Rio de Janeiro finance department hit with LockBit ransomware

The Secretary of State for Finance of Rio de Janeiro confirmed on Friday that it was dealing with a ransomware attack on its systems.

The LockBit ransomware group claimed to have attacked systems connected to the government offices, stealing about 420 GB. The group threatened to leak the stolen data on Monday. 

In a statement to The Record, a spokesperson for the Secretary of State for Finance of Rio de Janeiro said they contacted the law enforcement agency that manages digital crimes in Brazil after they were threatened by a cybercriminal who breached their systems.  

“In the threat, sent this Thursday, the attacker asks for a payment not to disclose data allegedly stolen from the systems of Sefaz-RJ. This data would correspond to only 0.05% of the data stored by the Secretariat,” the spokesperson said. 

Rio de Janeiro has the second-largest GDP of any city in Brazil after São Paulo and is home to headquarters for several state-owned companies including Petrobras, Eletrobras, Caixa Econômica Federal, National Economic and Social Development Bank and Vale. 

It is one of the financial hearts of South America, with its economy ranking 30th in GDP among all cities in the world. The city exported $32.5 billion worth of goods in 2021. 

The Undersecretariat for Information and Communication Technology (SUBTIC) told The Record that it has offered to work with the police on the investigation.

“Since 2020, [SUBTIC] has been prioritizing the strengthening of information security, which can be proven by the low impact of the attack,” the spokesperson said. 

“This is a result of the effectiveness of the actions that have been adopted.”

A ransomware tracker maintained by researchers at Recorded Future, which owns The Record, indicated that LockBit was the second most prolific ransomware gang in 2022 after Conti. They have attacked at least 650 organizations so far this year, according to the data. 

The Australian Cyber Security Centre (ACSC) issued a security advisory last August warning of a sudden spike in LockBit ransomware attacks. 

The group has been operating since September 2019 and was a marginal player before developing a new version of their Ransomware-as-a-Service platform, called LockBit 2.0.

With the demise or retirement of rivals like Darkside, Avaddon, and REvil, LockBit has become one of the most commonly seen RaaS platforms.