Who’s Afraid of Ransomware?
Posted on May 28, 2025

In November 2020, the Superior Court of Justice (STJ) in Brazil suffered a cyberattack that encrypted its case files and brought its operations to a halt. In 2021, similar attacks hit the Federal Regional Court of the 3rd Region (TRF-3), the Rio Grande do Sul State Court (TJRS) and the Ministry of Health, taking down critical systems such as the courts' electronic filing platforms and the Ministry's ConecteSUS, and disrupting the services each institution provides.
Though carried out in different ways, these attacks shared a common element: ransomware, a type of malicious software (malware) that criminals deploy after gaining a foothold on a target, typically through vulnerabilities in devices, servers or networks, phishing, or stolen credentials. The goal is usually to partially or completely disable the system, and often also to exfiltrate confidential or personal data. The attackers then demand a ransom, usually in cryptocurrency, in exchange for restoring access and/or refraining from publishing the stolen data.
While public institutions are frequent targets, private companies, financial institutions, hospitals, universities, essential service providers, and even individual users also face significant daily risks, given the sensitive nature of the data they handle: banking records, medical information, intellectual property, personal data and more.
Despite advances in cybersecurity in recent years, Brazil’s digital infrastructure still shows vulnerabilities in the face of the rapidly evolving landscape of ransomware attacks.
In addition to the classic forms of ransomware, crypto-ransomware (which encrypts files and demands payment for the decryption key) and locker ransomware (which blocks the device or system without encrypting anything and demands payment to restore access)(1), more sophisticated tactics have emerged. Double extortion combines encryption with the threat of publishing or selling exfiltrated data if the ransom is not paid; triple extortion extends the pressure beyond the victim to its clients, partners or users, to raise the odds that someone pays.
Another alarming development is the rise of the Ransomware-as-a-Service (RaaS) model, in which developers lease ready-to-use tooling and infrastructure to affiliates, including those with little technical skill, greatly broadening the reach and frequency of attacks(2).
These approaches increase pressure on victims and amplify the economic impact of attacks, solidifying ransomware as one of the most serious cyber-threats and a significant challenge for authorities and criminal law(3).
Legally, unauthorized access to computer systems with the intent to obtain, alter, or destroy data ─ whether or not malware is used ─ may constitute the crime of unlawful access to an information device under Article 154-A of the Brazilian Penal Code. Paragraph 1 of the same article also covers actions by those who develop or disseminate malware, thus encompassing the RaaS model.
However, ransomware goes beyond simple unauthorized access: it subjects victims to the fear of permanently losing their systems and data and to the threat of public exposure, coercing them into paying a ransom for the "release" of their data.
In this context, ransomware maps closely onto the crime of extortion (Article 158 of the Penal Code), a complex offense that protects several legal interests at once: it involves unlawful access (absorbing the offense in Article 154-A), harms the victim's property (undue financial gain) and attacks their physical integrity (through psychological violence) or individual freedom (through serious threats).
Criminal law doctrine acknowledges that even in the absence of physical violence, the psychological coercion resulting from the threat to disclose sensitive data or interrupt access to essential information constitutes a form of duress sufficient to characterize extortion.
Moreover, additional layers of illegality may be added to the initial conduct, especially when the intended gain is not financial. This opens the door to other criminal offenses such as unlawful coercion (Article 146 of the Penal Code) or even rape (Article 213 of the Penal Code), in cases involving demands for the sharing of intimate content or acts that violate the victim’s sexual dignity.
The purpose of the attack and the nature of the target also influence the legal classification. Cyberattacks against the State, critical infrastructure, or essential services intended to cause harm, obtain strategic data, or take control of systems may constitute crimes against the safety of communication and transportation systems and other public services (Articles 260 to 266 of the Penal Code) or even terrorism, as defined by Law No. 13,260/2016.
If, after the ransom is paid, access is not restored and new demands are made, the situation may be classified as fraud (Article 171 of the Penal Code) or as a continued crime.
Given the complexity of these offenses, it has become evident that Brazilian criminal legislation needs updating to address the growing sophistication of cybercrimes. It is therefore imperative to improve the legal framework, invest in the training of public agents, build specialized investigative infrastructure and ─ most importantly ─ foster a cybersecurity culture across both the public and private sectors.
Thus, beyond criminal response, prevention is essential. Recent data shows that Brazil was the 7th most affected country by ransomware attacks in 2024, highlighting the urgent need for robust digital security measures.
Prevention requires both technical and administrative measures focused on threat monitoring and mitigation. The single most important step is regular, tested backups, kept offline or in an isolated cloud location that a compromised network cannot reach or overwrite, so that data can be recovered without paying if systems are locked.
Keeping operating systems and software patched, using only legitimately licensed software, and running trusted endpoint protection and firewalls all reduce the exploitable surface.
Another key pillar is user awareness. Well-trained staff can recognize attempted attacks and avoid interacting with suspicious links or downloads, whether in professional or personal environments.
In corporate environments, restricting user access and privileges on the network (least privilege) also reduces the attack surface and limits how far an intrusion can spread. Multi-factor authentication and password managers should be standard in both business and personal settings.
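A backup only counts as a recovery option if you can prove it was not touched by the same attacker who encrypted production. The following Python script is an added example, not code from the original post or from any of the institutions named in it. It shows one way to make that check: a SHA-256 manifest of the backup set, sealed with an HMAC so the manifest itself cannot be quietly rewritten, and a verification pass that reports missing, modified and unexpected files and flags modified files whose content has become high-entropy (the signature of in-place encryption). The court-record file names, the file contents, the HMAC key and the 7.5 bits/byte entropy threshold are all constructed for the demonstration.

```python
"""Backup integrity check: hash manifest + HMAC seal + entropy heuristic (added example)."""
import hashlib
import hmac
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed heuristic threshold: encrypted or random data sits close to 8.0 bits/byte,
# plain text and most documents far below. Compressed archives also score high,
# which is why the check is applied only to files whose hash has already changed.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest: dict, key: bytes) -> dict:
    """Serialize deterministically and attach an HMAC-SHA256 tag, so whoever
    encrypts the backup cannot also rewrite the manifest to match."""
    body = json.dumps(manifest, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"manifest": body, "hmac": tag}


def open_sealed(sealed: dict, key: bytes) -> dict:
    """Return the manifest only if its HMAC verifies under the offline key."""
    expected = hmac.new(key, sealed["manifest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac"]):
        raise ValueError("manifest HMAC mismatch: manifest altered or wrong key")
    return json.loads(sealed["manifest"])


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup/restore tree against the trusted manifest."""
    report = {"ok": [], "missing": [], "modified": [], "high_entropy": []}
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
            if shannon_entropy((root / rel).read_bytes()) > ENTROPY_THRESHOLD:
                report["high_entropy"].append(rel)   # looks encrypted in place
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))  # e.g. ransom notes
    return report


def demo() -> dict:
    """Constructed scenario: seal a manifest, then simulate ransomware hitting the backup."""
    key = os.urandom(32)  # in practice kept offline, never on the backup host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cases").mkdir()
        (root / "cases" / "0001.txt").write_text("Case 0001: filing received, hearing scheduled.\n")
        (root / "cases" / "0002.txt").write_text("Case 0002: decision published.\n")
        (root / "notes.txt").write_text("Backup of court records, nightly job.\n")
        sealed = seal_manifest(build_manifest(root), key)

        # Simulated attack: one file "encrypted" in place (random bytes stand in for
        # ciphertext), one deleted, one ransom note dropped.
        (root / "cases" / "0001.txt").write_bytes(os.urandom(4096))
        (root / "cases" / "0002.txt").unlink()
        (root / "READ_ME.txt").write_text("Your files are encrypted. Pay to recover.\n")

        # The attacker also tries to replace the manifest with one matching the new state.
        forged = dict(sealed, manifest=json.dumps(build_manifest(root), sort_keys=True))
        try:
            open_sealed(forged, key)
            forged_accepted = True
        except ValueError:
            forged_accepted = False

        report = verify_backup(root, open_sealed(sealed, key))
        report["forged_manifest_accepted"] = forged_accepted
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest and the HMAC key must live somewhere the backup host cannot write to (offline media, a separate account, or a write-once bucket); otherwise the attacker simply re-seals the manifest after encrypting the data. Run the verification against the restored copy, not only against the stored backup, since a restore that silently fails is the failure mode that turns a backup strategy into a ransom payment.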
Companies and public agencies that handle personal data have additional obligations under Law No. 13.709/2018 (General Data Protection Law – LGPD) and must therefore implement cybersecurity plans and incident response protocols to prevent public exposure and legal, operational, and reputational damage.
From a legal perspective, companies may face sanctions from the National Data Protection Authority (ANPD), as well as lawsuits from affected data subjects and potential breaches of contractual obligations with partners or clients ─ leading to litigation and financial losses.
Regarding institutional reputation, the public response following a ransomware attack must be transparent, involving clear communication with the press and affected users. Article 48 of the LGPD requires prompt notification to the ANPD and data subjects, along with other sector-specific obligations depending on the entity’s activities. Simultaneously, it is crucial to restore technological infrastructure and ensure the continuity of services.
Given the increasing sophistication of these attacks and the scale of the potential damage, combating ransomware demands a governance and prevention strategy, user awareness of the digital landscape, rapid incident response, effective accountability, and ─ above all ─ regulatory and technological solutions that uphold the fundamental rights to privacy, security and human dignity in an increasingly interconnected and challenging digital environment.
1- F-Secure (2022), What is ransomware? A guide to malware-driven cyber extortion, available at https://www.f-secure.com/en/articles/what-is-a-ransomware-attack
2- IBM (2024), HOLDSWORTH, Jim and KOSINSKI, Matthew, What is ransomware as a service?, available at https://www.ibm.com/think/topics/ransomware-as-a-service
3- Arctic Wolf (2024), The Dangers of Double and Triple Extortion in Ransomware, available at https://arcticwolf.com/resources/blog/dangers-of-double-and-triple-extortion/
