BRAZIL

Threat Landscape Report 2024

Table of Contents
Executive Summary 3

Technical Details 5

Recent Dark Web Activities Targeting Brazilian Entities 7

Ransomware Attacks Targeting Brazilian Entities 9

Top Ransomware Groups Targeting Brazil 10

Recent Ransomware Attacks Targeting Brazilian Entities 11

Top Threat Actors Targeting Brazilian Organizations 13

Stealer Log Statistics: Top Domains in Brazil 16

Phishing Threats Targeting Brazil 18

DDoS Attack Statistics 21

Lessons Learned: Key Insights and Strategic Recommendations 22

socradar.io
 Executive Summary

As Latin America's largest economy and one of the most influential

global players, Brazil occupies a central role in regional economic
and geopolitical dynamics. Its diverse economy, which spans
agriculture, mining, technology, and finance, rapidly embraces digital
transformation. However, this growth comes with heightened
vulnerability to an expanding array of cyber threats.

Amidst intensifying geopolitical challenges and a fast-evolving cyber

landscape, Brazil has increasingly become a target for criminal and
state-backed cyber actors. Threat actors frequently seek to exploit
weaknesses in Brazil’s expanding digital infrastructure, with
particular emphasis on sectors such as finance, energy, and
government, where the potential for disruption and financial gain is
substantial.

Our findings point to a surge in ransomware attacks, data breaches,

and sophisticated phishing operations aimed at Brazilian
organizations. Notably, there has been a rise in activity linked to
Advanced Persistent Threat (APT) groups, often tied to
nation-states, targeting Brazil's critical infrastructure to extract
sensitive information or disrupt essential services.

The growing prominence of the Dark Web has also given

cybercriminals a platform to exchange tools, trade in stolen data, and
coordinate attacks with greater anonymity. This has contributed to
the increasing complexity of the threat environment, especially as
ransomware-as-a-service (RaaS) offerings enable even
inexperienced attackers to inflict significant damage on Brazilian
enterprises.

This report delivers an in-depth analysis of Brazil’s cyber threat

landscape, drawing on open-source intelligence and proprietary
research to assess the most pressing risks. It is intended to guide
decision-makers in both the public and private sectors, helping them
to refine their defensive strategies, reduce exposure to cyber risks,
and bolster the country’s resilience against increasingly
sophisticated cyber threats.

To access SOCRadar's 2023 Brazil report, click here.

socradar.io 3
 Top Takeaways

Dark Web Dynamics: In 2024, a diverse group of 91 threat actors

actively targeted Brazilian enterprises, posting 629 times on the
Dark Web. These activities predominantly revolved around the sale
of databases, emphasizing the critical need for robust data security
measures.

Dark Eyes on Public Administration: The public administration

sector accounted for 10.65% of the Dark Web activities, making it
the industry most targeted by global threat actors. This
underscores the sector's strategic significance and its susceptibility
to digital threats.

Ransomware Resurgence: Brazil faced 248 distinct ransomware

incidents throughout the year, with 166 attacks targeting the
country. This demonstrates a concentrated effort by cybercriminals
to exploit Brazilian entities.

Notorious Ransomware Syndicates: High-profile ransomware

groups like LockBit 3.0, Conti, and ALPHV BlackCat aggressively
targeted Brazil, reflecting the heightened sophistication and
severity of the country's cyber threat landscape.

Stealer Logs: The widespread use of Stealer Logs in 2024 resulted

in substantial data breaches, compromising sensitive information for
thousands of individuals across Brazil.

Phishing in the Digital Economy: 1,449 phishing attacks were

recorded during the year, primarily impacting the emerging
Information Services industry. This underscores the increasing
cyber risks facing this rapidly growing sector in Brazil.

