Ransomware · Resolved

Brazil Superior Court (STJ) RansomExx attack

The RansomExx gang encrypted more than 1,000 servers at Brazil's Superior Tribunal de Justiça, paralysing the country's second-highest court for over a week in the most severe cyberattack ever against a Brazilian public institution.

Victim
Superior Tribunal de Justiça (STJ)

On 3 November 2020, during live judgment sessions, the Superior Tribunal de Justiça (STJ) — Brazil's highest court for non-constitutional federal matters — was hit by the RansomExx ransomware in what officials called the most severe cyberattack ever carried out against a Brazilian public institution.

What happened

The ransomware detonated mid-afternoon. To stop the encryption from spreading across the network, the court's IT team shut down every system, including email and telephony. According to an STJ technician, the attackers had compromised a Domain Admin account, which let them reach the administration groups of the court's virtualised environment and encrypt more than 1,000 virtual machines — the bulk of the court's infrastructure — along with reachable backups.

RansomExx (also tracked as Defray777) left a ransom note inviting the victim to send an encrypted file for "test decryption" before receiving instructions. The court did not disclose any ransom demand amount and there is no public evidence that a ransom was paid.

Impact

  • The STJ was effectively paralysed for over a week. Judicial deadlines and sessions were suspended, and the electronic case-management portal — through which Brazilian litigation flows — was unavailable.
  • More than 1,200 servers, mostly virtual machines, were affected.
  • The incident disrupted the work of thousands of judges, clerks and lawyers nationwide and froze a large volume of pending cases.

Response

Recovery was led by the STJ's IT department with assistance from the Federal Police, the Brazilian Army's cyber-intelligence unit, and Microsoft. Critically, the court was able to restore case files and systems from backups, and on 19 November the STJ president confirmed that no case data had been permanently lost. The Supreme Federal Court (STF) ordered the creation of a committee to harden the wider judiciary against future attacks.

Why it matters

The STJ attack was a watershed for the Brazilian public sector. It demonstrated how a single over-privileged administrator account can hand an entire virtualised data centre to a ransomware crew, and how dependent a modern judiciary has become on uninterrupted IT. It accelerated investment in segmented administration, managed privileged access, and resilient offline backups across Brazil's federal institutions, and remains the reference case in national discussions of critical-infrastructure cyber-resilience.

Timeline

  1. RansomExx ransomware detonates mid-afternoon during judgment sessions; the STJ shuts down systems to contain the spread.

  2. Attackers leverage a compromised Domain Admin account to reach the virtual infrastructure and encrypt the bulk of the court's virtual machines.

  3. The STJ suspends judicial deadlines and sessions; email, telephony and case-management systems remain offline.

  4. Recovery work continues with help from the Federal Police, the Army's intelligence sector and Microsoft; backups are restored.

  5. The STJ begins bringing core systems and the electronic case portal back online.

  6. STJ president confirms data was recovered from backups and no case files were permanently lost.

Sources

  1. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/
  2. theregister.com: https://www.theregister.com/2020/11/06/brazil_court_ransomware/
  3. stj.jus.br: https://www.stj.jus.br/sites/portalp/Paginas/Comunicacao/Noticias/19112020-Comunicado-da-Presidencia-do-STJ.aspx
  4. pt.wikipedia.org: https://pt.wikipedia.org/wiki/Ataque_cibern%C3%A9tico_ao_Superior_Tribunal_de_Justi%C3%A7a
