Brazil’s Superior Court of Justice was hit by a ransomware attack on Tuesday during judgment sessions; the attack forced a temporary shutdown of the court’s information technology network.
“The Superior Court of Justice (STJ) announces that the court’s information technology network suffered a hacker attack, this Tuesday (3), during the afternoon, when the six group classes’ judgment sessions were taking place. The presidency of the court has already called the Federal Police to investigate the cyber attack.” announced STJ President Humberto Martins in an official statement on the Supreme Federal Court’s website.
The attack was discovered on November 3 and the IT staff shut down the court’s network to prevent the malware from spreading.
According to the announcement, the institution is going to restore its systems and court activities are expected to resume on November 9.
All judgment sessions, both virtual and by video conference, will be either suspended or canceled until the security of the court’s network is restored, likely on November 9.
As a result of the attack, the websites of several Brazilian federal government agencies are also currently offline.
According to local media, Brazilian president Jair Bolsonaro announced that the authorities have identified the threat actors behind the attack.
Two days after the ransomware attack took place, the Superior Court of Justice systems are still offline.
Brazilian media outlet CISO Advisor claims it has viewed an internal report on the security breach that suggests the threat actor was a financially motivated cybercrime organization.
“An audio report by an IT official at the agency, to which the CISO Advisor had access, indicates that more than 1,200 servers, mostly virtual machines, have been encrypted. At this time, the STJ website remains down. Our report tried to contact the agency’s press office, but the contact information has even disappeared from Google’s cache.” reads the CISO Advisor.
“The report obtained by CISO Advisor says that the attack “was a planned coup; it is believed that it was something orchestrated and ordered perhaps even by some criminal organization such as PCC, Comando Vermelho or Família do Norte, together with international gangs that make cyber attacks, and receive for that and that may have used outsourced servers.””
The hackers infected thousands of systems, most of them virtual machines that were encrypted and deleted.
One of the technicians at the court confirmed that the attackers took over a Domain Admin account.
“It was basically a ransomware attack. A Domain Admin account was exploited which allowed the hacker to have access to our servers, to join the administration groups of the virtual environment and, finally, encrypt a good part of our virtual machines.”
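As an added illustration of the pattern the technician describes (not code from the article, STJ or CISO Advisor): a small Python check over constructed Windows Security group-membership events that flags additions to privileged groups and any single account that adds members to several of them in one window, the sequence of a domain admin takeover followed by joining the virtualization platform’s admin groups. The group name “vSphere Admins” and all sample events are assumptions.

```python
from collections import defaultdict

# Windows Security event IDs for "member added to a security-enabled group":
# 4728 = global group, 4732 = local group, 4756 = universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Assumed privileged groups. "vSphere Admins" is a hypothetical delegated
# group for the virtualization platform, standing in for the "administration
# groups of the virtual environment" mentioned in the article.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Administrators", "vSphere Admins"}

# Constructed sample events (not real STJ logs).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Subject": "CORP\\svc-backup", "Target": "", "Group": ""},
    {"EventID": 4728, "Subject": "CORP\\jdoe-da", "Target": "CORP\\tmp-adm1",
     "Group": "Domain Admins"},
    {"EventID": 4732, "Subject": "CORP\\jdoe-da", "Target": "CORP\\tmp-adm1",
     "Group": "vSphere Admins"},
    {"EventID": 4728, "Subject": "CORP\\helpdesk", "Target": "CORP\\newhire",
     "Group": "Helpdesk Staff"},
    {"EventID": 4756, "Subject": "CORP\\jdoe-da", "Target": "CORP\\tmp-adm2",
     "Group": "Enterprise Admins"},
]


def privileged_group_additions(events):
    """Return (subject, target, group) for every addition to a privileged group."""
    hits = []
    for e in events:
        if e["EventID"] in GROUP_ADD_EVENTS and e["Group"] in PRIVILEGED_GROUPS:
            hits.append((e["Subject"], e["Target"], e["Group"]))
    return hits


def escalating_subjects(events, threshold=2):
    """Map each subject that added members to at least `threshold` distinct
    privileged groups to the sorted list of those groups. One admin account
    touching both domain and virtualization admin groups is the signal here."""
    groups_by_subject = defaultdict(set)
    for subject, _target, group in privileged_group_additions(events):
        groups_by_subject[subject].add(group)
    return {s: sorted(g) for s, g in groups_by_subject.items() if len(g) >= threshold}


if __name__ == "__main__":
    for subject, groups in escalating_subjects(SAMPLE_EVENTS).items():
        print(f"ALERT: {subject} added members to {', '.join(groups)}")
```

On real logs the subject, target and group fields map to SubjectUserName, MemberName and TargetUserName of the 4728/4732/4756 events; the helpdesk addition is deliberately left unflagged to show the filter.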
The court’s IT department informed judges, interns, and outsourced workers that they cannot use their computers if those were connected to the court’s network at the time of the attack.
“According to the resolution, administrative, civil and criminal procedural deadlines are suspended from the 3rd to the 9th of November (inclusive), returning to flow on the 10th,” reads a statement on the court’s website.
“For the purpose of counting the term in criminal proceedings, the suspension period will be considered a reason of force majeure, according to the provision of paragraph 4 of article 798 of the Code of Criminal Procedure (CPP). Also according to the resolution, the measures can be reviewed at any time, depending on the result of efforts to normalize the systems.”
Bleeping Computer, after receiving a copy of the ransom note that was found on the STJ’s systems, confirmed that the court was a victim of an attack launched by the RansomExx ransomware gang.
RansomEXX is human-operated ransomware, meaning that the attackers manually deployed it on the systems after gaining access to the target network.
In June 2020, the same ransomware was employed in an attack on the Texas Department of Transportation; in August it infected systems at the multinational technology company Konica Minolta; in September it infected the systems of the high-performance laser developer IPG Photonics and of the software provider Tyler Technologies.
(SecurityAffairs – hacking, ransomware)