Unprecedented DDoS Attacks: Brazil endured a record-breaking

Distributed Denial of Service (DDoS) attack involving 23 different
vectors, reaching a peak bandwidth of 4 Tbps. This occurred within
a broader context of 372,825 DDoS incidents, illustrating the
intensity and escalation of cyber assaults targeting the country.

socradar.io 4
 Technical Details

Dark Web Threats Targeting Brazilian Entities

Over the preceding year, SOCRadar's Dark Web Analysts diligently monitored
activities within the Dark Web, identifying notable trends and establishing
connections between Brazilian enterprises and covert threat actors.
Throughout 2024, Brazilian entities encountered a continuous barrage of cyber
threats, with various actors attempting to exploit successful intrusions by
trading or leveraging their gains in Dark Web forums.

SOCRadar observed 629 Dark Web forum posts linked to 91 distinct threat
actors during this period. Public Administration emerged as the most
prominently affected industry among the targeted industries, representing
10.65% of the identified cyber threats during this period. Following closely
behind, the Retail Trade and Information Services industries accounted for
9.45% and 7.95% respectively.

Industry Distribution of Dark Web Threats

Public Administration 10,65%

Retail Trade 9,54%
Information Services 7,95%
Electronic Shopping and Mail-Order Houses 7,31%
Finance and Insurance 6,20%
Other Services (except Public Administration) 4,61%
Professional, Scientific, and Technical Services 4,45%
Health Care and Social Assistance 3,82%
Educational Services 3,02%
Arts, Entertainment, and Recreation 2,54%

0,00% 2,00% 4,00% 6,00% 8,00% 10,00% 12,00%

socradar.io 5
 Distribution of Dark Web Threats by Post Type

Selling 27,19%

Sharing 21,30%

Hack Announcement 5,72%

Buying 0,32%

0,00% 5,00% 10,00% 15,00% 20,00% 25,00% 30,00%

Distribution of Dark Web Threats by Threat Type

Data/Database 33,64%
Access 13,12%
Website 4,25%
Admin Access 3,88%
RDP Access 2,59%
Sensitive Data 2,22%
Wordpress 1,48%
Network Access 1,48%
Credit Card 1,29%
VPN Access 1,11%

0,00% 15,00% 30,00%

socradar.io 6
 SOCRadar's Advanced Dark Web Monitoring provides Brazilian organizations
with critical insights into hidden threats targeting their sectors, including Public
Administration and Retail Trade, which have faced significant risks over the
past year. With real-time tracking of underground chatter and sensitive data
exposure, SOCRadar enables proactive defense against dark web threats.

Activate your free demo today to safeguard your organization’s most valuable
assets.

Recent Dark Web Activities Targeting Brazilian Entities

The Alleged Relations Work Data of Brazil is on Sale
21 Sep A hacker forum monitored by SOCRadar detected a new alleged sale of
2024 relations work data for Brazil. The database reportedly includes
563,409,111 records and is being offered for sale on the forum.

Screenshot of the forum post - Relations Work (Brazil 2024)

socradar.io 7
 The Alleged Data of Schadek Automotive is Leaked
22 Sep A new alleged data leak for Schadek Automotive was detected in a
2024 hacker forum monitored by SOCRadar. The leaked data includes
sensitive information such as projects, employee details, customer
data, financial information, and manufacturing designs.

Screenshot of the forum post - Schadek Automotive Company In Brazil

The Alleged Unauthorized Domain Admin Access

11 Sep Sales are Detected for Many Companies
2024 In a hacker forum monitored by SOCRadar, an unauthorized sale of
domain admin access was detected. The access allegedly belongs to
many companies operating in Brazil and Australia. It includes Domain
Admin RDP and DC.dump files, providing potential attackers with
privileged access to sensitive data and systems.

Screenshot of the forum post - Selling DA Accesses

socradar.io 8
 Ransomware Attacks Targeting Brazilian Entities
Ransomware attacks represent significant threats to
organizations, often resulting in dire consequences such as
extensive data loss and the exposure of sensitive information.
SOCRadar's surveillance has identified 248 instances of
ransomware victim notifications attributable to various
ransomware threat actors and/or groups.

Of the 248 ransomware attacks referenced, Brazil emerges as

the primary target in 166 cases, with the nation also featuring
among the most affected countries in the remaining 82 global
incidents.

Manufacturing emerges as the most prominently affected

sector among the targeted industries, representing 20.56% of
the identified ransomware attacks during this period.
Following this, the Information Services industry accounted
for 12.90% of the attacks, while the Professional, Scientific,
and Technical Services industry experienced 6.05% of the
ransomware incidents.

