RansomHub Ransomware Attack on SP Mundi Câmbio: Data Breach & Cyber Threats

Incident Date: June 4, 2024

Overview

Title: RansomHub Ransomware Attack on SP Mundi Câmbio: Data Breach & Cyber Threats
Victim: SP Mundi Câmbio
Attacker: RansomHub
Location: São Paulo, Brazil
First Reported: June 4, 2024

RansomHub Ransomware Attack on SP Mundi Câmbio

Overview of SP Mundi Câmbio

SP Mundi Câmbio, a foreign exchange agency based in São Paulo, Brazil, specializes in the purchase and sale of foreign currencies. Accredited by the Central Bank of Brazil, the company offers a streamlined service where customers can buy and receive currencies at home, benefiting from competitive rates. Operating with a small team of 2-10 employees, SP Mundi Câmbio is known for its efficient quote simulation system and home delivery service.

Details of the Ransomware Attack

Recently, the ransomware group RansomHub has claimed responsibility for an attack on SP Mundi Câmbio. The attack reportedly resulted in the exfiltration of 8 GB of sensitive data, including customer information, documents, and operational data. The compromised databases contain names, documents, addresses, CPFs, phone numbers, and payment amounts. A sample of the leaked data has been published on RansomHub's dark web leak site.

About RansomHub

RansomHub is a relatively new player in the ransomware landscape, believed to have roots in Russia. It operates as a Ransomware-as-a-Service (RaaS) group: affiliates receive 90% of the ransom money, with the remaining 10% going to the main group. The group has targeted various countries, including the US, Brazil, Indonesia, and Vietnam, with a notable focus on healthcare institutions. RansomHub's ransomware strains are written in Golang, a trend that is gaining traction in the ransomware world.

Potential Vulnerabilities

Given SP Mundi Câmbio's small team size and the nature of its operations, it may have been an attractive target for ransomware groups like RansomHub. The company's reliance on digital systems for currency transactions and customer data management could have provided multiple entry points for cyber attackers. The exact method of penetration remains unclear, but common vectors include phishing emails, unpatched software vulnerabilities, and weak network security protocols.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and the most financially and informationally impactful, cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.