
Ransomware Gangs and Hacktivists
Cyber Threats to Governments in Latin America and the Caribbean
Disclaimer: The information presented in this StoryMap is based on various sources and research materials developed by the author. For detailed references, readers are encouraged to consult the original publication.
Dashboard on Large Cyberattacks in LAC, created by the Security Research Hub.
Introduction
Cybersecurity has become a critical concern in Latin America due to the rapid increase in cyber threats. The region's cybersecurity market is expected to grow from $8.92 billion USD in 2024 to $12.48 billion USD by 2029, with a compound annual growth rate of 6.95%. Latin America is an attractive target for cybercriminals, with an estimated 12% of global cyberattacks occurring in the region. Brazil, Mexico, and Argentina are among the most affected countries, with government agencies, industrial companies, and financial institutions being the primary targets. The impact of these attacks is significant, with 61% resulting in confidential government information leaks and 52% causing operational disruptions. The malware success rate in Latin America is 79%, considerably higher than the global average of 53%. Webshell, Bondat, and Coinminer are among the most detected malware types, while WannaCry remains a prominent ransomware threat. The annual cost of cyberattacks in Latin America is projected to exceed $90 million USD by 2025, with an average of more than 18.5 million attacks per year. Despite these challenges, many Latin American countries lack comprehensive national cybersecurity policies and strategies. Only 7 out of 33 countries in the region have plans to protect their critical infrastructure against cyberattacks, and only 20 have Computer Security Incident Response Teams (CSIRTs). This lack of preparedness, combined with insufficient governmental responses, has led to Latin America being categorized as a 'gray area' in global cybersecurity.
Ransomware gangs and hacktivist groups such as ALPHV/BlackCat, LockBit 2.0, and Guacamaya have emerged as the main perpetrators of cyberattacks against government institutions in the region.
Methodology of Social Network Analysis
Social Network Analysis (SNA) was applied to investigate the operational dynamics of several ransomware gangs and hacktivist groups active in Latin America. The study covered the ransomware gangs ALPHV/BlackCat, Conti, LockBit 2.0, BlackByte and BlackHunt, the hacktivist group SiegedSec (which also uses ransomware tactics), and the hacktivist group Guacamaya.
Data collection involved multiple cybersecurity-specialized sources, including grey literature, technical reports, news articles, researchers' blogs, and ransomware incident databases. The researchers ensured data integrity and accuracy through source triangulation.
The analysis process involved coding the collected data to standardize entity names and relationships, creating a structured database for analysis. Key network metrics such as centrality, density, and modularity were calculated to identify important nodes and understand the network structure and dynamics. This approach allowed for a comprehensive examination of the relationships and operational patterns within these cybercriminal groups.
For ransomware gangs, nodes were classified into the following variables:
- Target: Represents the specific entities attacked by the ransomware gangs. Examples include government institutions, companies, etc.
- Country: Indicates the countries in which the target entities of the attacks are located.
- Tactic: Refers to the techniques employed by the ransomware gangs, such as data encryption and data exfiltration.
- Impact: Describes the effects of the attacks, including service interruption and data loss.
- Recovery: Includes actions taken to restore the affected systems and services.
- Time: Estimated time for recovery after the attack.
- Cost: Financial costs associated with the recovery from the attacks.
- Size: Size of the impact of the attack in terms of compromised data or systems.
- Severity: Degree of severity of the attack.
- Ransom: Information about the ransom demanded and paid.
For the hacktivist group Guacamaya, nodes were classified into the following variables:
- Hacktivist: Represents the group Guacamaya.
- Institution: Includes government institutions and corporations exposed by the hacktivists.
- Media: Media outlets that have reported or disseminated the leaked information.
- Individual: Specific individuals involved in the leaks, both victims and perpetrators.
- Justice: Judicial and law enforcement entities related to the leak cases.
- Country: Countries where the target entities of the leaks are located.
The results of the SNA provided a clear view of the operational dynamics of the ransomware gangs and the hacktivist group. While ransomware gangs such as ALPHV/BlackCat, Conti, and LockBit 2.0 are financially motivated and rely on extortion and data encryption, the Guacamaya group pursues ideological objectives, seeking to expose corruption and promote social justice by leaking sensitive information. This difference in motivation and tactics matters for the design of effective cybersecurity strategies and incident response plans: a ransomware victim must plan for restoration and for the leak threat, whereas a hacktivist victim has no ransom to negotiate and must plan for disclosure.
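The metrics named in the methodology (centrality, density, modularity) are cheap to compute once the coded data is a graph. The following is an added, pure-standard-library example, not the study's own tooling or dataset: the edge list uses entities and relationships the page states (ALPHV/BlackCat hit the Ecuadorian Army and PriceSmart; Conti hit Costa Rica's Ministry of Finance and Ministry of Education; both gangs use exfiltration and encryption), with nodes typed as gang, target, country or tactic as in the coding scheme, and the partition used for modularity is one illustrative choice. Degree centrality is the simplest centrality measure; the study does not say which variant it used.

```python
"""Toy SNA over a gang/target/country/tactic graph (added illustration, pure stdlib)."""

# Constructed edge list. The entities and relationships appear on the page, but
# this is an illustration, not the study's coded database.
EDGES = [
    ("ALPHV/BlackCat", "Ecuadorian Army"),        # gang -> target
    ("ALPHV/BlackCat", "PriceSmart"),
    ("ALPHV/BlackCat", "data exfiltration"),      # gang -> tactic
    ("ALPHV/BlackCat", "data encryption"),
    ("Ecuadorian Army", "Ecuador"),               # target -> country
    ("PriceSmart", "Costa Rica"),
    ("Conti", "Ministry of Finance (CR)"),
    ("Conti", "Ministry of Education (CR)"),
    ("Conti", "data exfiltration"),
    ("Conti", "data encryption"),
    ("Ministry of Finance (CR)", "Costa Rica"),
    ("Ministry of Education (CR)", "Costa Rica"),
]

# One candidate partition (hypothetical): each gang with its own victims, and the
# nodes both gangs touch (shared tactics, shared country) as a third community.
PARTITION = {
    "ALPHV/BlackCat": "alphv", "Ecuadorian Army": "alphv",
    "PriceSmart": "alphv", "Ecuador": "alphv",
    "Conti": "conti", "Ministry of Finance (CR)": "conti",
    "Ministry of Education (CR)": "conti",
    "data exfiltration": "shared", "data encryption": "shared", "Costa Rica": "shared",
}


def build_graph(edges):
    """Undirected adjacency: node -> set of neighbours."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def edge_count(adj):
    return sum(len(nb) for nb in adj.values()) / 2


def density(adj):
    """Fraction of possible node pairs that are actually connected."""
    n = len(adj)
    return 2 * edge_count(adj) / (n * (n - 1)) if n > 1 else 0.0


def degree_centrality(adj):
    """Degree normalised by the maximum possible degree (n - 1)."""
    n = len(adj)
    return {v: len(nb) / (n - 1) for v, nb in adj.items()}


def modularity(adj, partition):
    """Newman modularity Q for a node -> community mapping: for each community,
    (internal edges / m) minus (sum of member degrees / 2m)^2."""
    m = edge_count(adj)
    q = 0.0
    for comm in set(partition.values()):
        members = [v for v in adj if partition[v] == comm]
        degree_sum = sum(len(adj[v]) for v in members)
        internal = sum(1 for v in members for u in adj[v] if partition[u] == comm) / 2
        q += internal / m - (degree_sum / (2 * m)) ** 2
    return q


def top_nodes(scores, k):
    """Highest-scoring nodes; ties broken alphabetically so output is stable."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:k]


if __name__ == "__main__":
    g = build_graph(EDGES)
    print(f"nodes={len(g)} edges={edge_count(g):.0f} density={density(g):.3f}")
    for node, score in top_nodes(degree_centrality(g), 3):
        print(f"  {score:.3f}  {node}")
    print(f"modularity(PARTITION)={modularity(g, PARTITION):.4f}")
```

In this toy graph the two gangs rank first on degree centrality, but "Costa Rica" and the two tactic nodes are the only links between the two gang communities; that is the kind of bridging node SNA is meant to surface, and the near-zero modularity of the partition shows the shared nodes prevent a clean split.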
ALPHV/BlackCat
ALPHV/BlackCat has emerged as one of the most sophisticated and dangerous ransomware groups and has been particularly active in Latin America. The group debuted in late 2021 and quickly gained notoriety for writing its payload in Rust, which makes the ransomware fast and portable across platforms and complicates analysis by security researchers. Operating on a Ransomware-as-a-Service (RaaS) model, ALPHV has expanded its reach by letting affiliates use its infrastructure in exchange for a share of the profits. In Latin America, ALPHV typically gains initial access through internet-exposed services such as VPN appliances and Remote Desktop Protocol (RDP), exploiting unpatched vulnerabilities or valid credentials. Once inside a network, the attackers deploy tools for privilege escalation and lateral movement until they control the critical systems. A hallmark of ALPHV's strategy is exfiltrating data before encrypting it, so that victims still face public disclosure of confidential information even when they can restore from backups. ALPHV has targeted a wide range of sectors in Latin America, including government services, healthcare, and education. Notable attacks include the compromise of the Ecuadorian Army's critical systems and the attack on PriceSmart in Costa Rica. These incidents caused significant operational disruptions, compromised sensitive data, and demonstrated the group's ability to adapt quickly to its targets' defenses. In response, U.S. agencies such as CISA and the FBI have issued specific recommendations to mitigate ALPHV/BlackCat, emphasizing proactive measures such as robust backup strategies (with offline copies), prompt patching, and regular cybersecurity training for personnel to raise awareness of common entry methods such as phishing.
The agencies also suggest continuous network monitoring for suspicious activities and the implementation of incident response capabilities that allow for quick reactions to any detected threats.
Furthermore, the adoption of multi-factor authentication (MFA) for all accounts, especially those with access to critical systems, is recommended. Collaboration with authorities and the immediate reporting of any ransomware incidents are also crucial actions to help stop the spread and impact of future attacks by ALPHV/BlackCat.
Moreover, the private sector has developed specific tools and services to detect and mitigate ALPHV attacks. Endpoint detection and response (EDR) technologies and security information and event management (SIEM) solutions can identify behavioral patterns associated with ALPHV, enabling a faster and more effective response.
SNA of ALPHV/BlackCat Operations in Latin America.
LockBit 2.0
LockBit 2.0 has established itself as one of the most prominent and effective ransomware threats globally, with a significant impact on Latin America. The ransomware employs sophisticated tactics to compromise its targets, including exploiting vulnerabilities in widely used software, using advanced tools for privilege escalation and lateral movement, and employing a double extortion approach. LockBit 2.0 stands out for its ability to quickly identify and exploit new vulnerabilities, its efficiency in network infiltration, and its focus on data exfiltration before encryption. Operating under a Ransomware-as-a-Service (RaaS) model, LockBit 2.0 offers its affiliates a user-friendly toolkit and continuous support, enabling even inexperienced cybercriminals to carry out effective attacks. The ransomware incorporates various techniques to evade detection, including code obfuscation, detection of virtual environments and sandboxes, and continuous updates to enhance its evasion capabilities. Since December 2021, LockBit 2.0 has targeted a wide range of sectors in Latin America, causing significant disruptions and compromising sensitive data in countries such as Brazil, Mexico, Ecuador, Argentina, and Costa Rica. Responses to LockBit 2.0 attacks in Latin America have varied, generally involving the mobilization of incident response teams and collaboration with international cybersecurity agencies. CISA and the FBI have issued multiple alerts and guidelines on how to protect against LockBit 2.0, recommending the implementation of advanced security solutions, continuous staff training, and the adoption of incident response strategies. For containment, the use of endpoint detection and response (EDR) technologies and security information and event management (SIEM) solutions is crucial to identify behavioral patterns associated with LockBit 2.0 and allow for a rapid and effective response to security incidents.
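Both the ALPHV/BlackCat and LockBit 2.0 sections say EDR and SIEM tooling can flag the behavioural pattern these groups share: bulk data leaving the network, then mass encryption, often with defensive services stopped in between. The block below is an added example of what that correlation looks like as code; it is not a product rule or anything from the original page. The event schema, the thresholds (5 GiB outbound within an hour, 200 files rewritten under one new extension within ten minutes), the service names on the watchlist, the `.locked` extension and the timeline are all constructed for the illustration, and "internal" is assumed to mean RFC 1918 address space.

```python
"""Correlate constructed endpoint/network events into the exfiltrate-then-encrypt
sequence the page attributes to ALPHV/BlackCat and LockBit 2.0 (added illustration)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from pathlib import PurePosixPath


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str        # "net_out" | "file_write" | "service_stop"
    detail: str      # destination IP, file path, or service name
    size: int = 0    # bytes transferred, for net_out only


# Hypothetical thresholds; a real deployment tunes these to the environment's baseline.
EXFIL_BYTES = 5 * 1024 ** 3            # 5 GiB outbound to non-RFC1918 space ...
EXFIL_WINDOW = timedelta(hours=1)      # ... within one hour
ENCRYPT_FILES = 200                    # 200 files rewritten with one new extension ...
ENCRYPT_WINDOW = timedelta(minutes=10)  # ... within ten minutes
SECURITY_SERVICES = {"edr-agent", "antivirus"}   # assumed names of defensive services
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(dest):
    addr = ip_address(dest)
    return not any(addr in net for net in INTERNAL_NETS)


def first_window_hit(items, window, threshold):
    """items: (ts, weight) pairs sorted by ts. Return the earliest ts at which the
    weight summed over the trailing `window` reaches `threshold`, else None."""
    total, left = 0, 0
    for ts, weight in items:
        total += weight
        while items[left][0] < ts - window:   # evict events that fell out of the window
            total -= items[left][1]
            left += 1
        if total >= threshold:
            return ts
    return None


def host_stages(evs):
    """Return [(stage_name, first_seen_ts), ...] for one host, in time order."""
    evs = sorted(evs, key=lambda e: e.ts)
    stages = []
    # Stage 1: bulk outbound transfer to external space (exfiltration before encryption).
    outbound = [(e.ts, e.size) for e in evs if e.kind == "net_out" and is_external(e.detail)]
    ts = first_window_hit(outbound, EXFIL_WINDOW, EXFIL_BYTES)
    if ts is not None:
        stages.append(("exfiltration", ts))
    # Stage 2: many files rewritten under a single new extension in a short window.
    by_ext = defaultdict(list)
    for e in evs:
        if e.kind == "file_write":
            by_ext[PurePosixPath(e.detail).suffix].append((e.ts, 1))
    hits = []
    for ext, items in by_ext.items():
        ts = first_window_hit(items, ENCRYPT_WINDOW, ENCRYPT_FILES)
        if ts is not None:
            hits.append(ts)
    if hits:
        stages.append(("encryption", min(hits)))
    # Stage 3: defensive tooling stopped.
    for e in evs:
        if e.kind == "service_stop" and e.detail.lower() in SECURITY_SERVICES:
            stages.append(("defense_tamper", e.ts))
            break
    return sorted(stages, key=lambda s: s[1])


def severity(stages):
    names = {name for name, _ in stages}
    if {"exfiltration", "encryption"} <= names:
        return "critical"   # double-extortion sequence: data staged for leaking, then encrypted
    if "encryption" in names:
        return "high"
    return "medium" if names else None


def detect(events):
    """host -> {"stages": [...], "severity": ...} for every host with at least one stage."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    findings = {}
    for host, evs in by_host.items():
        stages = host_stages(evs)
        if stages:
            findings[host] = {"stages": stages, "severity": severity(stages)}
    return findings


def sample_events():
    """Constructed timeline: one host sends 6 GiB out, stops the EDR agent, then
    rewrites 250 files as .locked; a second host shows only routine activity."""
    t0 = datetime(2024, 1, 1, 2, 0)
    evs = [Event(t0 + timedelta(minutes=5 * i), "srv-fin-01", "net_out", "203.0.113.10", 1024 ** 3)
           for i in range(6)]
    evs.append(Event(t0 + timedelta(minutes=40), "srv-fin-01", "service_stop", "edr-agent"))
    evs += [Event(t0 + timedelta(minutes=45, seconds=i), "srv-fin-01", "file_write",
                  f"/srv/share/doc{i}.xlsx.locked") for i in range(250)]
    evs += [Event(t0 + timedelta(minutes=10 * i), "ws-hr-07", "net_out", "10.20.0.5", 512 * 1024 ** 2)
            for i in range(4)]   # internal backup traffic
    evs += [Event(t0 + timedelta(minutes=i), "ws-hr-07", "file_write", f"/home/user/report{i}.docx")
            for i in range(50)]  # ordinary document edits
    return evs


if __name__ == "__main__":
    for host, f in detect(sample_events()).items():
        print(host, f["severity"], [(s, ts.strftime("%H:%M:%S")) for s, ts in f["stages"]])
```

The value of the correlation is the ordering: an exfiltration stage that precedes encryption means the leak threat is already real regardless of how good the backups are, which is why the page's advice to report immediately and to plan for disclosure applies even when restoration succeeds. Note that the documentation range 203.0.113.0/24 counts as external here only because the check is an explicit RFC 1918 test; Python's `ip_address(...).is_private` treats that range as private and would silently suppress the exfiltration stage.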
SNA of LockBit 2.0 Operations in Latin America
BlackByte
BlackByte is a sophisticated ransomware group that targets corporate and governmental networks using a multi-step attack process. They typically gain initial entry through phishing emails containing malicious attachments or links, as well as by exploiting known vulnerabilities in systems. Once they infiltrate a network, they install backdoors for remote access and use advanced tools to move laterally through the network while conducting thorough reconnaissance. A key part of BlackByte's strategy is stealing sensitive data before encryption, which serves as leverage during ransom negotiations. The group threatens to publish this data if their demands are not met. The final stage of their operation involves disabling security systems, encrypting critical files using strong algorithms, and leaving a ransom note with payment instructions. They may also provide samples of the stolen data as proof of their access to sensitive information. BlackByte has successfully targeted several Latin American entities, including the Office of the Comptroller General of Peru in May 2022, where they accessed and partially published sensitive government data. Other notable attacks include the Banco de Brasil, where critical data was exfiltrated and services disrupted, and the Court of Justice of Rio Grande do Sul, which experienced a complete lockdown of its applications and databases. In Mexico, the Municipality of Chihuahua was compromised, resulting in significant data loss and disruption of essential municipal services. These incidents highlight BlackByte's ability to infiltrate critical infrastructure and government networks across the region, exposing cybersecurity vulnerabilities that need to be addressed.
SNA of BlackByte Operations in Latin America
SiegedSec
SiegedSec is a hacktivist group that emerged during the Russian invasion of Ukraine in early 2022, quickly establishing itself as a prolific data leaker. Led by a hacktivist known as "YourAnonWolf," the group has rapidly expanded its operations, targeting countries across the globe including the United States, Colombia, India, China, Belgium, Indonesia, South Africa, the Philippines, Italy, and Taiwan. Their attacks have primarily focused on sectors such as government, telecommunications, finance, professional services, manufacturing, insurance, healthcare, and retail. In Mexico, SiegedSec launched a series of high-profile attacks against major telecommunications companies associated with Grupo Televisa, the country's largest media conglomerate. On January 15, 2023, they used ransomware tactics to compromise critical data and disrupt services at Televisa. This was followed by attacks on BesTel on February 10 and Izzi Telecom on March 20, both resulting in service disruptions and data breaches. These attacks demonstrated SiegedSec's ability to target and impact major corporations in Latin America. SiegedSec's operations extend beyond Mexico, as evidenced by their significant attack against the Colombian government on May 30, 2023. This attack, aimed at compromising sensitive government data, was a direct response to government policies and showcased the group's capacity to conduct large-scale operations across different Latin American countries. The group's tactics, particularly their use of ransomware, highlight their strategy of causing maximum disruption and extracting concessions from their targets. By encrypting critical data and threatening to publish sensitive information, SiegedSec aims to force cooperation and potentially obtain resources to further their ideological causes.
SNA of SiegedSec Operations in Latin America
BlackHunt
BlackHunt is a sophisticated ransomware variant that has evolved significantly since its emergence in 2022. Initially targeting small and medium-sized businesses, it has developed more advanced capabilities to attack high-profile targets, including government entities. BlackHunt's modus operandi focuses on data encryption and exfiltration of critical information, typically beginning with phishing emails to gain access to internal networks. Once a system is compromised, the ransomware encrypts critical files and extracts sensitive data, which is then used to demand ransoms and threaten disclosure. Paraguay has been one of BlackHunt's primary targets in Latin America, with attacks affecting both private companies and government entities. In a significant incident, BlackHunt compromised approximately 300 companies in Paraguay across critical sectors such as telecommunications, finance, and manufacturing. The Ministry of Defense was also attacked, disrupting critical services and compromising sensitive national security data. In Argentina, BlackHunt has mainly targeted government entities and key sectors like finance and healthcare, affecting several ministries and public agencies, including the Ministry of Health and the Ministry of Finance. Recovery from a BlackHunt attack is often complex and costly, with estimates ranging from $1 million to $5 million depending on the extent of the damage. Prevention and mitigation strategies require a multifaceted approach, including regular software updates, implementation of advanced detection and response solutions, employee training, regular backups, and network segmentation. These measures can help minimize the impact of an attack and allow organizations to quickly restore operations without paying the ransom.
SNA of BlackHunt Operations in Latin America
Conti Group
The Conti Group, which emerged in late 2019, became one of the most notorious and aggressive ransomware gangs operating against Latin America, with Costa Rica the most heavily affected country. Known for its double extortion tactics, Conti not only encrypts victims' data but also threatens to publish sensitive information if ransoms are not paid. The group's effectiveness stems from its sophisticated infrastructure and rapid attack execution, affecting various industries and governments across the region. Latin America has been a frequent Conti target because of widespread vulnerabilities and a lack of cybersecurity preparedness in many organizations. In 2022, Costa Rica suffered a series of attacks that paralyzed essential government services. The attacks began in April when the Ministry of Finance was hit, compromising critical fiscal and financial data and disrupting tax collection, and spread to the Ministry of Education and other public bodies. In May the Costa Rican Social Security Fund was also hit, compromising patients' personal and medical data and affecting hospital operations; that intrusion was publicly attributed to the Hive ransomware group rather than to Conti, but it is generally treated as part of the same crisis. Faced with this cascade of attacks, President Rodrigo Chaves declared the country "at war" against Conti and declared a national state of emergency, which allowed the mobilization of additional resources and improved international cooperation in cybersecurity. Conti's ransomware is characterized by strategic victim selection, sophisticated encryption, and evasion techniques. The group often exploits known software vulnerabilities or uses phishing campaigns to gain initial access, and its ability to move laterally within compromised networks lets it maximize damage before detection. The impact of Conti's attacks in Latin America has been profound, forcing affected organizations to invest significantly in recovery and improved cyber defenses.
Other Latin American countries like Argentina and Colombia have also suffered Conti attacks on their healthcare and telecommunications sectors. These incidents have highlighted the urgent need to improve cyber defenses across the region and have prompted governments to reconsider their cybersecurity strategies and increase international collaboration.
SNA of Conti Operations in Latin America
Guacamaya Group
The hacktivist group Guacamaya has emerged as a significant actor in the cybersecurity landscape of Latin America, carrying out high-profile operations against governments and state entities. Their activities have exposed questionable government practices and had significant repercussions on human rights issues, freedom of expression, and government transparency in the region. Guacamaya has focused its attacks on several Latin American countries, including Mexico, Chile, Colombia, Guatemala, and Brazil, typically infiltrating government systems and leaking sensitive documents. The group's primary motivation is to denounce corruption, abuse of power, and human rights violations perpetrated by states. Their leaks have profoundly impacted public perception of human rights in the region, often revealing systematic violations and questioning the legitimacy of governmental actions. In many cases, governments have been forced to launch internal investigations to determine the source of the leaks and improve their cybersecurity policies. In Mexico, Guacamaya conducted one of its most impactful operations by infiltrating the systems of the Secretariat of National Defense (SEDENA), resulting in a leak of approximately 6 terabytes of data. This data included emails and internal documents detailing security projects and communications between high-ranking officials, revealing SEDENA's involvement in espionage activities against journalists and activists. The leaks prompted public outrage and scrutiny, leading President Andrés Manuel López Obrador to address the implications while also facing scrutiny regarding his own sensitive information that was leaked. The repercussions in Mexico varied, with the National Institute of Transparency considering an investigation, while SEDENA showed resistance to transparency by postponing meetings with legislators.
In Chile, Guacamaya targeted the Joint Chiefs of Staff, exposing over 400,000 sensitive emails that revealed exorbitant military expenses and monitoring of social organizations. The political fallout included the resignation of the Chief of Staff and a review of protest control policies, emphasizing the need for more transparent strategies. The Chilean response was more proactive compared to Mexico, with immediate measures to address the implications of the leaks in the country's Congress and ensure the integrity of security institutions. The exposure of these emails not only affected public trust in the armed forces but also highlighted the importance of oversight and control over state surveillance activities.
In Colombia, Guacamaya leaked critical data from the Attorney General's Office and the General Command of the Military Forces, jeopardizing the security of undercover agents and revealing connections to the Odebrecht scandal, which increased public distrust in justice institutions. Additionally, the leaks revealed contacts between the Attorney General's Office and high-ranking officials involved in the Odebrecht scandal, contradicting official statements denying such connections. This revelation has questioned the transparency and integrity of justice institutions in Colombia, increasing public distrust of these entities. The leaks have also exacerbated tensions between Colombia and the United States, a strategic ally in the fight against drug trafficking. Disclosing sensitive joint operations information and judicial assistance requests has jeopardized bilateral cooperation on security and justice issues. The lack of adequate data protection measures has highlighted the urgent need to improve cybersecurity policies in Colombia to prevent future leaks and protect sensitive information.
In Guatemala, Guacamaya exposed critical information related to the Fenix Project, a nickel mining venture operated by the Solway Investment Group, a Swiss-based conglomerate of Russian origin. The leaks revealed the Fenix Project's connection to corrupt practices and human rights violations, including allegations of bribery and violent repression of local opposition. These revelations highlighted the complicity between mining corporations and state security forces in repressing indigenous communities opposing mining operations. The environmental impact of the Fenix Project was also a central issue in the leaks. The information revealed unsustainable practices and a lack of adequate measures to mitigate environmental damage, exacerbating tensions with local communities and environmental activists. The disclosure of these issues underscored the need for stricter regulations and greater corporate responsibility to protect the rights and well-being of affected communities.
In Peru, the primary target of the leaks was the Joint Command of the Armed Forces (CCFFAA). In total, about 100 gigabytes of data, roughly 283,000 emails, were leaked, severely affecting public perception of national security and the integrity of Peruvian armed institutions. Among the exposed data were intelligence reports containing details about the surveillance of leftist political parties and social organizations, which the armed forces considered threats to the democratic state. The affected organizations and parties include Patria Roja, Frente Amplio, Tierra y Libertad, and other entities labeled as "front organizations" of the Shining Path, an armed group that unleashed violence in Peru during the 1980s and 1990s. A critical aspect of the leaks was the revelation of alleged links between the Peruvian Army Weapons and Ammunition Factory (FAME) and the trafficking of ammunition to Ecuador and Colombia. Although FAME has denied these accusations, the leaks cast doubt on the integrity of the institution's operations and highlighted the need for greater oversight and control over the production and distribution of weaponry. Another sensitive issue revealed in the leaks was the Peruvian Army's plan in the event of a war with Chile. The emails contain details about military strategies, decoy sub-operations, and the use of road and communication infrastructure.
In Brazil, Guacamaya leaked emails from the mining company Tejucana, revealing environmental impacts and corrupt practices, leading to increased scrutiny from local authorities and the National Mining Agency. Revelations about Tejucana's practices have generated great concern among local communities and environmental advocates in Brazil. The email leaks highlighted the company's lack of responsibility and poor practices, exacerbating tensions between affected communities and the company. Public perception of the company was severely affected, leading to a widespread call for greater oversight and regulation of mining activities in the country.
SNA of Guacamaya Operations in Latin America
Recommendations
To counter these ever-growing cyber threats, Latin American governments, with the support of SOUTHCOM and the U.S. Government, should implement actions such as:
1. Implementation of Cybersecurity Strategies
- Recommendation for the governments in the region: Latin American governments should develop and implement comprehensive cybersecurity strategies that encompass the prevention, detection, and response to cyber incidents. This includes regularly updating systems, implementing advanced detection and response solutions, and continuously training personnel.
- Recommendation for SOUTHCOM and the U.S. Government: Support Latin American countries in creating and strengthening their cybersecurity strategies through training programs, technical knowledge exchange, and the provision of advanced technologies that facilitate the prevention and response to cyber incidents.
2. Strengthening International Cooperation in Cybersecurity
- Recommendation for the governments in the region: Latin American countries should closely collaborate with international organizations such as the OAS and the Forum of Incident Response and Security Teams (FIRST) to share information, best practices, and coordinate responses to cyberattacks. Forming alliances with countries that have greater cybersecurity expertise is crucial for strengthening regional defenses.
- Recommendation for SOUTHCOM and the U.S. Government: Foster bilateral and multilateral cooperation in cybersecurity with Latin American governments, providing technical support and strategic advice for the implementation of security standards and the coordination of efforts in the region.
3. Investment in Critical Cybersecurity Infrastructure
- Recommendation for the governments in the region: Latin American governments should invest in improving their critical cybersecurity infrastructure, including implementing regular backups, network segmentation, multi-factor authentication, and robust encryption to protect data and systems. Regular risk assessments and security audits should also be conducted to identify and mitigate vulnerabilities.
- Recommendation for SOUTHCOM and the U.S. Government: Provide technical and financial assistance for improving critical infrastructure in Latin America, particularly in vulnerable sectors such as government, health, and energy, which are frequently targeted by cyberattacks.
4. Regular Cybersecurity Training for All Personnel
- Recommendation for the governments in the region: Governments should increase awareness of common attack methods, such as phishing, and educate on best cybersecurity practices to significantly reduce the risk of incidents. Preparing personnel to identify and respond to threats is key to improving organizational resilience.
- Recommendation for SOUTHCOM and the U.S. Government: Develop cybersecurity training programs aimed at key personnel in Latin America, both in the public and private sectors, to enhance the region's ability to detect and respond to cyber threats.
5. Establishment of Computer Security Incident Response Teams (CSIRTs)
- Recommendation for the governments in the region: Establish CSIRTs in all countries of the region to ensure a rapid and coordinated response to any detected threat. These teams should be trained to handle cyber incidents, minimize the impact of attacks, and restore normal operations quickly.
- Recommendation for SOUTHCOM and the U.S. Government: Support the creation and strengthening of CSIRTs in Latin America by providing advanced cybersecurity tools, specialized training, and establishing communication channels for a coordinated response between countries.
6. Development of Clear and Effective Ransomware Response Policies
- Recommendation for the governments in the region: Develop clear ransomware response policies that include creating contingency plans and disaster recovery procedures. It is essential to avoid paying ransoms and seek alternatives for data recovery and system restoration without funding criminal activities.
- Recommendation for SOUTHCOM and the U.S. Government: Collaborate with Latin American governments to develop ransomware response policies and protocols, sharing best practices and previous experiences in managing ransomware incidents.
7. Enactment and Enforcement of Effective Laws Against Ransomware and Hacktivism
- Recommendation for the governments in the region: Update legal frameworks to reflect the current realities of cyber threats, ensuring that penalties are sufficiently deterrent. International legal cooperation is also vital to pursue and prosecute transnational cybercriminals, ensuring a globally coordinated response to these threats.
- Recommendation for SOUTHCOM and the U.S. Government: Promote the creation of robust legal frameworks in Latin America against ransomware and hacktivism, providing legal advice and support in implementing effective legislation, as well as facilitating international judicial cooperation to pursue cybercriminals.