Distribution of Ransomware Attacks by Industry

Manufacturing 20,56%
Information Services 12,90%
Professional, Scientific, and Technical Services 6,05%
Health Care and Social Assistance 6,05%
Utilities 4,84%
Construction 4,44%
Public Administration 4,03%
Chemical Manufacturing (Chemical &
Pharmaceutical Manufacturing) 4,03%
Educational Services 4,03%
Automobile Dealers 3,23%
0,00% 5,00% 10,00% 15,00% 20,00% 25,00%

socradar.io 9
 Top Ransomware Groups Targeting Brazil
When examining the top ransomware groups targeting Brazil, LockBit 3.0
emerges as the most prolific threat, accounting for 27.42% of the attacks.
Following this, Conti represents 9.27% of the ransomware incidents. ALPHV
Blackcat accounts for 6.85%, while 8base accounts for 6.45%. Lastly, Revil
contributes to 4.84% of the ransomware activity in Brazil.
This analysis highlights the dominant presence of LockBit 3.0, followed by a
diverse range of other ransomware groups.

Top Ransomware Groups Targeting Brazil

4,84%

6,45%
LockBit 3.0
Conti
27,42% ALPHV Blackcat
6,85%
8base
Revil

9,27%

socradar.io 10
 Recent Ransomware Attacks Targeting Brazilian Entities
The New Ransomware Victim of LockBit 3.0:
05 Feb Tgestiona Logística
2024 On the LockBit 3.0 ransomware group website monitored by
SOCRadar, a new victim was allegedly announced as Tgestiona
Logística. The group has already uploaded some of the company's files
to its website and is threatening to publish the rest if the ransom is not
paid by February 22, 2024, as the payment deadline draws near.

Screenshot from Lockbit 3.0 ransomware group’s website

The New Ransomware Victim of Stormous: UFFS

18 Jan On the Stormous ransomware group website monitored by SOCRadar,
2024 a new ransomware victim was allegedly announced as UFFS / Federal
University of Fronteira Sul. The group offers exclusive access to a VPN
network that bypasses security barriers, providing access to the entire
network infrastructure, including critical servers and databases. It
employs advanced encryption techniques to secure communications
and ensure access remains undetected.

Screenshot from Stormous ransomware group’s website

socradar.io 11
 Hunters International Ransomware Group
22 Jan Leaked The Data of Alupar Investimento
2024 In the Hunters International ransomware group website monitored by
SOCRadar, new data leaks detected allegedly belong to Alupar
Investimento. The leaked data includes various files, such as bank
details, contracts, and social information, totaling 699.8 GB.

Screenshot from Hunters International ransomware group’s website

Explore SOCRadar’s Ransomware Intelligence module and gain comprehensive

insights with detailed group profiles, MITRE Visualizer, and actionable IOCs. These
insights will empower you to stay ahead of evolving threats and enhance your
cybersecurity strategy.

socradar.io 12
 Top Threat Actors Targeting Brazilian Organizations

Lockbit 3.0 Ransomware Group

-Ransomware Group-

LockBit Motivation: Financial Gain

Target United States, United Kingdom,

Countries: Canada, Europe, Thailand,
Taiwan

Target Manufacturing, Professional

Sectors: Services, IT, Healthcare,
Finance, Education, Legal
Services

Attack Type: Phishing, RDP and VPN access

Country of Origin: Russia
Exploitation, Ransomware, Data
-TTPs- Exfiltration, Double-extortion
The most successful RaaS
group operating since 2019. Exploit Public-Facing Application: T1190
The group is continuously
evolving and is highly active Remote Desktop Protocol: T1021.001
in deploying models such as
double-extortion and initial Data Encrypted for Impact: T1486
access broker affiliates.

LockBit 3.0, a successor to LockBit and LockBit 2.0, operates as a

Ransomware-as-a-Service (RaaS) group. Since January 2020, LockBit has
shifted to an affiliate-based model, employing various tactics to target
businesses and critical infrastructure organizations. They are known for
employing strategies like double extortion and initial access broker
affiliates, recruiting insiders, and hosting hacker recruitment contests.

