Search This Blog

Showing posts with label Brazil. Show all posts

REvil Hits Brazilian Healthcare Giant Grupo Fleury


São Paulo-based medical diagnostic firm Grupo Fleury has suffered a ransomware attack that has impaired business operations after the company shut down its systems. On the 22nd of June, the company website began displaying an alert message, alerting to the fact that its systems were suffering an attack and are no longer accessible.

Brazilian healthcare giant provides medical laboratory services across the nation with over 200 service centers and more than 10,000 employees. The company performs approximately 75 million clinical exams in a year.

"Please be advised that our systems are currently unavailable and that we are prioritizing the restoration of services. The causes of this unavailability originated from the attempted external attack on our systems, which are having operations reestablished with all the resources and technical efforts for the rapid standardization of our services," read the message translated into English. 

With their systems being knocked down, patients are unable to book appointments for labs and other medical examinations online. Since the announcement, multiple cybersecurity sources have confirmed that Grupo Fleury suffered an attack by the ransomware operation known as REvil, also known as Sodinokibi. 

“The Healthcare industry and healthcare supply chain are both one of the top three targeted sectors worldwide. Additionally, REvil are launching a lot of attacks at the moment, having hit a maritime organization in Brazil earlier this month,” Andy Norton, European cyber risk officer at Armis, stated.

The fact that Grupo Fleury's data is of significant concern as it contains enormous amounts of personal and medical data of patients, REvil is demanding $5 million for the decryptor key and the assurance that no vital information will be leaked online. REvil is known for exfiltrating data before encrypting devices and then using the stolen information as leverage to extort money from the company.

“In a previous statement made to the Russian-OSINT Telegram channel, a REvil representative stated that they were targeting Brazil for revenge. However, it is not known what that revenge is for. REvil is known for exfiltrating data and the data could include personally identifiable information and sensitive medical information of their patients and staff, which could be detrimental for the organization,” Jamie Hart, cyber threat intelligence analyst at digital risk protection company Digital Shadows Ltd, said.

Prior to this attack, JBS Foods, the world’s largest meat producer, was the victim of a REvil ransomware attack. JBS paid a ransom of $11 million in order to keep their stolen information from being leaked online. REvil has targeted numerous high-profile organizations, including Brazil's the Rio Grande do Sul court system, nuclear weapons contractor Sol Oriens.

Brazilian Cybercriminals Created Fake Accounts for Uber, Lyft and DoorDash


According to a recent report by the Federal Bureau of Investigation (FBI), a Brazilian organization is planning to defraud users of digital networks such as Uber, Lyft, and DoorDash, among others. According to authorities, this group may have used fake IDs to build driver or delivery accounts on these sites in order to sell them to people who were not qualified for the companies' policies. 

This scam may have also included the use of GPS counterfeiting technologies to trick drivers into taking longer trips and earning more money. Furthermore, the Department of Justice (DOJ) states that this organization would have begun operations in 2019 and would have expanded its operations after the pandemic paralyzed many restaurants and supermarkets. 

The gang, which worked mainly in Massachusetts but also in California, Florida, and Illinois, communicated through a WhatsApp group called "Mafia," where they allegedly agreed on similar pricing strategies to avoid undercutting each other's income, according to the FBI. 

The party leased driver accounts on a weekly basis, according to court records. A ride-hailing service driver account costs between $250 and $300 per week, while a food delivery web account costs $150 per week. The FBI claimed to have tracked more than 2,000 accounts created by gang members during their investigation. 

According to the agents in charge of the investigation, the suspects made hundreds of thousands of dollars from this scheme, depositing their earnings in bank accounts under their control and withdrawing small sums of money on a regular basis to avoid attracting the attention of the authorities. Thousands of dollars were also made by criminals due to referral incentives for new accounts. One of the gang members received USD 194,800 through DoorDash's user referral system for 487 accounts they had on the website, according to a screenshot posted on the group's WhatsApp page. 

The DOJ has charged 19 Brazilian people so far, as well as revealing that six members of the fraudulent party are still on the run. The Department of Justice reported the second round of charges against five Brazilian citizens last week. Four were apprehended and charged in a San Diego court, while a fifth is still on the run and assumed to be in Brazil.

Court of Justice of the State of Rio Grande do Sul, Brazil Hit by REvil Ransomware


REvil ransomware group on 28th April 2021, had attacked the Tribunal de Justiça do Estado do Rio Grande do Sul (Court of Justice of the State of Rio Grande do Sul) in Brazil, which compromised the staff data and also obligated the courts to disable their network. Also labeled as Sodinokibi, REvil is a private service for the ransomware-as-a-service operations which rose in 2019. 

The Tribunal de Justiça do estado do rio Grande do Sul (TJRS), is a legal framework of the Brazilian state of Rio Grande do Sul. The attack started on April 28th, after personnel unexpectedly found that they are not able to access any of their documentation and photographs anymore, and also that ransom notices were displayed on Windows. 

