top of page

Intel Brief: Two Ransomware Gangs Attempt To Collect From Peruvian Army

Date: 27/3/2024


  • Peru


Who’s involved:

  • INC RANSOM, RansomEXX, Peruvian Ministry of Defense 

What happened?

  • Since the night of March 24th, the RansomEXX Ransomware gang has claimed to have stolen nearly 800GB of data from the Peruvian Ministry of Defense.

  • The following day, another ransomware group, INC Ransomware, claimed to have also successfully attacked the Ministry, specifically the Army. This claim was that a smaller amount of data (500 GB) was taken.

  • Previews of the leaked information do seem to confirm that both groups have come into possession of personally identifiable information. Both seem to come from the same data.


  • If RansomEXX was the threat actor responsible for the initial attack, it would be their first ransom carried out in nearly four months. Their last claimed successful attack was in early December, against Kenya Airways.

  • RansomEXX has been active since at least 2018 and is linked to the cybercriminal group, Gold Dupont. RansomEXX is a very sophisticated threat actor in the ransomware space. 

  • Both groups use a ransomware-as-a-service (RaaS) model, which means that the groups sell their tools to other threat actors for a cut of the ransom proceeds. Other large groups such as LockBit operate similarly.

  • The RansomEXX and INC Ransomware groups deploy multi-extortion activities, which include stealing victim data and threatening to leak it online unless their demands are met. Their messages to victims typically involve leveraging the threat to their reputation, which is significant when dealing with a government institution. 

  • While ransomware groups primarily target sectors like education, healthcare, and industrial services due to their high dependency on continuous operations and data availability, military departments are not typically the primary focus of most ransomware campaigns. The incident has largely remained out of Peruvian news. 

  • The motivation behind targeting sensitive sectors, including potentially military departments, involves a combination of factors such as the perceived ability to pay large ransoms and the critical nature of the services they provide.

  • There is no indication that the incident is connected to any motivation outside of a still undisclosed amount of money from the ransom.


The simultaneous ransomware attacks on the Peruvian Ministry of Defense by INC Ransom and RansomEXX mark a notable escalation in the landscape of cyber threats against military institutions. This incident highlights the evolving brazenness of ransomware gangs, who are increasingly targeting high-value and sensitive sectors for substantial financial gains and potential geopolitical leverage.

This incident not only reveals that vulnerabilities present in the private sector are also in national defense structures, and suggests a future scenario wherein nationstates can deploy more deniable assets to steal data from adversaries. The overlapping claims by both ransomware groups suggest a possible convergence or competition within the dark web’s criminal ecosystem, complicating the response strategies for affected organizations.


Intel Brief_ Two Ransomware Gangs Attempt To Collect From Peruvian Army
Download PDF • 3.05MB




bottom of page