Ransomware – not just flying south for the winter.

Written by: Lisa Forte

Categorized: Cyber Resilience

In 2022 major ransomware groups have been looking for new profitable markets, and their gaze has fallen on Central and South America.

A wealth of reports claim that the number of ransomware attacks in the global north has stabilised. Okay, they haven’t decreased, so we can’t exactly celebrate, but at least they are not increasing at quite the rate they once were.

In contrast the number of attacks in the global south has risen sharply. Very sharply.

In this article I am going to focus solely on Central and South American countries as this area has seen one of the steepest increases in ransomware attacks, but it is a problem plaguing most of the global south.

In 2022 alone there have been highly disruptive attacks in Costa Rica, Peru, Chile, Brazil and Argentina. The first ever state of national emergency was declared, the USA sent teams of people to help another nation state under siege, sensitive intelligence files were stolen and tens of thousands of citizens felt a huge impact on their lives.

You may be sitting there thinking “this is unfortunate but why should I care about ransomware hitting organisations in Central and South America?”

There are a few reasons you should care, and be concerned. I will build on each of these in this article.

Firstly, attacking organisations in this region allows these groups to get back to their previous healthy profit margins and the more well financed they are the worse and harder it is for European and US organisations to defend against them.

Secondly, it allows ransomware groups to potentially try out new tactics without setting off too many alarm bells with US and European law enforcement.

Thirdly, ransomware poses a far more serious risk to these countries. Unlike in Europe, ransomware has the potential for destabilising these countries and even impacting their long-term economic growth. Something that wouldn’t be beneficial to the international community. In a globalised world ransomware needs to be everyone’s business.

Let’s take a quick look at some of the most headline worthy attacks experienced in that region.


Conti Vs Costa Rica

In April 2022 the Financial Times reports that Jorge Mora, the digital governance chief in Costa Rica received a message from one of his team. It read “we couldn’t contain it and they’ve encrypted the servers”. His country was under siege from the notorious ransomware group, Conti. They managed to cripple a number of essential government services. Trade ground to a halt, medical appointments across the country were cancelled, tax payments were disrupted and millions were lost.

Conti asked for a $20mn ransom but the government refused to pay. The impact was so severe that the President of Costa Rica declared a national state of emergency and referred to his country as being “at war” with ransomware groups comparing the attack to terrorism.

This was the first instance of a country declaring a national state of emergency in response to ransomware attacks. Conti was believed to be the mastermind behind the attacks and they publicly called for the Costa Rican government to be overthrown.

At the time that the President declared a national state of emergency WIRED claim “759 of the 1500 servers and 10,400 computers” had been impacted. It was also claimed that 34,677 medical appointments had to be rescheduled across the country.

Conti’s behaviour was more worrying than usual. They usually behaved in an almost “business-like” manner but in this case they were erratic, political and unpredictable. Some argue that their attacks on Costa Rica were designed to be a distraction, as their “brand” had been falling apart after Russia invaded Ukraine. The standoff left some services unavailable for months. The USA sent over teams to help. Costa Rica is still dealing with the consequences of the attack, a process that could even take years.


Conti Vs Peru

In the first few months of 2022 Conti also had attacked Peru’s intelligence agency, National Directore of Intelligence. They stole 9.1GB of “very sensitive data” which they threatened to publish if a ransom wasn’t paid. Conti claimed that the stolen data contained detailed information on the torture operations conducted by the Peruvian intelligence agency and that if it were to be released it would cause them huge problems.


Play Vs Argentina

In August 2022 the Cordoba Judiciary in Argentina was hit by a ransomware attack that forced it to take its online portal and much of its infrastructure offline. Many reports in Argentina cited the attack as the “worst in history” for an Argentine public institution. The attack forced the organisation back onto a pen and paper system for submitting documents. It was claimed that the attack was associated with the new “Play” ransomware. A few months prior to this attack a list of employee email addresses at the Judiciary had actually been leaked online as part of the Globant (an IT and software company) breach. This may have been the initial spark that led to the attack on the Cordoba Judiciary.


Chile Locker and Gucamaya Vs Chile

In August 2022 the Chilean government announced that one of its agencies had been taken offline by a ransomware attack, since named “Chile Locker”.

