Date: Jan 2023

Location: Brazil

Summary

A ransomware group claimed responsibility for an attack on a São Paulo lawyers' association, contradicting the victim's public denial of data exfiltration. The association initially stated no personal or institutional data leakage occurred, citing encrypted information and functional backups, but the threat actors subsequently published evidence including personal details and later released approximately 200 GB of files alongside additional compromised records.

Description

On January 27, 2023, the Associação de Advogados de São Paulo (AASP), an association representing São Paulo lawyers, publicly acknowledged a cybersecurity incident via its Twitter account. The association did not disclose technical details of the attack but explicitly denied any data exfiltration had occurred. This denial was reiterated in a January 30 tweet, where AASP stated no leakage of personal or institutional data had been detected, emphasizing their use of encrypted data and full backups as protective measures against potential breaches. The ransomware group Ragnar_Locker contested these claims on February 22, posting a message titled "AASP claim there was no data leakage!" on their platform, accompanied by proof contradicting the association’s assertions. The threat actors published samples of compromised data containing personal information to substantiate their claim of a successful breach. AASP did not respond to inquiries from media outlets like DataBreaches.net and issued no further public statements addressing the attackers’ evidence or clarifying the discrepancy between their initial denial and the leaked materials.

The incident escalated when Ragnar_Locker updated their leak site shortly after initial media coverage, releasing approximately 200 GB of files allegedly exfiltrated from AASP’s systems, along with numerous screenshots displaying personal information. This data dump represented a significant expansion of the breach’s scope beyond the initial samples, directly challenging AASP’s repeated assurances about the security of their encrypted backups and the absence of data leakage. The association maintained silence following this development, offering no additional technical explanations, remediation updates, or acknowledgments of the published data. The lack of further communication left the extent of compromised systems, the method of initial intrusion, and the effectiveness of AASP’s encryption controls unaddressed in public records. Ragnar_Locker’s actions demonstrated a deliberate effort to discredit the victim’s narrative while amplifying pressure through the mass release of sensitive information, though no explicit ransom demands or timelines were disclosed in available sources.
