LockBit Ransomware Hits ApexBrasil in Major Cybersecurity Breach

Incident Date: Sep 15, 2024

Attack Overview

VICTIM: ApexBrasil
INDUSTRY: Government
LOCATION: Brazil
ATTACKER: LockBit
FIRST REPORTED: September 15, 2024

LockBit Ransomware Group Targets ApexBrasil in Major Cyber Attack

The ransomware group LockBit has claimed responsibility for a cyber attack on ApexBrasil, the Brazilian Trade and Investment Promotion Agency. The attack was announced on LockBit's dark web leak site, indicating a significant breach of the agency's data and systems.

About ApexBrasil

ApexBrasil, officially known as the Brazilian Trade and Investment Promotion Agency, was established in 1997. The agency operates as a non-profit entity under the supervision of Brazil's Federal Government and is linked to the Ministry of Foreign Affairs. ApexBrasil employs approximately 601 individuals and has an estimated annual revenue of around $100 million. The agency's primary mission is to promote Brazilian products and services internationally while attracting foreign direct investment (FDI) to strategic sectors of the Brazilian economy.

ApexBrasil supports over 15,000 Brazilian companies, primarily micro, small, and medium-sized enterprises, by organizing trade missions, business rounds, and international trade fair participation. The agency also provides market intelligence, training, and branding services to enhance the competitiveness of Brazilian businesses in global markets.

Details of the Attack

The ransomware attack on ApexBrasil was orchestrated by LockBit, a highly sophisticated ransomware-as-a-service (RaaS) group active since September 2019. LockBit is known for its modular ransomware, whose payload stays encrypted until execution, and for encrypting victim files with a combination of RSA-2048 and AES-256. The group employs "double extortion" tactics, exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid.

LockBit's attack on ApexBrasil underscores the persistent threat posed by ransomware groups and highlights the critical need for advanced cybersecurity measures. The breach has compromised the organization's data and systems, adding ApexBrasil to LockBit's growing list of high-profile targets.

LockBit Ransomware Group

LockBit has become the most active ransomware group, responsible for over one-third of all ransomware attacks in the latter half of 2022 and the first quarter of 2023. The group distinguishes itself through its sophisticated encryption techniques and high ransom demands, typically ranging from several thousand to several hundred thousand dollars. LockBit exploits vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to spread quickly across a network.

Indicators of Compromise (IOCs) for LockBit include the creation of a mutual exclusion object (Mutex) when executed, the use of a unique icon, and changes to the victim's computer wallpaper. The ransomware accepts various command-line parameters to modify its behavior, such as spreading laterally via group policy or admin shares, rebooting into Safe Mode, and setting the wallpaper.

Potential Vulnerabilities

ApexBrasil's significant role in international trade and investment promotion makes it a prime target for ransomware groups like LockBit. The agency's extensive digital infrastructure, which supports over 15,000 companies, presents numerous potential entry points for cybercriminals. The attack on ApexBrasil highlights the importance of implementing advanced cybersecurity measures to protect against sophisticated ransomware threats.