The attackers used the common double extortion methodology that both encrypts the data and exfiltrates the data. They threatened to leak the stolen data publicly if the ransom wasn’t paid. Chile’s CSIRT team announced the attack had occurred and that they had been given 3 days to pay the ransom, but kept details to a minimum. The level of disruption was significant. Around the same time it was claimed that Chile had also fallen victim to the notorious Gucamaya group who, whilst not strictly speaking a ransomware group, have been targeting organisations in Central and South America and leaking very sensitive documents from various militaries in that region including Mexico.


Why target the global south?

There are a number of factors that likely have driven this move south by ransomware groups.

Money with less awareness.

These countries may be viewed as having historically invested far less in security defences than those in the global north. Andy James, from Custodian 360, noted,

“Some South American organisations could be seen as more vulnerable as they haven’t engaged in the same level of security investment. Some of the technology they are using isn’t the most up to date too and this can make them an easier target”.

Even if in reality they are no less secure the perception that they may be could be very enticing.

Less noisy.

Ransomware groups haven’t exactly had a totally free ride over the last few years. Big noisy attacks, especially in the USA, such as Colonial Pipeline, caught the attention of the FBI and OFAC both of whom took a very proactive role in disrupting and applying sanctions to key groups. This actually caused many of them a lot of trouble. Targeting organisations in the global south could be viewed as easier given that they are less likely to be a top priority for annoyingly proactive US law enforcement and regulators. Law enforcement agencies in those countries may be less likely to cause such a level of disruption to the ransomware ecosystem for now.

Incident response capability.

There is also a perception that organisations in the global south would have less access to incident response services perhaps making them more likely to pay a ransom.

Sanction free zone.

Countries in the global south have not been so proactive in issuing sanctions as some of those in the global north have been. These sanctions cause issues for ransomware groups, it makes it harder to get paid and move money around if a victim does pay you. So, countries who are behind the curve on this automatically become more attractive “markets” to target.

All of these factors play into making countries in the global south look far more attractive.


What does the future hold?

The fight against the Covid pandemic doesn’t leave me with a great deal of hope when it comes to the global north helping the global south. We saw countries hoard vaccines and the lack of globalised response actually hindered efforts to get control of the spread of the virus. The WHO appealed multiple times to have a more supportive, globalised response. This was largely ignored in favour of a form of protectionism.

We find ourselves in much the similar position with ransomware. The countries in the global south need assistance, intelligence, advice and support from those in the global north. Without it the problem will likely spread. Professor Alan Woodward commented

“Personally, I don’t think South America will be their final safari. I suspect the rich pickings of India and Asia will see another wave of attacks. The criminal gangs won’t give up in one area and leave it alone totally. They will lurk and pick off any unwary organisations”.

So why should governments and organisations in the global north care and act?

Probably, and excuse the idealism here, we wouldn’t want to see countries with whom we have a close relationship face destabilising attacks. There may be another interesting factor at play here too. Central and South America is no stranger to organised crime groups. As Professor Alan Woodward put it

“these gangs are learning fast that ransomware can be more lucrative than their traditional nefarious activities, with less risk”.

Ransomware as a service makes this easier and is something that has been observed in other countries too. So doing nothing may actually bring more ransomware groups into existence. A problem for us all.

There is another political incentive though for us to help. One of the biggest challenges in dealing with the ransomware issue is that of safe harbours, countries that allow a safe place of effective immunity for attackers to exist. If you could get rid of these safe harbours then suddenly the lives of ransomware attackers would become increasingly riskier. Russia is often viewed as one such safe harbour. They are now seeking to become “best friends” with several countries in South and Central America. Given Russia’s rapidly diminishing influence and somewhat toxic brand there is an opportunity perhaps here for these countries to request Russia “crack down” on ransomware groups operating in its territory. Perhaps these countries may actually have the leverage we have been looking for to change the status quo on safe harbours?

There is one final big incentive for all of us to help, support and share intel with organisations in the global south, perhaps motivated more by self-interest than pure altruism.  If attackers are launching successful attacks in the global south and ransoms are being paid then their profit margins shoot back up. The more financing they can secure the more resourcing and R&D they can invest in. The better tools they have, the more refined their tactics and playbooks can become. As Daniel Card, consultant, told me

“It allows them to invest in tools and R&D and then try them out. Get experience they can use elsewhere”.

This in turn, just like with covid and the vaccine hoarding, is likely to come back to bite us. Making our adversary stronger and our organisations harder and more expensive to defend.

To win this fight we have to accept we need to win it together.




Related Content