Rio de Janeiro’s finance department hit by LockBit ransomware

By Jerrell C. Esser Last updated Apr 23, 2022

Rio de Janeiro’s Secretary of State for Finance confirmed on Friday that it was facing a ransomware attack on its systems.

Ransomware group LockBit claimed to have attacked systems connected to government offices, stealing around 420 GB. The group threatened to release the stolen data on Monday.

In a statement to The Record, a spokesperson for Rio de Janeiro’s Secretary of State for Finance said they contacted the law enforcement agency that handles digital crimes in Brazil after being threatened by a cybercriminal who hacked into their systems.

“In the threat, sent this Thursday, the attacker demands payment for withholding allegedly stolen data from Sefaz-RJ’s systems. This data would correspond to only 0.05% of the data stored by the Secretariat,” the spokesperson said.

Rio de Janeiro has the second largest GDP of any city in Brazil after São Paulo and is home to the headquarters of several state-owned companies, including Petrobras, Eletrobras, Caixa Econômica Federal, National Bank for Economic and Social Development, and Vale.

It is one of the financial heartlands of South America, with its economy ranking 30th in GDP among all cities in the world. The city exported $32.5 billion worth of goods in 2021.

The Undersecretariat for Information and Communications Technology (SUBTIC) told The Record it had offered to work with the police on the investigation.

“Since 2020, [SUBTIC] prioritized strengthening information security, which can be proven by the low impact of the attack,” the spokesperson said.

“It is the result of the effectiveness of the actions that have been adopted.”

A ransomware tracker maintained by researchers at Recorded Future, which owns The Record, indicated that LockBit was the second most prolific ransomware gang in 2022 after Conti. They have attacked at least 650 organizations so far this year, according to the data.

The Australian Cyber Security Center (ACSC) issued a security advisory last August warning of a sudden spike in LockBit ransomware attacks.

The group has been operating since September 2019 and was a fringe player before developing a new version of their Ransomware-as-a-Service platform, called LockBit 2.0.

With the demise or retirement of competitors like Darkside, Avaddon, and REvil, LockBit has become one of the most common RaaS platforms.

Jonathan has worked around the world as a journalist since 2014. Before returning to New York, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.