Sicoob Bank Targeted by RansomHub Ransomware Attack

Overview of Sicoob Bank

Sicoob Bank, officially known as Confederação Nacional das Cooperativas do Sicoob Ltda., is the largest cooperative financial system in Brazil. With over 7.6 million members and more than 4,500 service points across the country, Sicoob operates on a cooperative model, meaning it is owned and controlled by its members. This structure allows for a community-focused approach to banking, where profits are reinvested into the cooperative or distributed among members.

Sicoob offers a comprehensive suite of financial products and services, including savings and checking accounts, loans, credit cards, investment options, insurance, and payment services. The cooperative places a strong emphasis on financial inclusion, aiming to provide services to underserved populations, including small businesses and rural communities. Additionally, Sicoob is committed to technology and innovation, offering digital banking services through its website and mobile app.

Details of the Ransomware Attack

RansomHub, a relatively new ransomware group, has claimed responsibility for a significant cyberattack on Sicoob Bank. The attackers assert that they have accessed over 1 TB of sensitive data, including NDA documents, personal data of customers and employees, financial data, company resource access information, departmental developments, IT product source codes, databases, and confidential financial information. The breach reportedly originated from a local cooperative within Sicoob's system.

In response to the attack, Sicoob has activated its security protocols, involved law enforcement, and launched a detailed investigation. Despite the breach, Sicoob assures that core financial operations and customer services remain unaffected. The RansomHub group has issued a 72-hour ultimatum for Sicoob to contact them, threatening to publicly release the stolen data, launch repeated attacks, sell infrastructure information, and compromise ATMs and customer funds if their demands are not met.

Profile of RansomHub

RansomHub is a new entrant in the cyber threat landscape, believed to have roots in Russia. The group operates as a Ransomware-as-a-Service (RaaS) entity, with affiliates receiving 90% of the ransom money and the remaining 10% going to the main group. RansomHub has targeted various countries, including the US, Brazil, Indonesia, and Vietnam, without following a specific pattern. Healthcare-related institutions are among their listed victims.

Potential Vulnerabilities and Penetration Methods

While the exact method of penetration used by RansomHub in the Sicoob attack is not publicly detailed, common vulnerabilities in financial institutions include outdated software, insufficient employee training on phishing and social engineering attacks, and inadequate network segmentation. Given RansomHub's use of Golang, it is possible that they exploited specific vulnerabilities in Sicoob's IT infrastructure or leveraged social engineering tactics to gain initial access.

Financial institutions like Sicoob, which handle vast amounts of sensitive data, are prime targets for ransomware groups. The cooperative's extensive network of local branches and emphasis on digital banking services may have presented multiple entry points for the attackers. Ensuring robust cybersecurity measures and regular security audits are critical for such organizations to mitigate the risk of ransomware attacks.

Sources

• Sicoob Official Website
• SOCRadar: Dark Web Profile - RansomHub
• Forbes: Sicoob
• LeadIQ: Sicoob
• BNamericas: Confederação Nacional das Cooperativas do Sicoob Ltda.
• Bloomberg: Sicoob Profile