Cyber Incident Victim: Superior Tribunal de Justiça
Date: Nov 2020
Location: Brazil
Summary
A ransomware attack targeted Brazil's Superior Court of Justice during live judicial sessions, disrupting operations by encrypting case files, backups, and virtual machines. Attackers exploited a Domain Admin account to gain administrative access, forcing widespread system shutdowns to contain the infection and suspending all court services for multiple days. The RansomExx gang claimed responsibility, deploying payloads after compromising the network domain controller—consistent with their pattern of high-profile attacks involving data theft and lateral movement. Procedural deadlines were suspended, and personnel were warned against using network-connected devices. The incident mirrored an earlier attack on another state court using a related ransomware variant, highlighting systemic vulnerabilities.
Description
On November 3, 2020, during afternoon video conference judgment sessions, Brazil's Superior Court of Justice (STJ) experienced a ransomware attack that disrupted its information technology network. The court's Secretariat for Information and Communication Technology immediately initiated recovery efforts but was forced to shut down systems to contain the attack’s spread. Forensic analysis revealed attackers compromised a Domain Admin account, granting them access to administrative groups within the virtual environment, which they used to encrypt a significant portion of the court’s virtual machines, including case files and backups. The STJ website and internal systems remained offline for at least two days following the incident, with full restoration efforts ongoing. Court President Humberto Martins announced the suspension of all judgment sessions—virtual and video-based—until November 9, while procedural deadlines for administrative, civil, and criminal cases were paused from November 3–9, resuming November 10 under force majeure provisions. IT staff advised judges, interns, and outsourced personnel to avoid using any computers previously connected to the court network, including personal devices, to prevent further compromise. Concurrently, Brazilian journalist Mateus Nunes reported outages at multiple federal government agency websites, though linkage to the STJ attack remained unconfirmed.

The ransomware gang RansomExx claimed responsibility for the attack, evidenced by a ransom note recovered from an encrypted STJ system. RansomExx operators, known for high-profile attacks since rebranding from Defray777 in mid-2020, typically compromised victims’ domain controllers to deploy ransomware across networked devices while exfiltrating unencrypted sensitive documents. In a message to BleepingComputer, the gang demanded the court send an encrypted file for decryption proof before proceeding with negotiations, though STJ officials did not publicly acknowledge engagement. Investigators linked the attack to an earlier October 27 incident at Pernambuco State Court of Justice (TJPE), where RansomExx encrypted files using the “.tjpe911” extension. The STJ attack caused operational paralysis, forcing the court to operate on reduced “duty” status until November 9, with contingency plans subject to revision based on restoration progress. No data leak or payment details were disclosed in official statements, leaving the full scope of data theft and financial demands unaddressed by authorities.