With over 1,500 victim announcements on the SOCRadar platform, LockBit

emerged as the most active ransomware group in 2022 following Conti's
shutdown. As of the first quarter of 2023, they remain the most prolific
group, boasting over 300 announced victims.

You can visit our blog post for more detailed Lockbit 3.0 Ransomware
Group information.

socradar.io 13
 Conti Ransomware Group

Conti is one of the most notorious ransomware groups responsible for

hundreds of attacks globally. The group operates as a
Ransomware-as-a-Service (RaaS), which allows affiliates to use Conti’s
ransomware in exchange for a share of the profits. Conti is known for its
highly sophisticated attacks, which leverage double extortion
techniques—encrypting data and threatening to leak sensitive information
if the ransom is not paid.

The Conti group was also linked to several high-profile attacks, including
incidents targeting critical infrastructure and healthcare organizations.
Their aggressive tactics and willingness to target essential services have
made them one of the most disruptive ransomware groups in recent years.

You can visit our blog post for more detailed information about the Conti
Ransomware Group.

socradar.io 14
 ALPHV Blackcat Ransomware Group

-Ransomware Group-

BlackCat
Ransomware Motivation: Financial Gain

Target United States, United Kingdom,

Countries: Canada, Germany, Australia,
France, Italy, Spain

Target Professional Services,

Sectors: Manufacturing, Healthcare,
Finance, Information
Technology

Attack Type: Spearphishing, Stolen

Country of Origin: Russia
Credentials, RaaS, Ransomware,
-TTPs- Triple-Extortion
BlackCat, or ALPHV, is a
ransomware group known for User Execution: Malicious File: T1204.002
being the pioneer to use Rust
and the group first announced Defacement: T1491
its RaaS affiliate program in
a dark web forum in December Data Encrypted for Impact: T1486
2021.

BlackCat, or ALPHV, is a ransomware group known for being the first to

successfully use Rust—a cross-platform programming language that allows
for easy malware customization for different operating systems, such as
Windows and Linux. The group has been able to evade detection and
successfully encrypt their victims’ files by using Rust, which allows them to
target multiple operating systems and bypass security controls not
designed to analyze malware written in Rust.

You can visit our blog post for more detailed information about the
ALPHV BlackCat Ransomware Group.

SOCRadar enhances
cybersecurity measures
with its Threat Actor
Intelligence module,
which features advanced
Threat Actor Tracking
capabilities for
organizations that want
to stay ahead of cyber
threats in real-time.

socradar.io 15
 Stealer Log Statistics: Top Domains in Brazil

Throughout 2024, thousands of users' user IDs/email addresses, passwords,

credit card data, password hashes, and victim IP address information were
compromised via Stealer Logs from the computers of users with accounts or
access to some of the highest traffic domains in Brazil.

The table below lists the domains that receive the highest traffic from Brazil.

uol.com.br
globo.com
tudocelular.com
gov.br
mercadolivre.com.br
terra.com.br
caixa.gov.br
metropoles.com
acesso.gov.br
cnnbrasil.com.br

socradar.io 16
 Stealer Logs- Compromise Data

Email / Password 3.228

Password Hash 1096

Credit Card Data 771

Victim IP 124

0 500 1.000 1.500 2.000 2.500 3.000 3.500

The data reveals significant dissemination of compromised information, including

3,228 email/password combinations, 1,096 password hashes, 771 credit card data
entries, and 124 compromised victim IPs, each representing significant instances of
compromise.

These discoveries emphasize the gravity of data compromises that impact users,
highlighting the urgent need for robust cybersecurity protocols to mitigate such risks
efficiently.

SOCRadar’s Identity & Access Intelligence Module can detect stealers on your
devices and identify their location, facilitating a secure working environment.
Changing passwords without eliminating stealers is insufficient to secure your
organization, as it will only provide new passwords to threat actors.

socradar.io 17
 Phishing Threats Targeting Brazil
Phishing is an effective method to initially breach an organization's
infrastructure by deceiving individuals into divulging sensitive credentials on
fraudulent websites.

