Cyber Incident Victim: Tribunal de Justiça do Estado do Rio Grande do Sul
Date: Apr 2021
Location: Brazil
Summary
The Tribunal de Justiça do Estado do Rio Grande do Sul experienced a disruptive REvil ransomware attack that encrypted employee files and rendered documents and images inaccessible, prompting immediate network shutdowns. Ransom notes appeared on Windows desktops, and the court system advised staff against local or remote access to its networks via official communications. Internal discussions among employees and audio recordings described severe operational chaos, with IT personnel reportedly overwhelmed while attempting device restoration. This incident followed a prior ransomware attack on Brazil’s Superior Court of Justice by the RansomEXX gang, which similarly disrupted court activities, including live video sessions, highlighting recurring cybersecurity challenges within the country’s judicial infrastructure.
Description
On April 28, 2021, Brazil’s Tribunal de Justiça do Estado do Rio Grande do Sul (TJRS) experienced a disruptive ransomware attack attributed to the REvil operation. The incident began in the morning when employees discovered they could no longer access documents and images across their systems. Ransom notes appeared on Windows desktops, explicitly identifying the attackers. TJRS administrators promptly detected the encryption activity and responded by publicly advising staff via the court’s official Twitter account to avoid logging into TJ network systems locally or remotely to limit further compromise. The tweet cited system instability and relayed the security team’s directive. Security researcher Brute Bee provided evidence of internal discussions among employees, including shared screenshots of the ransom notes and audio recordings describing the chaotic response. In one recording, a witness characterized the event as "horrible" and "the worst thing that ever happened there," noting IT staff exhibited signs of extreme stress while attempting to manage the crisis.

The attack forced TJRS to shut down its entire network to contain the ransomware’s spread, severely disrupting court operations. REvil’s encryption rendered critical files inaccessible, requiring IT teams to prioritize restoring thousands of affected devices. The incident mirrored a November 2020 ransomware attack against Brazil’s Superior Court of Justice by the RansomEXX gang, which had similarly disrupted live court sessions and government websites. While available reports on the TJRS attack did not explicitly mention data theft or secondary impacts like leaked information, the operational consequences were immediate and severe, halting workflows and demanding extensive recovery efforts. No details regarding ransom demands, payments, or decryption success were disclosed in available reports. The court’s public communications remained limited to initial incident notifications and access restrictions, with no subsequent updates on restoration timelines or long-term effects on judicial activities.
