How Ransomware Has Become a Geopolitical Risk for Governments

For months, Western leaders have warned about the risk of military conflict in Ukraine spilling over into the rest of the world. Their fears may not yet have been directly realized, but several governments in Latin America have certainly begun to feel the impact. Emboldened cybercrime groups may be redefining acceptable targets, which has implications for governments everywhere.

Just the Beginning?

In the first half of 2022, Costa Rica, Peru, Mexico, Ecuador, Brazil and Argentina were all targeted by Russian-speaking cybercrime groups like Conti, ALPHV, LockBit 2.0 and BlackByte. All countries had publicly condemned Russia at the UN for invading Ukraine, and some voted to suspend the country from the UN Human Rights Council. Further tying these ransomware attacks to Russia, we noted an uptick in initial access broker (IAB) services on major Russian-language dark web and special access forums like XSS and Exploit. They have been advertising low-cost, compromised network access methods specifically related to entities in Latin America.

Among the organizations in the region targeted by threat actors were the secretary of state of finance in Rio de Janeiro, the municipality of Quito in Ecuador, the comptroller general of Peru, the Republic of Peru and Costa Rica. In Costa Rica, a national emergency was declared after the government branded a crippling attack an act of “cyber-terrorism.”

This represents a significant escalation in the severity of attacks targeting government organizations. Alongside K-12 education institutions, NGOs and healthcare organizations, governments have for a long time been off limits for ransomware affiliates keen to avoid stigmatization and the scrutiny of law enforcement. However, that stance appears to have shifted quite dramatically now, which could have implications for governments everywhere. If such groups now feel emboldened to target any nation critical of Russia, we could see a dramatic uptick in global incidents.

How Were They Hit?

Most of those organizations targeted in this first wave of Latin American attacks appear to have been hit after threat actors got hold of compromised credential pairs and session cookies. These are usually…