Ransomware Gang Warns of Data Leak Impacting Paraguayan Citizens


Cyber Extortion Group Holds Personal Data of 7.2 Million Paraguayans for Ransom

The government building in Asunción, Paraguay. (Image: FranckV/Shutterstock)

A data-leak extortion group calling itself Brigada Cyber PMC is demanding $7.4 million from Paraguay's government, a figure it frames as roughly $1 for every citizen in the country.

The group announced on its dark web leak site that it had obtained data on 7.2 million Paraguayan nationals from multiple government systems, including a civil registry that tracks registered voters. It set a June 13 deadline and threatened to publish the data if the ransom is not paid by then.

On June 8 the group's dark web site stopped serving its leak page and instead returned the default "Welcome to nginx!" placeholder, which means the web server itself is running but the site content behind it is missing or misconfigured; whether the operators took the site down themselves is unclear. The identity and affiliations of Brigada Cyber PMC remain unknown, including whether it is backed by a foreign state or tied to other criminal networks.

According to an analysis by cybersecurity firm Resecurity, the first sign of the breach appeared on May 28, when an actor using the handle "Gatito_FBI_Nz" offered for sale two SQL databases totaling roughly 1.2 gigabytes. The listing was advertised as "7.4 Million Citizens of Paraguay – Leak 2025" and came with a sample of about 940,000 records. The actor's prior listings and choice of monikers point to a focus on South American targets, consistent with a broader pattern of regional cybercrime.

The breached agency, which oversees transit and road safety, took its systems offline shortly after the incident was reported and restored them the next day. Initial findings indicate the exposed records contain names, genders, nationalities, professions, national identification numbers, dates of birth and marital status. That combination of fields is sufficient for identity fraud, and unlike a password, a national ID number or date of birth cannot be reset after exposure.
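When a seller posts a sample like the 940,000-record one described above, the first job for the affected agency's incident responders is to decide whether the sample is genuine, how much of it is actually their data, and whether it has been padded with duplicates to inflate the headline count. The following is an added, illustrative example of that triage step; it is not code from the article, from Resecurity, or from any Paraguayan agency. All records, the column names, the registry contents and the secret pepper are constructed for the example. The comparison uses keyed hashes (HMAC-SHA256) of the ID number so the defender's raw registry never has to be exported to the machine that handles the untrusted sample.

```python
import csv
import hashlib
import hmac
import io
from collections import Counter

# Constructed sample in the shape of a seller's "proof" dump. The records are
# fictional; only the field categories mirror those reported for the real leak.
# The repeated row stands in for padding a seller might use to inflate counts.
LEAK_SAMPLE = """\
nombre,genero,nacionalidad,profesion,cedula,fecha_nacimiento,estado_civil
Juan Perez,M,PY,docente,1234567,1985-03-02,casado
Maria Gomez,F,PY,abogada,2345678,1990-11-15,soltera
Carlos Lopez,M,PY,chofer,3456789,1978-07-21,casado
Carlos Lopez,M,PY,chofer,3456789,1978-07-21,casado
Ana Ruiz,F,AR,ingeniera,9999999,1995-01-01,soltera
"""

# Constructed stand-in for the ID numbers held in the defender's own registry.
# In practice the hash set is computed inside the database so raw PII never leaves it.
INTERNAL_REGISTRY_IDS = ["1234567", "2345678", "3456789", "4567890", "5678901"]

# Assumed per-investigation secret. A keyed hash rather than a plain SHA-256 means
# hashes shared with analysts cannot be brute-forced back to 7-digit ID numbers.
PEPPER = b"rotate-this-per-investigation"

# Field categories the article reports as exposed (assumed column names).
REPORTED_FIELDS = {"nombre", "genero", "nacionalidad", "profesion",
                   "cedula", "fecha_nacimiento", "estado_civil"}


def keyed_id_hash(cedula: str, pepper: bytes = PEPPER) -> str:
    """HMAC-SHA256 of a whitespace-normalised national ID number."""
    return hmac.new(pepper, cedula.strip().encode(), hashlib.sha256).hexdigest()


def parse_sample(text: str):
    """Parse the seller's CSV into rows plus the column names it actually carries."""
    reader = csv.DictReader(io.StringIO(text))
    rows = list(reader)
    return rows, list(reader.fieldnames or [])


def triage_sample(sample_text: str, registry_ids, pepper: bytes = PEPPER) -> dict:
    """Score an extortion sample: is it ours, how much of it, and is it padded?"""
    rows, fields = parse_sample(sample_text)
    known = {keyed_id_hash(i, pepper) for i in registry_ids}

    id_counts = Counter(r["cedula"].strip() for r in rows)
    unique_ids = list(id_counts)
    duplicate_rows = sum(c - 1 for c in id_counts.values())

    matched = [i for i in unique_ids if keyed_id_hash(i, pepper) in known]
    match_rate = len(matched) / len(unique_ids) if unique_ids else 0.0

    return {
        "records": len(rows),
        "unique_ids": len(unique_ids),
        "duplicate_rows": duplicate_rows,
        "matched_ids": len(matched),
        "match_rate": round(match_rate, 3),
        "reported_fields_present": sorted(REPORTED_FIELDS & set(fields)),
        "unexpected_fields": sorted(set(fields) - REPORTED_FIELDS),
        # Credible if most unique IDs are ours and the sample is not mostly padding.
        # Notification scope should then be derived from the matched IDs, not from
        # the seller's headline figure.
        "credible": match_rate >= 0.5 and duplicate_rows < len(rows) / 2,
    }


if __name__ == "__main__":
    for key, value in triage_sample(LEAK_SAMPLE, INTERNAL_REGISTRY_IDS).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports five rows, four unique IDs, one duplicate row, three IDs matching the registry (a 75% match rate) and no columns beyond the reported categories, so the claim is treated as credible. Two design points matter in practice: the pepper is scoped to one investigation so hashes shared with outside analysts cannot be replayed against a later leak, and the match rate is computed over unique IDs rather than rows so padding cannot inflate it.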

On May 31 a second actor, "el_farado", separately advertised what was described as a comprehensive database of Paraguayan citizens, also allegedly taken from government systems. Two independent sellers surfacing within days suggests Paraguayan government networks are being targeted repeatedly rather than in a single intrusion. Earlier incidents, including a similar breach two years prior, raise questions about the controls protecting citizen data.

These events sit within a broader escalation of cyber threats against Paraguay. In November 2024 a joint review by Paraguay's Ministry of Information and Communication Technologies and the U.S. Embassy found intrusions attributed to Flax Typhoon, a state-sponsored hacking group. No compromised organizations were named, but the finding points to sustained adversary interest in the country's critical infrastructure.

In MITRE ATT&CK terms, the details published so far are consistent with several possibilities, none of which has been confirmed. Initial access to a government web application could have come through exploitation of a public-facing application (T1190) or through valid accounts obtained elsewhere (T1078); credential dumping (T1003) is a credential-access technique that follows initial access rather than providing it. Persistence typically takes the form of web shells or other backdoors, and privilege escalation on the application or database host would explain how entire SQL databases, rather than individual records, were read and then exfiltrated, most plausibly over a web service or the attackers' own channel (T1567, T1041). For defenders the practical lesson is less about any one technique than about the controls whose absence lets a bulk export of a citizen registry go unnoticed: database activity monitoring, rate limits on record retrieval, and alerting on unusually large outbound transfers.
