A ransomware group operating under the alias "Nova" has claimed responsibility for a cyberattack against SECONT (Secretaria de Controle e Transparência), a Brazilian government body responsible for transparency and oversight operations. The claim, surfaced through dark web monitoring channels and amplified on X, alleges that the threat actors infiltrated internal systems, exfiltrated sensitive data, and are now leveraging stolen samples to pressure the agency into paying a ransom. As of publication, SECONT has not issued an official statement confirming the breach.
What Happened
According to posts circulating across cybersecurity monitoring accounts and underground leak-tracking communities, the Nova ransomware group added SECONT to its roster of victims, accompanied by data samples intended to validate the intrusion. The attackers reportedly gained unauthorized access to internal SECONT systems before deploying their extortion playbook. Like most modern ransomware operations, Nova appears to be using double-extortion tactics: exfiltrating sensitive files first, then threatening publication if payment demands go unmet.
The incident drew rapid attention across threat intelligence circles because SECONT functions as a control and oversight authority, meaning its data holdings likely include audit records, internal investigations, procurement reviews, and administrative correspondence touching multiple branches of state government. The same monitoring source that surfaced the SECONT claim also flagged a parallel event elsewhere in the ransomware ecosystem: Incransom's claimed theft of nearly 1 TB of data from Meirc Training and Consulting in the UAE, underscoring an active week for ransomware extortion postings.
What Was Taken
Nova's leak-site posting includes data samples positioned as proof of compromise, though the full scope of exfiltrated material has not been publicly enumerated. Given SECONT's mandate over transparency and internal control within the Espírito Santo state government, the data at risk likely encompasses:
- Internal audit and oversight documentation
- Procurement and contract review files
- Investigative records related to public administration misconduct
- Employee personally identifiable information (PII)
- Internal correspondence and email archives
- Administrative and financial control documents
Nova has not yet published a full dump, suggesting the group is currently in the negotiation phase of its extortion cycle. If payment is refused, the full dataset is expected to appear on the group's dedicated leak portal.
Why It Matters
SECONT is not a peripheral agency. Bodies charged with transparency and government oversight hold uniquely sensitive material: ongoing investigations, whistleblower-adjacent records, and information about other government departments. A breach of such an entity is corrosive on multiple levels. It undermines public trust in institutional integrity, exposes individuals named in audits or investigations to retaliation risk, and gives threat actors leverage that extends well beyond a typical commercial victim.
This incident also reinforces a broader pattern. Latin America, and Brazil specifically, has become a sustained target for ransomware affiliates throughout 2026. Public-sector entities across the region continue to operate on fragmented IT estates with underfunded security programs, making them disproportionately attractive to financially motivated actors. Government bodies in Brazil have absorbed repeated hits over the past several years, spanning municipalities, healthcare networks, and judicial systems, and Nova's claim slots cleanly into that trajectory.
The Attack Technique
Nova has not publicly disclosed the initial access vector used against SECONT, and no technical indicators of compromise have been released by the agency or independent responders. However, the group's behavior aligns with the dominant ransomware-as-a-service (RaaS) tradecraft observed across 2026 campaigns targeting public-sector Latin American victims:
- Initial access typically via phishing, exposed RDP/VPN endpoints, or exploitation of unpatched internet-facing services
- Credential harvesting and privilege escalation once a foothold is established, often using off-the-shelf tooling like Mimikatz or Cobalt Strike derivatives
- Lateral movement through flat or poorly segmented government networks
- Bulk data exfiltration to attacker-controlled infrastructure prior to encryption
- Leak-site posting with data samples to maximize negotiation pressure
Nova's operation reflects the professionalized ransomware economy: dedicated negotiation infrastructure, structured affiliate payouts, and a published leak portal designed to coerce victims into compliance.
What Organizations Should Do
Public-sector entities in Brazil and across Latin America should treat the SECONT claim as a prompt to harden defenses against an active and escalating threat. Recommended actions include:
- Audit internet-exposed services. Inventory all externally reachable RDP, VPN, and remote management endpoints, and ensure MFA is enforced on every account with remote access.
- Patch aggressively on edge infrastructure. Prioritize firewalls, VPN concentrators, and remote access appliances, which remain top initial-access vectors for ransomware affiliates.
- Segment networks and restrict lateral movement. Isolate administrative, financial, and oversight systems from general user environments; enforce tiered admin models.
- Deploy EDR with behavioral detection. Signature-only antivirus is insufficient against modern ransomware tradecraft involving living-off-the-land binaries and legitimate tooling.
- Validate and test offline backups. Ensure backup systems are isolated from production credentials and routinely test full-restore procedures under tabletop conditions.
- Establish a ransomware incident playbook. Pre-define legal, communications, and law enforcement coordination workflows so response is not improvised under duress.
Sources: A Dark Web Threat Actor Claims Brazil's SECONT Was Hit by Ransomware Attack + Video - UNDERCODE NEWS