# Brazil's court system under massive RansomExx ransomware attack

**[bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/](https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/)**

By [Sergiu Gatlan](https://www.bleepingcomputer.com/author/sergiu-gatlan/)

November 5, 2020 04:09 PM

Brazil's Superior Court of Justice was hit by a ransomware attack on Tuesday during judgment sessions that were taking place over video conference.

"The Superior Court of Justice (STJ) announces that the court's information technology network suffered a hacker attack on Tuesday (3), during the afternoon, when the six group classes' judgment sessions took place," STJ President Humberto Martins said in an [official statement](http://www.stf.jus.br/portal/cms/verNoticiaDetalhe.asp?idConteudo=454634) on the Supreme Federal Court's website.

"The Secretariat for Information and Communication Technology (STI) is working on systems recovery to restore all court services as quickly as possible."

However, it is not yet known if they were attacked by the same threat actors or if they are hosted on the same site as the courts.

## Systems offline two days later

The systems of the Superior Tribunal de Justiça (aka STJ) were shut down to stop the spread throughout the court's network, but not before all case files and backups were encrypted, according to STJ IT specialists.

Two days after the ransomware attack took place, the Superior Court of Justice website and systems are still offline until all systems are fully restored.

"A Domain Admin account was exploited which allowed the hacker to have access to our servers, to enter into administration groups of the virtual environment and, finally, encrypt a good part of our virtual machines," as one of the IT technicians [told O Bastidor](https://obastidor.com.br/justica/hacker-usou-tecnica-simples-para-invadir-stj-21).

STJ "will operate on duty until next Monday," November 9, and all judgment sessions, virtual and/or by video conference, will be either suspended or canceled until the court network's security is restored.

The court's IT department also advised all users, including judges, interns, and outsourced workers, not to use any computers (personal ones included) if they were or are still connected to the court's network.

If you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Signal at +16469613731 or on Wire at @lawrenceabrams-bc.

"According to the resolution, administrative, civil and criminal procedural deadlines are suspended from the 3rd to the 9th of November (inclusive), returning to flow on the 10th," a statement on the court's website [said](https://webcache.googleusercontent.com/search?q=cache:0tFtGP0-fA8J:https://www.stj.jus.br/+&cd=1&hl=en&ct=clnk&gl=ro).

"For the purpose of counting the term in criminal proceedings, the suspension period will be considered a reason of force majeure, according to the provision of paragraph 4 of article 798 of the Code of Criminal Procedure (CPP). Also according to the resolution, the measures can be reviewed at any time, depending on the result of efforts to normalize the systems."

## RansomExx behind the attack

While the official STJ statements do not mention the ransomware gang responsible for this attack, a ransom note recovered from one of the encrypted computers shows that the RansomExx gang was behind it.
_[Image: STJ ransom note]_

RansomExx sent BleepingComputer the following message when contacted for more details regarding the attack:

```
Hello,
Ignore this message if you aren't officially represent whole affected company.
Send us any encrypted file (not greater than 1MB) for test decryption. Then we will send you detailed instructions.
This step is necessary because we don't share such information for anyone except authorized persons.
Speak english.
```

According to an anonymous source, Pernambuco State Court of Justice (Tribunal de Justiça do Estado de Pernambuco — TJPE) systems were also hit by RansomExx on October 27, with their files being encrypted using the .tjpe911 extension.

[RansomExx](https://www.bleepingcomputer.com/tag/ransomexx/) is a rebranded Defray777 ransomware version that became a lot more active during June 2020 and is known for attacking high-profile organizations.

The [Texas Department of Transportation (TxDOT)](https://www.bleepingcomputer.com/news/security/ransomware-attack-impacts-texas-department-of-transportation/), [Konica Minolta](https://www.bleepingcomputer.com/news/security/business-technology-giant-konica-minolta-hit-by-new-ransomware/), [IPG Photonics](https://www.bleepingcomputer.com/news/security/leading-us-laser-developer-ipg-photonics-hit-with-ransomware/), and [Tyler Technologies](https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/) are among the gang's previous victims.

During their attacks, RansomExx's operators compromise the victims' networks and steal unencrypted sensitive documents while spreading laterally to other systems.

Once the RansomExx operators successfully compromise the victims' Windows domain controller, they deploy the ransomware payloads on all available network devices.
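The technician's account above describes a Domain Admin account being used to enter the administration groups of the virtual environment. As an added example (not from the article, STJ or BleepingComputer), this sketch flags that kind of group change in exported Windows Security events. The group names, SIDs and sample records are constructed assumptions; event IDs 4720, 4728, 4732 and 4756 are the standard Windows account-created and member-added events.

```python
import json
from datetime import datetime, timedelta

# Windows Security event IDs: member added to a security-enabled global (4728),
# local (4732) or universal (4756) group; 4720 = user account created.
MEMBER_ADDED = {4728, 4732, 4756}
ACCOUNT_CREATED = 4720
# Assumption: placeholder names for groups that administer the virtual environment.
WATCHED_GROUPS = {"virt-admins-example", "domain admins"}
FRESH_ACCOUNT = timedelta(hours=24)

# Constructed sample records (not from the incident), one JSON object per line.
SAMPLE_EVENTS = """
{"EventID": 4720, "TimeCreated": "2020-01-01T10:00:00", "SubjectUserSid": "S-1-5-21-1-2-3-500", "TargetSid": "S-1-5-21-1-2-3-2001"}
{"EventID": 4728, "TimeCreated": "2020-01-01T10:05:00", "SubjectUserSid": "S-1-5-21-1-2-3-500", "MemberSid": "S-1-5-21-1-2-3-2001", "TargetUserName": "Virt-Admins-EXAMPLE"}
{"EventID": 4732, "TimeCreated": "2020-01-01T11:00:00", "SubjectUserSid": "S-1-5-21-1-2-3-1105", "MemberSid": "S-1-5-21-1-2-3-1105", "TargetUserName": "Virt-Admins-EXAMPLE"}
{"EventID": 4728, "TimeCreated": "2020-01-01T12:00:00", "SubjectUserSid": "S-1-5-21-1-2-3-1105", "MemberSid": "S-1-5-21-1-2-3-1200", "TargetUserName": "Helpdesk-EXAMPLE"}
{"EventID": 4756, "TimeCreated": "2020-01-03T13:00:00", "SubjectUserSid": "S-1-5-21-1-2-3-500", "MemberSid": "S-1-5-21-1-2-3-1300", "TargetUserName": "Domain Admins"}
"""

def find_risky_group_changes(text):
    """Return one alert per member-added event that touches a watched group."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["TimeCreated"])  # ISO timestamps sort lexically
    created, alerts = {}, []
    for ev in events:
        when = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == ACCOUNT_CREATED:
            created[ev["TargetSid"]] = when  # remember when each account appeared
            continue
        if ev["EventID"] not in MEMBER_ADDED:
            continue
        if ev["TargetUserName"].lower() not in WATCHED_GROUPS:
            continue
        reasons = []
        if ev["SubjectUserSid"] == ev["MemberSid"]:
            reasons.append("self-add")  # actor granted itself the membership
        born = created.get(ev["MemberSid"])
        if born is not None and when - born <= FRESH_ACCOUNT:
            reasons.append("new-account")  # member was created shortly before
        alerts.append({"time": ev["TimeCreated"], "group": ev["TargetUserName"],
                       "member": ev["MemberSid"], "actor": ev["SubjectUserSid"],
                       "severity": "high" if reasons else "review",
                       "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_risky_group_changes(SAMPLE_EVENTS):
        print(alert)
```

Every change to a watched group is reported; the self-add and new-account checks only raise the severity, so a routine addition still reaches a reviewer.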
_This is a developing story ..._

_H/T Altieres_

### Comments

[TinhoLZNSP - 1 year ago](https://www.bleepingcomputer.com/forums/u/1182444/tinholznsp/)

I am Brazilian and I heard in the news that the Supreme Court was about hacker attacks, but it was reported very sparingly, now reading on BleepingComputer I saw that the thing is serious.