Typically, phishing attacks are coupled with social engineering tactics to

acquire such credentials. Over the past year, Brazilian enterprises have
encountered 1,449 distinct instances of phishing attacks, primarily
targeting the Information Services industry.

Phishing Attacks - Distribution by Industry

Information Services 20,56%

Public Administration 20,09%
Banking 17,76%
Finance 8,88%
Telecommunications 6,07%
Delivery Services 4,67%
National Security&International Affairs 4,67%
Accommodation&Food Services 4,67%
Arts & Entertainment 3,74%
Automotive 2,80%
0,00% 5,00% 10,00% 15,00% 20,00% 25,00%

With SOCRadar’s AI-powered Phishing Domain Detection module, you can swiftly
identify malicious domains and protect your brand from phishing threats. Start
safeguarding your digital presence today with SOCRadar— request a free demo
and see the platform in action.

socradar.io 18
 The graph below illustrates the distribution of Page Titles used by threat
actors for phishing attacks. Notably, the data reveals a predominant usage of
the Aliança Administradora de Condomínios page title.

Phishing Attacks - Distribution by Phishing Page Title

Aliança Administradora de Condomínios 9,25%

Not Acceptable! 4,14%

POUCAS UNIDADES – COMBO MAKITA – KIT 18
PEÇAS (VÁLIDO ATÉ DOMINGO) #2 – Magazine Luiza 1,38%
| Pra você é magalu
Account Suspended 1,04%

Cartões Renner 0,83%

Chase Online 0,83%

Magazine Luiza | Pra você é magalu 0,83%

Netflix 0,76%

Account Suspended 0,55%

WhatsApp Web 0,55%

0,00% 2,50% 5,00% 7,50% 10,00%

socradar.io 19
 When closely examining the SSL/TLS protocols of domains prepared for
phishing attacks by threat actors, we observe an increasing trend in the
usage of HTTPS compared to the past.

Phishing Attacks- Distribution by SSL/TLS Protocol

HTTP
46,51%
HTTPS
53,49%

socradar.io 20
 DDoS Attack Statistics
Brazil experienced a dynamic DDoS threat landscape marked by considerable
cyber activity in 2024.

• The most extensive multivector DDoS attack recorded encompassed 23

vectors, featuring prevalent techniques such as DNS Amplification and
ICMP attacks.

• The maximum bandwidth observed during a DDoS attack reached 4 Tbps

(peak aggregate bandwidth in one minute), indicating the severe capacity
of these cyber threats.

• The highest recorded throughput during these incidents was 350.00 Mpps
(peak aggregate throughput in one minute), underscoring the intense rate
at which data packets were sent.

• On average, each DDoS attack lasted for 51.85 minutes, indicating a

strategy aimed at prolonged and effective service disruption.

• 372,825 DDoS attacks were recorded throughout the year, illustrating a

high frequency of cyber-attacks aimed at targets in Brazil.

Attack Vector Number of Attacks in 2023

TCP ACK 134,878

DNS Amplification 96,660
TCP SYN/ACK 83,769
TCP Reset 74,236
ICMP 65,442

The ongoing evolution of DDoS tactics underscores the importance of

implementing stringent monitoring and resilient defense mechanisms to safeguard
essential infrastructures and ensure uninterrupted service delivery.

Enhance your DDoS defense with SOCRadar's DoS Resilience Free Tool, a
sophisticated tool designed to assess and fortify your infrastructure's resilience to
DoS attacks.

socradar.io 21
 Lessons Learned: Key Insights and
Strategic Recommendations

Upon examining the cybersecurity threats facing organizations in Brazil, several

critical lessons and recommendations have emerged. These insights, enhanced by
SOCRadar's capabilities, provide a strategic roadmap to bolster cyber resilience
and safeguard operational integrity. Here are the key takeaways from our analysis:

Vigilance in an Evolving Cyber Threat Landscape

The dynamic nature of the cyber threat landscape, marked by an increase in Dark
Web activities and ransomware incidents related to Brazil, demands constant
vigilance.

