The day ransomware nearly stole thousands of young people’s data in São Paulo

They help young people overcome a criminal past, but São Paulo’s 121 youth justice centers, Fundação CASA, must also battle cybercrime.

There’s an awesome purpose behind São Paulo, Brazil’s 121 youth justice centers, Fundação CASA: Every day, they work with teenagers who have committed offenses and been given a court-ordered chance to learn to change their ways.

But with 5,000 teenagers accessing a network of some 10,000 devices, Fundação CASA’s information security and cybernetics team must manage a tinderbox of cybersecurity risk daily.

24 hours to escape a ransomware attack is the latest film in Tomorrow Unlocked’s hacker:HUNTER Behind the Screens series. Fundação CASA’s cybercrime fighters tell how they foiled a ransomware attack in a day, successfully safeguarding their young clients’ personal data. There’s much any organization or business can learn from their winning formula.

Young people sentenced to learning

When young people commit a criminal offense in São Paulo, the courts may sentence them to rehabilitation through learning how to escape criminal behavior patterns. That’s where Fundação CASA comes in: They deliver that education on behalf of the Department of Justice and Citizenship.

Meanwhile, the private data of the 5,000 teens who attend one of Fundação CASA’s 121 centers must be kept secure.

Julio Signorini has worked for Fundação CASA for over 20 years. He says, “As they’re taught by the state, the teens’ data comes under the Child and Adolescent Statute (ECA). There’s always a risk their data may be leaked.”

What is ransomware?

There are many ways the young people’s data could be leaked, including deliberate cyberattacks. Julio says, “A constant threat for us is ransomware: Malicious software that encrypts your data and demands you pay to recover it.”

To spread ransomware, attackers use social engineering to find users’ vulnerabilities.

Something familiar – like an email from a contact in their contact list or advertisements – persuades that person to click a link, downloading malware to their device.

Then the malware can spread across the network, eventually encrypting files and demanding a ransom.

Ransomware is a growing threat. Kaspersky software detected over 21,000 ransomware strains and saw ransomware attacks, as a proportion of total attacks, rise 63 percent between 2021 and 2022.

Rapid response foils attack

Julio explains how Fundação CASA’s most recent ransomware incident began. “A young person brought in a compromised USB flash drive from home.”

Alex Christy Rogatti, Fundação CASA’s Head of Security, remembers the day well. “It was a tense time because it was our first experience with ransomware, but we addressed it in one day.”

Julio says their fast response started with their young client’s good decision to report something unusual. “The young person noticed his device behaving strangely and contacted our service desk, who quickly escalated the case to our information security and cybernetics team.”

Alex explains what happened next: “We isolated the infected device and recovered encrypted data on that device and our network. We isolated the malware so it couldn’t spread further.”

Should you pay the ransom?

Not every organization responds as fast and effectively as Fundação CASA. Proving there’s no low cybercriminals won’t sink to, 2023 saw some particularly vicious ransomware attacks, like a ransomware gang breaching Lehigh Valley Health Network in Pennsylvania, US, then leaking stolen photos and personal details of breast cancer patients.

It’s the severity of cases like these that tempts some victims of ransomware to pay their captors. Fundação CASA’s Chief Information Security Officer (CISO) Odenilson Dos Santos Bonfim says, “Paying the ransom should be the last option. First, there’s no guarantee they’ll let you unencrypt your data when you pay. Second, paying the ransom encourages more ransomware. Third, you’d share financial information they may use in a scam or financial crime in future.”

To help ransomware victims and deter these kinds of attacks, Kaspersky is a founding partner of the No More Ransom initiative. It offers free ransomware decryption tools and advice on how to prevent and deal with ransomware attacks.

Reducing business vulnerability to ransomware

Odenilson thinks there’s much businesses can do to prevent more cyberattacks of all kinds.

Cybercriminals often exploit system vulnerabilities, like outdated systems. They also use malicious websites to inject corrupt information or files giving access to the user’s machine.

Odenilson Dos Santos Bonfim, Chief Information Security Officer (CISO), Fundação CASA

“We maintain an always up-to-date environment, with effective solutions for monitoring data and preventing any type of attack.”

That a user first raised the alarm about this attack shows the importance of a cyber-aware organizational culture. Odenilson says, “It’s fundamental to encourage awareness, good market practices and publicize information security and cybersecurity information to your whole team and organization.”

How the ransomware attack on Fundação CASA was stopped echoes the importance of their work showing young people alternatives to a life of crime. By doing the right thing thanks to knowing what to do, one young person kickstarted the process that safeguarded their peers’ precious personal data. The quick thinking and coordinated action of the service desk and information security and cybernetics teams shows how strong relationships make strong cybersecurity.

About authors

Suraya Casey is a freelance writer, editor and content strategist based in New Zealand. Her interests include cybersecurity, technology, climate, transport, healthcare and accessibility.