Braspress Hit by Akira Ransomware, Disrupting 280 Servers

Incident Date: July 31, 2024

Overview

Victim: BRASPRESS

Attacker: Akira

Location: Manaus, Brazil

First Reported: July 31, 2024

Ransomware Attack on Braspress by Akira Group

Braspress, a leading logistics and transportation company in Brazil, has recently fallen victim to a ransomware attack orchestrated by the Akira ransomware group. The breach, detected on July 7, 2024, compromised 280 servers within the company's data center, significantly disrupting operations across its extensive network.

About Braspress

Braspress Transportes Urgentes Ltda., commonly known as Braspress, is a prominent player in the Brazilian logistics sector. The company operates an extensive network for both road and air transportation, facilitating the swift movement of goods across Brazil and internationally. With 106 branches and a modern fleet of nearly three thousand trucks, Braspress is recognized for its efficiency and reliability in handling urgent deliveries, including specialized services for pharmaceutical products.

Braspress stands out in the industry due to its commitment to environmental sustainability, having achieved ISO 14001 certification. The company also invests significantly in technology and security, with advanced systems such as a state-of-the-art Data Center and automated sorting technologies. Despite these measures, the company was not immune to the sophisticated tactics employed by the Akira ransomware group.

Attack Overview

The ransomware attack by Akira was publicly claimed on July 31, 2024. The incident affected nearly 3,000 trucks and 9,000 employees across 114 branches nationwide. In response, Braspress took its operational systems offline and has been working to restore encrypted environments using backups made just minutes before the attack. Despite the extensive damage, Braspress has opted not to negotiate with the attackers. Company president Urubatan Helou has firmly stated his refusal to pay any ransom, acknowledging that the recovery process may take years.

About Akira Ransomware Group

Akira is a rapidly growing ransomware family that first emerged in March 2023. The group targets small to medium-sized businesses across various sectors, including government, manufacturing, technology, and pharmaceuticals. Akira employs double extortion tactics, stealing data before encrypting systems and demanding a ransom for both decryption and data deletion. The group is known for its unique dark web leak site with a retro 1980s-style interface and has been observed using tools like RClone, FileZilla, and WinSCP for data exfiltration.

Penetration and Impact

Akira's tactics include unauthorized access to VPNs, credential theft, and lateral movement to deploy the ransomware. The group has also been seen deploying a previously unreported backdoor. In April 2023, Akira expanded its operations to target Linux-based VMware ESXi virtual machines in addition to Windows systems. The attack on Braspress highlights the vulnerabilities even well-prepared companies face against sophisticated ransomware groups.
