How Ransomware Has Become a Geopolitical Risk for Governments


For months, Western leaders have warned about the risk of military conflict in Ukraine spilling over into the rest of the world. Their fears may not yet have been directly realized, but several governments in Latin America have certainly begun to feel the impact. Emboldened cybercrime groups may be redefining acceptable targets, which has implications for governments everywhere.

Just the Beginning?

In the first half of 2022, Costa Rica, Peru, Mexico, Ecuador, Brazil and Argentina were all targeted by Russian-speaking cybercrime groups like Conti, ALPHV, LockBit 2.0 and BlackByte. All of these countries had publicly condemned Russia at the UN for invading Ukraine, and some voted to suspend the country from the UN Human Rights Council. Further tying these ransomware attacks to Russia, we noted an uptick in initial access broker (IAB) services on major Russian-language dark web and special access forums like XSS and Exploit. These brokers have been advertising low-cost, compromised network access methods specifically related to entities in Latin America.

Among the organizations in the region targeted by threat actors were the secretary of state of finance in Rio de Janeiro, the municipality of Quito in Ecuador, the comptroller general of Peru, the Republic of Peru and Costa Rica. In Costa Rica, a national emergency was declared after the government branded a crippling attack an act of “cyber-terrorism.”

This represents a significant escalation in the severity of attacks targeting government organizations. Alongside K-12 education institutions, NGOs and healthcare organizations, governments have for a long time been off limits for ransomware affiliates keen to avoid stigmatization and the scrutiny of law enforcement. However, that stance appears to have shifted quite dramatically now, which could have implications for governments everywhere. If such groups now feel emboldened to target any nation critical of Russia, we could see a dramatic uptick in global incidents.

How Were They Hit?

Most of those organizations targeted in this first wave of Latin American attacks appear to have been hit after threat actors got hold of compromised credential pairs and session cookies. These are usually obtained via targeted infostealer infections through phishing attacks and sold by IABs. This highlights the relative immaturity of cybersecurity postures in the public and private sector in the region. However, credential phishing is a universal problem that could theoretically impact any organization regardless of security posture.

Latin American governments should, in the long term, look to education, training and apprenticeship programs to help build capacity, close the cyber-skills gap and get more individuals into the industry. But that’s only part of the picture. In the meantime, governments in the region and beyond should enhance resilience against ransomware through a series of best practice steps. These include reviewing your incident response plan, validating that tools such as intrusion detection systems (IDS) and endpoint detection and response (EDR) operate as intended, network segmentation, multi-factor authentication and improved patching. Monitoring for suspicious network activity can uncover covert attempts at lateral movement. Threat intelligence incorporating current ransomware indicators of compromise and ransomware-related hunting packages, in combination with identity/credential monitoring, can also get network defenders on the front foot.
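The identity/credential monitoring mentioned above can catch the session-cookie theft described in the previous section: a stolen cookie is typically replayed from a client that does not match the one that logged in. The following is an added example, not code from the article or from any vendor; it assumes a hypothetical tab-separated web access log (timestamp, session id, client IP, user agent, path) and constructed sample lines.

```python
"""Flag a web session cookie that starts being presented from a second client.

Added example. The log format and all sample values are constructed
(hypothetical), not taken from any real system.
"""
from collections import namedtuple

Record = namedtuple("Record", "ts session ip ua path")

# Constructed sample log: a legitimate login, then the same session id
# replayed from a different IP and browser, which is what a cookie lifted by
# an infostealer looks like on the server side.
SAMPLE_LOG = """\
2022-05-02T08:01:10Z\tsess-a1\t198.51.100.7\tFirefox/99\t/portal/login
2022-05-02T08:01:12Z\tsess-a1\t198.51.100.7\tFirefox/99\t/portal/home
2022-05-02T08:15:44Z\tsess-b2\t198.51.100.9\tChrome/101\t/portal/login
2022-05-02T08:40:03Z\tsess-a1\t203.0.113.55\tChrome/101\t/portal/finance/export
2022-05-02T08:40:09Z\tsess-a1\t203.0.113.55\tChrome/101\t/portal/admin/users
"""


def parse_log(text):
    """Parse the constructed tab-separated format into Record objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"malformed line: {line!r}")
        records.append(Record(*fields))
    return records


def detect_session_reuse(records):
    """Return one alert per session whose cookie is later presented from a
    different (ip, user-agent) fingerprint than at first use.
    Only the first deviation per session is reported, to limit alert volume.
    An IP change alone is common on mobile networks, so severity is 'high'
    only when IP and user agent both differ."""
    first_seen = {}  # session id -> fingerprint at first use
    alerts = []
    for r in records:
        fp = (r.ip, r.ua)
        origin = first_seen.setdefault(r.session, fp)
        if fp != origin and not any(a["session"] == r.session for a in alerts):
            both = r.ip != origin[0] and r.ua != origin[1]
            alerts.append({"session": r.session, "ts": r.ts, "origin": origin,
                           "new": fp, "path": r.path,
                           "severity": "high" if both else "low"})
    return alerts


if __name__ == "__main__":
    for a in detect_session_reuse(parse_log(SAMPLE_LOG)):
        print(f"{a['ts']} [{a['severity']}] session {a['session']} "
              f"moved from {a['origin']} to {a['new']} ({a['path']})")
```

In production the same check is run over the real access log or SIEM feed and a high-severity hit is a candidate for invalidating the session and forcing re-authentication with MFA.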

If this is the new geopolitical reality, government CISOs everywhere should take note. Things have been pretty intense already this year, and they may escalate further.
