
Cybercriminal groups are highly likely to target state institutions in the Americas (excluding the US and Canada) with ransomware in 2024

This assessment was issued to clients of Dragonfly’s Security Intelligence & Analysis Service (SIAS) on 10 January 2023.

  • There have been several disruptive ransomware attacks against such institutions in the region in recent years
  • Criminal groups will very probably continue to opportunistically target commercial sectors there, especially retail, finance and manufacturing

Cybercriminal groups are highly likely to pose a disruptive threat to government and commercial entities in the Americas (excluding the US and Canada) in 2024. In the last year, there have been several high-profile cyber incidents disrupting government networks and services in the region. While ransomware is a pressing threat globally, governments in these regions in particular have struggled to mitigate the effects of such attacks. This will probably be a consistent trend in the coming years as weak cybersecurity measures in the region continue to lag behind the ransomware threat.

Governments seen as vulnerable targets

Ransomware groups appear to view governments in Latin America and the Caribbean as both vulnerable and attractive targets. Such groups are largely opportunistic but also appear to prioritise entities, such as government agencies, that they view as more willing to pay ransoms to restore encrypted data and systems. Governments in the Caribbean in particular have been frequently targeted by criminal ransomware groups in recent months. And there have been at least six such incidents affecting government services in 2023. These include:

  • A ransomware attack on Trinidad and Tobago’s National Insurance Board, which said that an unconfirmed group targeted it on 26 December, prompting it to close its offices for several days
  • A ransomware attack, seemingly by the RansomHouse group, on a US technology provider in September affected Colombian state institutions which used the US firm’s technology for some services. A senior government official described it as ‘the largest [cyberattack] in Colombia in recent years’
  • Also in September, a suspected ransomware group targeted multiple government services in Bermuda and another unconfirmed country, reportedly disrupting some state services for several weeks

Regional governments have also increasingly considered criminal ransomware groups as a pressing threat to national security in recent years. This is not only due to the consequences of such attacks on the functioning of state institutions, but also the knock-on risks. In Costa Rica, two ransomware attacks on government agencies in 2022 paralysed IT systems and prompted the government to declare an ongoing state of emergency. It reportedly was unable to pay tens of thousands of public employees, prompting some workers to call for protests outside the Presidential Palace in San Jose.

Based on past incidents in the region, successful ransomware attacks on government agencies would be likely to disrupt public services in the coming year. These incidents suggest this would include delays in appointments or processing of documents. But the disruption of key financial or tax services would probably also affect trade, as it did in Costa Rica in 2022.

Latin American firms a focus for some ransomware groups

Although cybercriminal groups target companies globally, they have opportunistically hit those in the Americas. And some sectors appear either more vulnerable or attractive to ransomware groups. The majority of reported ransomware attacks in the region have targeted the retail, financial and manufacturing sectors in recent years, according to IBM’s annual Threat Intelligence Index reports. It said that retail and wholesale accounted for 28% of cases in 2022. Companies in the region (but more commonly in the US and Europe) have also been affected by cybercriminal attacks exploiting high-profile software vulnerabilities, as was the case in 2023.

Some groups still seem to focus on firms in the Americas. Cyber industry outlets have recently reported that the Paraguayan military issued a now-deleted alert to companies of ransomware attacks by the BlackHunt group, following an attack this month against a major internet service provider there that had a ‘direct impact on more than 300 companies’. BlackHunt attackers have reportedly often targeted companies in South America. Based on data from multiple cybersecurity firms, organisations in Brazil, Mexico and Colombia are among the most frequently targeted by ransomware in the Americas, not including the US and Canada.

Ideologically motivated groups still a threat

Governments and extractive firms in the Americas are also very likely to be attractive targets for ideologically motivated groups, mainly environmental hacktivists, in 2024. One such group, ‘Guacamaya’, conducted hack-and-leak campaigns against state institutions and extractive firms including in Colombia, Peru and Mexico in 2022. And hacktivist groups ‘SiegedSec’ and ‘GhostSec’ claimed to have leaked Colombian military data last year, seemingly in response to what they alleged to be government corruption. Hacktivists are likely to conduct similar data-compromising operations in 2024, given ongoing extraction activities in several countries in the region.

Governments lack resilience

Many governments will seem to lack the ability to mitigate, and respond to, ransomware attacks. The region has the weakest cybersecurity measures globally, according to the Global Cybersecurity Index 2020; cybersecurity does not appear to be a priority for many governments there. Despite attempts by several governments to improve their preparedness, notably Colombia and Costa Rica, progress will probably be slow and trail behind the ransomware threat in the coming years. Many countries’ national infrastructure and organisations also appear to rely on outdated and legacy systems.

Image: An official from the Costa Rican Social Security Fund (CCSS) works without her computer following a cyber attack against the entity, in San Jose, on 31 May 2022. Photo by Ezequiel BECERRA / AFP via Getty Images.