Ransomware attack shutters Brazilian courts. But did attackers breach the virtual machine divide?

Six-day outage predicted as rebuild commences from untouched backups


Brazil’s Superior Tribunal de Justiça has temporarily shut down after a suspected ransomware attack.

The Tribunal (STJ) is second-highest of Brazil’s courts and is the highest court that decides on federal matters other than constitutional law. At the time of writing, the court’s website consists of nothing but a series of updates on the attack. Those notifications state that a virus attack was detected on November 3, when court networks were shut down as a precaution.

The most recent update says data scrambled by the ransomware related to legal proceedings, email, and administrative contracts. The statement says the data has been backed up and that work to restore systems is under way, with court business to resume on Monday November 9. Which will be more than welcome because hundreds of cases have been suspended due to the incident.

Guy pwning scrubs in video game on PC

Global heatmap of cheater density says Brazil is the worst at video games, but there's no data on China

READ MORE

Local media report Brazilian president Jair Bolsonaro saying the authorities have identified the culprits.

Brazilian tech news outlet CISO Advisor claims it has viewed an internal report on the incident that suggests it was a deliberate action by organised crime figures, possibly a collaboration between local and offshore players.

The outlet also says that virtual machines were encrypted and deleted, which is explosive as reaching guest VMs suggests a possible compromise of hypervisor security. And hypervisors' big selling point is that they completely isolate guests. An attack that encrypts guests would, theoretically, need to pick them off one by one.

The Register is aware of a similar-sounding case discussed in an October Reddit post alleging that ransomware reached shared storage that holds virtual machine files managed by VMware ESXi. We consulted VMware experts who cast doubt on that scenario as a viable ransomware vector. ®

Speaking of ransomware... Capcom was also hit by a data-encrypting nasty this week called Ragnar Locker, with the ransomware's extortionists apparently demanding millions of dollars for a key to restore the files and to not leak any exfiltrated info.


Biting the hand that feeds IT © 1998–2020