Cyber Incident Victim: Light S.A.
Date: Jun 2020
Location: Brazil
Summary
A Brazilian electrical energy company was compromised by Sodinokibi (REvil) ransomware operators, who demanded a $14 million ransom in Monero cryptocurrency and threatened to double the amount if it was not paid by a specified deadline. The attackers exploited a known vulnerability (CVE-2018-8453); researchers who analyzed the packed malware binaries confirmed the ransomware's use of geographic whitelisting and the absence of a universal decryption solution. The victim's website became inaccessible during the incident, and the company acknowledged the breach without disclosing technical specifics. The payment instructions included attacker contact details and a support chat function, and stressed that data recovery depended on the threat actor's private key.
Description
On July 3, 2020, cybersecurity researchers reported that Brazilian electrical energy company Light S.A. suffered a ransomware attack attributed to the Sodinokibi group (also known as REvil). The attackers demanded a $14 million ransom, payable as 106,870.19 Monero (XMR), by June 19, 2020, and threatened to double the demand to 215,882.8 XMR if it went unpaid. Light S.A. confirmed the attack to a local newspaper but withheld technical details about the breach and the specific ransomware variant involved. Security firm AppGate analyzed a malware sample connected to the incident and identified it as Sodinokibi ransomware through technical fingerprinting. The analyzed binary was packed and carried an exploit for CVE-2018-8453 targeting both 32-bit and 64-bit environments, indicating a sophisticated exploitation capability.

The ransomware incorporated a geographical whitelisting feature to avoid executing in certain regions. The attackers provided a payment portal with support chat functionality and decryption instructions, stressing that recovery required their private key because no universal decryptor existed. Light S.A.'s corporate website became inaccessible during the attack timeline, although the exact relationship between this outage and the ransomware incident was not explicitly confirmed. The company did not disclose whether systems beyond web services were affected, nor did it reveal operational impacts, response timelines, or the status of any negotiation with the threat actors. Public evidence suggested that Light S.A. submitted the malware sample to an online sandbox for analysis, indicating engagement with external cybersecurity resources during the incident.
