Date: Apr 2022

Location: Brazil

Summary

The Secretary of State for Finance of Rio de Janeiro suffered a ransomware attack by the LockBit group, which claimed theft of approximately 420 GB of data and threatened its public release unless payment was made. The attackers demanded ransom to prevent disclosure of allegedly compromised data, though officials stated this represented only a small fraction of stored information. Authorities engaged law enforcement and digital crime units to investigate the breach, while the Undersecretariat for Information and Communication Technology emphasized prior security enhancements that limited the incident's impact. LockBit, a prominent ransomware-as-a-service operation, escalated its activities following the decline of competing groups, positioning itself among the most prolific threats during this period.

Description

On April 8, 2022, the Secretary of State for Finance of Rio de Janeiro (Sefaz-RJ) publicly confirmed it was responding to a ransomware attack after the LockBit group claimed responsibility. The cybercriminals asserted they had exfiltrated approximately 420 GB of data from systems connected to the government offices and threatened to release the stolen information on April 11 unless payment was made. Sefaz-RJ disclosed that the attackers sent a threat on April 7 demanding payment to prevent data disclosure, characterizing the compromised data as representing only 0.05% of the agency’s total stored information. The Secretary immediately engaged Brazilian law enforcement authorities specializing in digital crimes to investigate the breach. No details regarding operational disruptions, encryption of systems, or specific ransom demands were disclosed in official statements.

Rio de Janeiro, as Brazil’s second-largest economic hub with a GDP ranking 30th globally among cities, faced heightened scrutiny due to the attack’s potential implications for its financial infrastructure and state-owned enterprises. The Undersecretariat for Information and Communication Technology (SUBTIC), responsible for the agency’s cybersecurity, collaborated with law enforcement on the investigation and emphasized its ongoing security initiatives since 2020 as a mitigating factor. SUBTIC attributed the attack’s “low impact” to these preexisting measures, though technical specifics about detection methods, containment actions, or data types stolen were not provided. LockBit, identified by Recorded Future as 2022’s second-most active ransomware operation behind Conti, had already compromised over 650 organizations globally by that time, leveraging its Ransomware-as-a-Service platform LockBit 2.0. The Australian Cyber Security Centre had documented a surge in LockBit activity months prior, noting the group’s increased prominence following the decline of competing operations like REvil and DarkSide. Sefaz-RJ did not confirm whether data was leaked after the April 11 deadline or disclose any financial losses or recovery timelines resulting from the incident.
