LockBit Ransomware Hits ApexBrasil in Major Cybersecurity Breach

Incident Date: September 15, 2024

Overview

Victim: Apex Brasil

Attacker: Lockbit3

Location: Brasília, Brazil

First Reported: September 15, 2024

LockBit Ransomware Group Targets ApexBrasil in Major Cyber Attack

The ransomware group LockBit has claimed responsibility for a cyber attack on ApexBrasil, the Brazilian Trade and Investment Promotion Agency. The attack was announced on LockBit's dark web leak site, indicating a significant breach of the agency's data and systems.

About ApexBrasil

ApexBrasil, officially known as the Brazilian Trade and Investment Promotion Agency, was established in 1997. The agency operates as a non-profit entity under the supervision of Brazil's Federal Government and is linked to the Ministry of Foreign Affairs. ApexBrasil employs approximately 601 individuals and has an estimated annual revenue of around $100 million. The agency's primary mission is to promote Brazilian products and services internationally while attracting foreign direct investment (FDI) to strategic sectors of the Brazilian economy.

ApexBrasil supports over 15,000 Brazilian companies, primarily micro, small, and medium-sized enterprises, by organizing trade missions, business rounds, and international trade fair participation. The agency also provides market intelligence, training, and branding services to enhance the competitiveness of Brazilian businesses in global markets.

Details of the Attack

The ransomware attack on ApexBrasil was orchestrated by LockBit, a highly sophisticated ransomware-as-a-service (RaaS) group active since September 2019. LockBit is known for its modular ransomware, which keeps its payload encrypted until execution and uses a combination of RSA-2048 and AES-256 encryption algorithms. The group employs "double extortion" tactics, exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid.

LockBit's attack on ApexBrasil underscores the persistent threat posed by ransomware groups and highlights the critical need for advanced cybersecurity measures. The breach has compromised the organization's data and systems, adding ApexBrasil to LockBit's growing list of high-profile targets.

LockBit Ransomware Group

LockBit has become the most active ransomware group, responsible for over one-third of all ransomware attacks in the latter half of 2022 and the first quarter of 2023. The group distinguishes itself through its sophisticated encryption techniques and high ransom demands, typically ranging from several thousand to several hundred thousand dollars. LockBit exploits vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to spread quickly across a network.

Indicators of Compromise (IOCs) for LockBit include the creation of a mutual exclusion object (Mutex) when executed, the use of a unique icon, and changes to the victim's computer wallpaper. The ransomware accepts various command-line parameters to modify its behavior, such as spreading laterally via group policy or admin shares, rebooting into Safe Mode, and setting the wallpaper.
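As an added example (not part of the original report), the sketch below triages process-creation events for the command-line behaviours listed above. The switch names are taken from CISA advisory AA23-075A on LockBit 3.0, not from this page; the event field names and sample events are constructed assumptions.

```python
import shlex

# Switches documented for LockBit 3.0 in CISA advisory AA23-075A, mapped to
# the behaviours this page lists. They are not taken from the page itself.
BEHAVIOUR_FLAGS = {
    "-gspd": "lateral spread via group policy",
    "-psex": "lateral spread via admin shares",
    "-safe": "reboot into Safe Mode",
    "-wall": "set wallpaper",
}

def score_command_line(cmdline):
    """Return (behaviours, has_password) for one process command line."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = cmdline.split()
    behaviours, has_password = [], False
    for i, tok in enumerate(tokens[1:], start=1):
        flag = tok.lower()
        if flag in BEHAVIOUR_FLAGS:
            behaviours.append(BEHAVIOUR_FLAGS[flag])
        elif flag == "-pass" and i + 1 < len(tokens):
            # The advisory describes the launch password as a 32-character value.
            has_password = len(tokens[i + 1].strip('"')) == 32
    return behaviours, has_password

def triage(events):
    """Return (host, image, behaviours) for events worth an analyst's time."""
    hits = []
    for ev in events:
        behaviours, has_password = score_command_line(ev["cmdline"])
        # A lone "-safe" or "-wall" also appears in benign tools; require the
        # password switch plus a behaviour switch, or two behaviour switches.
        if (has_password and behaviours) or len(behaviours) >= 2:
            hits.append((ev["host"], ev["image"], behaviours))
    return hits

# Constructed process-creation events (not from any real incident).
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": r"C:\Users\Public\a1.exe",
     "cmdline": r"C:\Users\Public\a1.exe -pass 0123456789abcdef0123456789abcdef -psex"},
    {"host": "WS-014", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": r"bcdedit.exe /set {default} safeboot minimal"},
    {"host": "SRV-02", "image": r"C:\Tools\paint.exe",
     "cmdline": r"C:\Tools\paint.exe -wall C:\img\bg.png"},
    {"host": "SRV-02", "image": r"C:\ProgramData\x.exe",
     "cmdline": r"C:\ProgramData\x.exe -gspd -safe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Command-line matching only catches runs where the switches are visible in process telemetry, so it complements rather than replaces the mutex and wallpaper indicators.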

Potential Vulnerabilities

ApexBrasil's significant role in international trade and investment promotion makes it a prime target for ransomware groups like LockBit. The agency's extensive digital infrastructure, which supports over 15,000 companies, presents numerous potential entry points for cybercriminals. The attack on ApexBrasil highlights the importance of implementing advanced cybersecurity measures to protect against sophisticated ransomware threats.