Relatively soon after the intrusion was started, the verified TJRS Twitter account alerted staff not to sign into local and remote TJ network systems. 

“The TJRS reports that it faces instability in computer systems. The systems security team advises internal users not to access computers remotely, nor to log into computers within TJ’s network,” tweeted the TJRS judicial system. 

A Brazilian security analyst named Brute Bee took a screenshot and shared it with the staff of Bleeping Computer including ransom notes and talked about the attack. These ransom notices are there for the REvil service as they were the ones responsible for the attack, which is also autonomously verified by Bleeping Computer. 

“Files of TJRS could've been lost forever unless backups are available! DDoS attacks are yet to come if its victims refuse to cooperate”, added Brute Bee. 

Bleeping Computer further added that the threat actors have demanded a $5,000,000 ransom for the REvil Ransomware project to decrypt documents and further not to leak any of their data. 

One individual characterized the incident as "horrible," and "the worst thing happened there," in an interpreted audio recording that has been exchanged with Bleeping Computer, and also the IT workers experienced a "hysterical stress attack" while they scrambled to restore thousands of computers. 

The Superior Court of Justice of Brazil was targeted by the RansomEXX ransomware community last November as well, which started encrypting computers in the center of conference call tribunals. At the very same moment, the domains of several other Federal government departments in Brazil went down, but whether they were shut down or were under attack wasn't visible.

Janeleiro a New Banking Trojan Targeting Corporate, Government Targets


A banking Trojan has been found out by cybersecurity researchers, which has targeted many organizations across the state of Brazil. An advisory has been released on Tuesday by ESET on the malware that was being developed in 2018. 
According to cyber intelligence, the Trojan named Janeleiro primarily focused on Brazil and launched multiple cyber attacks against corporate giants in various sectors such as engineering, healthcare sector, finance, retail, and manufacturing. Notably, the threat actors who are operating the banking trojan have also made attempts to get access into government systems using the malware.

According to the researchers, the Trojan is similar to other Trojans that are currently being operated across the state, specifically in Grandoreiro, Casbaneiro, and Mekotio, to name a major few. 

Janeleiro enters into smart devices similar to most malware, however, some features are different. First, Phishing emails will be sent in small batches, masked as unpaid invoices of the firm. These emails contain links that compromise servers into the system and download a .zip archive hosted in the cloud. If the target opens the archive file, a Windows-based MSI installer then loads the main Trojan DLL into the system. 

"In some cases, these URLs have distributed both Janeleiro and other Delphi bankers at different times," ESET says. 

“…This suggests that either the various criminal groups share the same provider for sending spam emails and for hosting their malware, or that they are the same group. We have not yet determined which hypothesis is correct." 

Interestingly, the Trojan first checks the geo-location of the targeted system's IP address. If the state code is Brazil and it remains and runs its operation but if it is other than Brazil then the malware will exit automatically. 

Janeleiro is being used to frame fake pop-up windows "on-demand," such as when operators compromised banking-related keywords from its machine. Once the operators get access to the system then they ask for sensitive credentials and banking details from targets.

Bitcoin fraud worth $ 359M caught by the Brazil Police

The Brazilian police have found what is said to be an alleged Bitcoins fraud that stole $ 359M from the sufferers. "The Brazillian state police have been able to counter the anonymous operation and have caught 9 criminals," says the Parana state government in a statement. "Growing concern in crypto-currency businesses has been followed by an increase of scams,” the report states. “The absence of supervision and attention along with large levels of distraction, unfamiliarity, cross-perimeter activities, and other characteristics crucial to the cryptocurrency business reveals possible dangers to the users," says Brazilian Congressman Aureo Ribeiro.

The 4 months inquiry exposed five hundred personalities from over 6 states that have fallen prey to the Bitcoin grant fraud. However, the figures could go up to 5000 persons. “It was obvious that the plan was a fraud when the victims got a notification from the organization, informing the users that the investors would not be able to debit their money for 6 months,” says the Parana state government's statement.

The company responded to the situation by saying it too had suffered a scam estimating $5 million. But the investors' withdrawal money was delayed even after 6 months passed, and that's how the company was caught red-handed.' According to one of the victims, a fraud had promised everyday returns up to 4% on investments. The people arrested for the theft are accused of money laundering, scam, counterfeit and unlawful connection. 

Cryptocurrency Frauds happened recently-

Sadly, it is not the first instance when people have fallen prey to the cryptocurrency scam. "In May, a cryptocurrency fraud gang had was locked down for theft of $200M from over 50,000 victims," reports Hard Fork. Criminals pretended to give crypto-currency grants assuring people 15% of profits for their money. "During the time, the firm had collected about $215M through February 2019, however, police concluded the figure could be around $250M," says Federal Revenue Service.

The police in April caught an individual on doubt that he was running drugs racket gang and stealing money through Bitcoins. In the region Porto Alegre, Southern Brazil, the police officials have discovered a secret drug lab having Bitcoin digging facilities.