the Intelligence Agency of Peru. The attacks continue to have far-reaching effects.
This week, the attackers posted a threatening message to the Peru government, telling it the group will release files unless a ransom is paid.
On May 8, due to the ransomware attack, the Costa Rican Government declared a state of emergency.
The Current Ransomware Situation
The Costa Rica and Peru offensives are attributable to Conti, one of the most prolific and destructive ransomware operations. Conti has been operational in some form since at least 2017, and was recently subject to leaks after declaring support for Russia’s invasion of Ukraine. Conti quickly replaced that message with a softer-worded message. These leaks do not appear to have impacted Conti’s operational capacity. In that vein, BlueVoyant recently analyzed the Conti leaks and released a comprehensive report.
The Brazilian attack appears to be tied to a different ransomware group, LockBit.
After the Costa Rican government apparently declined to pay the ransom, Conti threatened to attack other Costa Rican organizations. In its messages, Conti made an oblique reference to assistance from the U.S. in responding to the attack; it is unclear whether this refers to U.S. government assistance or to a private incident response firm.
While it appears that Conti did not encrypt the Peruvian intelligence agency's networks, it claimed to have exfiltrated large amounts of data. It also issued the typical (and risible) disclaimer that it has no political objectives; only financial ones, according to BlueVoyant’s threat research.
How to Protect Your Organization
To protect against ransomware, Latin American organizations and others around the globe should focus on improving their cyber defense posture. According to BlueVoyant’s threat intelligence, one way Conti and other attackers gain a foothold is through compromised or misconfigured Virtual Private Network (VPN) connections. BlueVoyant has observed Latin American VPN credentials being traded among ransomware initial access brokers.
In addition, organizations should conduct regular phishing testing and training. Ransomware threat actors and other groups make heavy use of this tactic to trick employees into clicking on links or opening attachments that are laden with malware.
Organizations should also add multi-factor authentication (MFA) to accounts and resources to make it harder for criminals to access networks. MFA requires users to provide two or more verification factors to gain access to an account or resource.
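The two weaknesses just described, VPN credentials that work with a password alone and stolen credentials being replayed by someone far from the legitimate user, both leave traces in VPN authentication logs. The script below is an added example, not BlueVoyant tooling or anything from the original post: it reads a constructed CSV of VPN login events (the column names, sample users and addresses are all assumptions) and reports accounts that established sessions without MFA, and accounts that logged in from more than one country within a one-hour window.

```python
"""Audit VPN authentication events for password-only logins and for one
account arriving from several countries in a short window.
Added example; the log format and field names are assumptions."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log (not from any real VPN appliance); columns are assumed.
SAMPLE_LOG = """timestamp,user,src_ip,country,mfa,result
2022-05-10T08:01:00,alice,203.0.113.10,CR,yes,success
2022-05-10T08:05:00,bob,198.51.100.7,PE,no,success
2022-05-10T08:09:00,alice,192.0.2.44,RU,yes,success
2022-05-10T08:15:00,carol,203.0.113.20,BR,yes,failure
2022-05-10T08:20:00,bob,198.51.100.7,PE,no,failure
"""


def parse_events(text):
    """Parse the CSV log into dicts with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def logins_without_mfa(events):
    """Users who established a session with a password alone (mfa != yes)."""
    return sorted(
        {e["user"] for e in events if e["result"] == "success" and e["mfa"] != "yes"}
    )


def multi_country_logins(events, window=timedelta(hours=1)):
    """Users with successful logins from more than one country inside `window`.

    Returns {user: sorted list of countries seen in the first offending window}.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)

    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["timestamp"])
        for i, first in enumerate(evs):
            countries = {first["country"]}
            for later in evs[i + 1:]:
                if later["timestamp"] - first["timestamp"] > window:
                    break
                countries.add(later["country"])
            if len(countries) > 1:
                flagged[user] = sorted(countries)
                break
    return flagged


def audit(text=SAMPLE_LOG):
    """Run both checks and return the findings as a dict."""
    events = parse_events(text)
    return {
        "no_mfa": logins_without_mfa(events),
        "multi_country": multi_country_logins(events),
    }


if __name__ == "__main__":
    for check, finding in audit().items():
        print(f"{check}: {finding}")
```

On the sample data the audit flags `bob` for password-only access and `alice` for logging in from Costa Rica and Russia nine minutes apart. The country-pair check is deliberately simple (a travel-time model would be the next refinement); the point is that both findings are visible from ordinary VPN logs and are cheap to alert on.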
Another effective step is making sure that employees can only access documents and data they need, a practice called the principle of least privilege. Employees, systems, and other accounts should only be able to access the devices and documents needed to perform their duties. This minimizes the damage that can be done if a system is compromised.
In the end, taking even a few of these precautions will make it less likely that an organization is impacted by ransomware.
Timothy Lehey is a senior analyst and investigative lead at BlueVoyant.