Chevrolet retailer in Brazil allegedly hit by cyberattack


A notorious ransomware gang claims to have stolen sensitive data, including passports and contracts, from one of Brazil’s biggest auto dealerships. They want $1 million to keep it quiet.

The Russia-linked ransomware gang dropped a note on its dark web leak site claiming to have stolen data from a renowned Brazilian auto dealership named Carrera. Publishing such a warning on dark web sites is a common tactic to pressure victims into paying a ransom.

Headquartered in São Paulo, the company specializes in the sale of new, semi-new, and used vehicles from various car brands such as Chevrolet, Volkswagen, and Nissan. It also provides financing simulations and offers services such as vehicle maintenance, accessories, and insurance.

“With just seven days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data. Open your wallets and be ready to buy exclusive data,” the gang wrote in typical fashion, giving the company time until June 1st to pay a huge ransom demand of around $1 million (10 BTC).

“We sell only to one hand, no reselling, you will be the only owner!” the note added.

Screenshot by Cybernews

What data has allegedly been stolen?

While the threat actors do not specify the scope of the breach, the post includes two images of stolen data, which seem to include copies of passports, IDs, possibly driver's licenses, and contracts.

A huge ransom demand usually means the gang knows it’s sitting on valuable data that hurts to lose and could hurt even more if leaked. If proven to be true, the ransomware attack could cost the company dearly.

“They’ll need to allocate additional resources to notify legal authorities about the breach, followed by contacting affected customers. Then, they could face fines of up to 2% of their revenue, which, in their case, could reach almost $3 million,” said Cybernews researchers.

It is likely that passport copies have been exfiltrated, which could lead to identity theft and fraud. Affected customers may also choose to sue the company for damages.

“Beyond financial penalties, the company is also likely to suffer reputational damage, which can result in lost customer trust, and it might impact business performance,” our researchers added.

Cybernews reached out to the company, but a response has yet to be received.

What is Rhysida ransomware?

The Rhysida group is known for double extortion tactics, meaning that hackers not only lock up data with ransomware, but also threaten to leak it unless the company pays.

The gang is known for going after “targets of opportunity” and has infiltrated various sectors, including education, healthcare, manufacturing, and local governments, according to an updated US Defense Department profile on the gang from last November.

According to Cybernews' dark web monitoring tool Ransomlooker, the gang has claimed more than 202 victims on its dark blog since its inception in May 2023.

Just this month, the gang claimed to have attacked Peru's government systems. The official government website handles the National Identification Registry, including passport, taxpayer, health insurance, police, labor, and more. The Peruvian government denied the ransomware attack.

Back in January, the Rhysida gang claimed it had cracked into the servers of Montreal-Nord, a borough in Quebec province, and slapped them with a $1 million ransom demand.

In the last quarter of 2024, Rhysida also made headlines targeting the Seattle-Tacoma International Airport with a 100 BTC ransom demand. The attack wrecked critical systems and triggered a multi-week outage that brought one of the West Coast’s busiest hubs to its knees. Airlines like Delta, Singapore, and Alaska were reportedly forced to go full analog and issue handwritten boarding passes.

Other previous alleged victims include the Washington Times, the UK’s National British Library, the Anne & Robert H. Lurie Children’s Hospital in Chicago, and the Prospect Medical Group network of US hospitals and healthcare facilities.

In 2024, a research team from the Korea Internet & Security Agency (KISA) was able to crack the gang’s encryption code and shared a free Rhysida Decryption Tool and manual on its website.