Organizations must keep pace with these changes by adapting their security
strategies. By adopting a proactive approach like SOCRadar’s Extended Threat
Intelligence solution, organizations can gain real-time insights into emerging
threats, positioning them to counteract cyber adversaries proactively.

Implementation of Multi-layered Security Measures

Given the broad spectrum of industries targeted by cyber threats, it is essential to

implement multi-layered security defenses. SOCRadar supports these efforts with
its proactive Threat Intelligence and Advanced Dark Web Monitoring services,
ensuring comprehensive protection.

Consistent Guard Against Ransomware

The persistent ransomware threat underscores the need for defensive, solid, and
responsive strategies. SOCRadar’s Attack Surface Management capabilities are
crucial for businesses to identify potential ransomware threats and to formulate
effective countermeasures.

Continuous Employee Education and Training

The ongoing risk of phishing attacks makes continuous employee education and
training imperative. Enhancing their ability to recognize phishing tactics and
detection methods is vital.

SOCRadar's Digital Risk Protection suite provides comprehensive VIP Protection

and Brand Protection services, effectively addressing the challenges posed by
identity-based attacks.

socradar.io 22
 Robust Defenses Against Stealer Malware

Brazil is frequently targeted by Stealer malware, so strengthening defenses

against this malicious software is crucial.

SOCRadar’s Identity & Access Intelligence module is vital in detecting and

mitigating data breach threats, enhancing an organization’s security framework.

Strategies Against DDoS Attacks

As DDoS attacks become more complex and voluminous, organizations must

prioritize implementing robust DDoS mitigation strategies. This involves
deploying advanced DDoS protection technologies that absorb high-volume
traffic and effectively mitigate multi-vector attack strategies.

Enhance your DDoS defense with SOCRadar's DoS Resilience Free Tool, a
sophisticated tool designed to assess and fortify your infrastructure's resilience
to DoS attacks. Leveraging state-of-the-art AI and cloud technologies, this
module provides a crucial layer of protection for global organizations.

SOCRadar’s Recommendations: Proactive Strategies for Threat Detection,

Dark Web Monitoring, and Brand Protection

• Adopting a proactive and comprehensive cybersecurity approach is crucial

for Brazil's organizations.

• Partnering with advanced solutions like SOCRadar enhances defenses and

helps navigate the evolving cyber threat landscape.

• Building a culture of risk awareness and implementing proactive mitigation

strategies fortifies defenses against dynamic threats.

• Utilizing Cyber Threat Intelligence (CTI) empowers teams to respond to

immediate threats and confidently prepare for future challenges.

• Collaboration among cybersecurity professionals, supported by robust CTI

frameworks, is essential for safeguarding digital assets and maintaining
organizational resilience against cyber threats.

socradar.io 23
 Who is Your Eyes Beyond
?
SOCRadar provides Extended Threat Intelligence (XTI) that
combines: "Cyber Threat Intelligence, Brand Protection, External Trusted by
Attack Surface Management, and Dark Web Radar Services." 21.000+ companies
SOCRadar provides the actionable and timely intelligence context in 150+ countries
you need to manage the risks in the transformation era.

Dark Web Monitoring: SOCRadar's fusion of Protecting Customers’ PII: Scan millions of
its unique Dark Web recon technology with the data points on the surface, deep and Dark
human analyst eye further provides in-depth Web to accurately identify the leakage of your
insights into financially-targeted APT groups customers' Personally Identifiable Information
and the threat landscape. (PII) in compliance with regulations.

Credit Card Monitoring: Enhance your fraud 360-Degree Visibility: Achieve digital
detection mechanisms with automation speed resilience by maintaining internet-facing
by identifying stolen credit card data on digital asset inventory. Significantly accelerate
popular global black markets, carding forums, this process by automated discovery,
social channels, and chatters. mapping, and continuous asset monitoring.

GET ACCESS FOR FREE

START YOUR PERSONALIZED DEMO

Discover SOCRadar’s powerful tools and easy-to-use interface to enhance cyber
threat intelligence efforts. Schedule a demo with our experts to see it in action, and
we’ll show you what SOCRadar can do.