Cyber Incident Victim: Sicoob

Date:

Jun 2024

Location:

Brazil

Summary

A Brazilian credit cooperative system experienced a ransomware attack by the RansomHub group, which leaked stolen data on the dark web containing sensitive documents such as NDAs, personal client and employee information, financial records, source code, and databases. The attackers claimed access to internal vulnerabilities and threatened further leaks unless demands were met, though the published data volume appeared smaller than initially advertised. The organization confirmed the cyber incident affected a local cooperative's environment but stated core financial systems remained uncompromised, with operations continuing normally across all branches. Investigations into the full scope are ongoing with relevant authorities. RansomHub, suspected to be a rebranded variant of the Knight ransomware with potential Russian ties, operates as a ransomware-as-a-service entity and has rapidly expanded its activities since emerging earlier this year.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On June 1, 2024, the RansomHub ransomware group claimed responsibility for a cyberattack against SICOOB, a Brazilian credit cooperative system comprising 334 member cooperatives. The attackers began leaking stolen data on the dark web during the same week, providing access to 26 directories containing 676 files. Cybersecurity publication CISO Advisor analyzed the leak, noting the data volume fell significantly short of the 1 TB claimed by RansomHub and appeared to originate from an employee or management workstation. One directory bore an individual's name, while only one folder referenced financial matters. The leaked material included confidential documents related to legal proceedings, though most directories showed no apparent connection to financial operations. On June 24, SICOOB confirmed a localized cybersecurity incident affecting one cooperative's environment after RansomHub published documents identifying Unicentro BR, a Goiânia-based member cooperative. The attackers issued a 72-hour ultimatum threatening further data leaks, claiming possession of non-disclosure agreements, client and employee personal data, financial records, IT source codes, databases, and internal departmental reports. RansomHub asserted SICOOB's network contained multiple vulnerabilities enabling control over corporate processes and warned that client funds remained at risk of theft.

SICOOB responded that financial transactions for all cooperatives and members were processed through infrastructure separate from the compromised systems, maintaining operational integrity. The institution confirmed all 4,639 service locations across 2,396 municipalities continued normal operations through physical and digital channels, serving 8 million members including 401 cities where it operates as the sole financial institution. Forensic investigations into the incident's full scope remained ongoing with relevant authorities. Security firm Viva Security identified RansomHub as an emerging ransomware-as-a-service operation likely derived from the earlier Knight ransomware, noting its rapid expansion since first observed attacks in February 2024. Researchers cited potential Russian connections based on the group's target exclusion patterns, though its exact origins remained unverified. The cooperative maintained that no evidence indicated compromise of core financial systems while continuing to assess potential impacts from the localized breach.

Sources

1 source (available to members)