Brazilian cyber gangs are increasingly stealing data and holding it for ransom, and getting ahead of law enforcement, which is struggling to keep up with an explosion of cyber crimes.
Cybersecurity incidents hit record monthly highs in January and April of this year, according to Brazil’s federal cybersecurity agency.
Recent targets have included major financial institutions with cybersecurity capabilities beyond those of the average Brazilian business. On July 1, a group going by the name of RansomHub, began leaking stolen information from Brazil’s Financial Co-operative System (Sistema de Cooperativas Financeiras do Brasil – Sicoob) a week after Sicoob announced it had been hacked and its data were being held hostage.
The first months of 2024 broke records for the amount of cybersecurity incidents
Number of incidents tracked by the government (Jan 2020 – Jun 2024)
A massive and increasingly online economy, Brazil has become a major target for cybercriminals at home and abroad.
Almost half of the attacks Brazil’s government has detected so far in 2024 involved some sort of data being leaked. With banking, healthcare, education, and so many other industries now taking place online, data is increasingly valuable – and vulnerable.
SEE ALSO: US Crypto Money Laundering Indictment Reflects Increased Enforcement Efforts
One of the biggest threats has been stealer software, which is malware designed to grab people’s login information and other credentials. Brazil is subject to more attacks involving stealer software than any other country in the world, according to cyber threat intelligence company SOCRadar.
Another strategy involves using ransomware to lock up an organization’s data with unbreakable encryption. Either the victims pay to restore their access, or – as in Sicoob’s case – the data gets leaked.
“Today, data is gold,” said Daniela Dupuy, cybercrime prosecutor and director of Argentina’s Observatory of Cybercrime and Digital Evidence for Criminal Investigations (Observatorio en Cibercrimen y Evidencia Digital en Investigaciones Criminales – OCEDIC).
Brazil’s Cybercrime Groups
Cyber criminals often combine specialties, with different members focusing on writing malware, building fake websites, or laundering money. Operating online brings additional challenges to identifying those responsible for cyber attacks, but researchers and law enforcement have been able to identify several groups based in Brazil.
Identifying a group requires collecting digital breadcrumbs until there are enough different connections to show that a specific group is operating together. The type of malware used, the tactics, what targets they go after, usernames, and hours of operations are all analyzed to find unique identifiers that characterize a group – a process that may take years of data collection and analysis.
One prominent Brazilian group is UNC5176. This group has primarily attacked financial institutions, targeting banks throughout Latin America as well as in Spain, according to a report by Google’s Threat Analysis Group (TAG) and cybersecurity firm Mandiant.
UNC5176 uses a specific type of malware called the URSA Trojan or Mispadu. When victims click a link on a fake website or malicious email, the malware installs itself. The program then steals login credentials from the victims’ browsers or creates fake pop-ups when a victim visits a banking site, tricking the user into inputting their banking information, which is then sent to a server in Brazil controlled by the cyber gang.
SEE ALSO: How Russian Cybercrime Group, Conti, Terrorized Latin America and Vanished
A similar malware called Grandoreiro has been making the rounds throughout Brazil. Though multiple groups often use the same malicious software, Grandoreiro has been spreading throughout the region in part due to a group known as FLUXROOT, according to TAG and Mandiant’s analysis.
Then there’s PINEAPPLE, a cybercrime group that impersonates Brazil’s federal tax service. The group has sent fake emails that appear to come from an official government address and created a clone of the department’s website to trick victims into installing malicious software.
While the world of cybercrime is often associated with the dark web, Brazilian groups often operate more above ground.
“Brazil has always had a very kind of unique cyber criminal community,” Luke McNamara, deputy chief of analysis at Mandiant, told InSight Crime. “It’s a lot more Telegram and WhatsApp based, which I think is also unique because it provides a little bit more ease for new membership.”
Brazil’s cyber incidents have overwhelmingly involved data leaks so far in 2024
Number of incidents tracked by the government (Jan – May 2024)
Hunting Ghosts
The remote nature of cyber crimes allows criminal groups to reach victims from afar while law enforcement struggles to identify, locate, and arrest the perpetrators.
The transnational nature of these crimes creates major jurisdictional and cooperative hurdles. UNC5176, for example, has targeted victims in Mexico and Spain, siphoning their data to a server in Brazil. This demands cooperation between law enforcement on different continents and from different government agencies speaking different languages, and operating under different laws and constraints.
Even when the criminals and victims are in the same country, investigations can have a transnational component. Companies regularly use cloud services, where their data is stored on hardware in remote centers, which can complicate the evidence-gathering process.
“Digital evidence … is held by the private sector. They all have their companies or their headquarters abroad, and that’s where they have all the evidence that a prosecutor needs to investigate,” Dupuy said.
SEE ALSO: Digital Wild West: Latin America Unprepared for Crypto-Crime
Digital information is also constantly being written and deleted, with cybercriminals adding new elements to hide their tracks.
“It’s much easier for electronic evidence to be totally destroyed than physical evidence,” Dupuy said.
Brazil has made efforts to bolster its capacity against cybercrime in recent years. The Federal Police launched a specialized unit in 2022 focused on the most complex cyber threats. But it continues to lag behind many of its peers, and came second-to-last out of 20 major countries in terms of cybersecurity policies, according to the MIT Technology Review’s latest Cyber Defence Index.
Prevention is a further struggle. With a lot of the stealer software evading antivirus scans and relying on fooling victims into installing the malware, authorities have limited options in what they can do to stop the scams before they have already made the rounds.
At the same time, the growing awareness of organized cybercrime has pushed many companies to invest in bolstered protections. Cyber threats are now second only to climate change in risks backing businesses in Brazil, according to the Allianz Risk Barometer. And companies are increasingly investing in proactive testing of their cybersecurity defenses to seek out vulnerabilities before criminals find them.