Sicoob Bank Hit by Major Ransomware Attack, 1TB of Data Compromised

Incident Date:

June 30, 2024

World map



Sicoob Bank Hit by Major Ransomware Attack, 1TB of Data Compromised


Sicoob Bank




Brasília, Brazil

, Brazil

First Reported

June 30, 2024

Sicoob Bank Targeted by RansomHub Ransomware Attack

Overview of Sicoob Bank

Sicoob Bank, officially known as Confederação Nacional das Cooperativas do Sicoob Ltda., is the largest cooperative financial system in Brazil. With over 7.6 million members and more than 4,500 service points across the country, Sicoob operates on a cooperative model, meaning it is owned and controlled by its members. This structure allows for a community-focused approach to banking, where profits are reinvested into the cooperative or distributed among members.

Sicoob offers a comprehensive suite of financial products and services, including savings and checking accounts, loans, credit cards, investment options, insurance, and payment services. The cooperative places a strong emphasis on financial inclusion, aiming to provide services to underserved populations, including small businesses and rural communities. Additionally, Sicoob is committed to technology and innovation, offering digital banking services through its website and mobile app.

Details of the Ransomware Attack

RansomHub, a relatively new ransomware group, has claimed responsibility for a significant cyberattack on Sicoob Bank. The attackers assert that they have accessed over 1 TB of sensitive data, including NDA documents, personal data of customers and employees, financial data, company resource access information, departmental developments, IT product source codes, databases, and confidential financial information. The breach reportedly originated from a local cooperative within Sicoob's system.

In response to the attack, Sicoob has activated its security protocols, involved law enforcement, and launched a detailed investigation. Despite the breach, Sicoob assures that core financial operations and customer services remain unaffected. The RansomHub group has issued a 72-hour ultimatum for Sicoob to contact them, threatening to publicly release the stolen data, launch repeated attacks, sell infrastructure information, and compromise ATMs and customer funds if their demands are not met.

Profile of RansomHub

RansomHub is a new entrant in the cyber threat landscape, believed to have roots in Russia. The group operates as a Ransomware-as-a-Service (RaaS) entity, with affiliates receiving 90% of the ransom money and the remaining 10% going to the main group. RansomHub has targeted various countries, including the US, Brazil, Indonesia, and Vietnam, without following a specific pattern. Healthcare-related institutions are among their listed victims.

Potential Vulnerabilities and Penetration Methods

While the exact method of penetration used by RansomHub in the Sicoob attack is not publicly detailed, common vulnerabilities in financial institutions include outdated software, insufficient employee training on phishing and social engineering attacks, and inadequate network segmentation. Given RansomHub's use of Golang, it is possible that they exploited specific vulnerabilities in Sicoob's IT infrastructure or leveraged social engineering tactics to gain initial access.

Financial institutions like Sicoob, which handle vast amounts of sensitive data, are prime targets for ransomware groups. The cooperative's extensive network of local branches and emphasis on digital banking services may have presented multiple entry points for the attackers. Ensuring robust cybersecurity measures and regular security audits are critical for such organizations to mitigate the risk of ransomware attacks.


Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.