CBIA thanks Tima Miroshnichenko for the photo

Latin America confronts 78% surge in ransomware attacks as cyber threats spiral

by CBIA Team

Cyberattacks across Latin America surged dramatically in 2025, with ransomware incidents jumping more than 78% compared to the previous year, according to new intelligence from cybersecurity firm Intel 471. The region now records the fastest global growth in disclosed cyber incidents, with organizations facing an average of 2,640 attacks per week—35% higher than the worldwide average. Annual losses tied to this activity exceed US $90 million, placing both regional businesses and global enterprises with Latin American operations at unprecedented risk.

The escalation coincides with expanding operations by state-aligned threat groups from China and North Korea, alongside the proliferation of sophisticated financially motivated cybercrime networks. Brazil emerged as the primary target, accounting for roughly 30% of identified victims, followed by Mexico at 14% and Argentina at 13%.

Background and Context

The cybersecurity landscape in Latin America has deteriorated at an average annual rate of 25% over the past decade, but the surge intensified in early 2025 when the first quarter alone posted a 108% year-over-year increase. Intel 471 recorded more than 450 ransomware-related breach events across the region in 2025, up from approximately 250 in 2024, while the number of active ransomware variants climbed from 48 to 79.

Analysts attribute the spike to rapid digital transformation outpacing security controls, persistent weaknesses in cloud infrastructure, and the expanding use of artificial intelligence to automate attack operations. The most disruptive ransomware groups identified were Qilin, The Gentlemen, SafePay, Akira, and Inc, with retail, wholesale, distribution, agriculture, and healthcare emerging as the most targeted sectors.

Key Figures and Entities

According to the Intel 471 assessment, Brazil, Colombia, Chile and Uruguay maintain the most advanced cybersecurity strategies in the region, while Argentina and Peru have made notable progress. However, significant variability remains among member states in critical areas including software assurance, protection of critical infrastructure, innovation, market development and cyber insurance adoption.

Advanced persistent threat (APT) activity reflects sustained campaigns by state-aligned actors, with China-linked groups like Aquatic Panda (also known as Charcoal Typhoon) reportedly targeting military entities in Peru and organizations in Brazil. North Korea-linked actors have conducted financially motivated campaigns, including schemes involving fraudulent IT remote workers. Regional threat cluster Blind Eagle, active since at least 2018, continued espionage operations against Colombian judicial and government institutions.

Initial access brokers (IABs) played a crucial role in enabling intrusions, with Intel 471 observing over 200 instances of access offers impacting 17 countries. The most targeted country was Brazil with over 70 victims, followed by Mexico with over 30 and Argentina with over 20. The top three most impactful IABs during the reporting period were those using the Pirat-Networks, *Red, and *Blue handles, with compromised login credentials representing the most common access method.

Social engineering remains the primary driver of financial fraud, with email and SMS phishing campaigns serving as the most common delivery methods for banking trojans and credential theft. Fraudulent call centers and WhatsApp-based impersonation schemes have expanded the reach of these operations, particularly against financial institutions and e-commerce platforms.

International Implications and Policy Response

An assessment by the Organization of American States found that while the region has made measurable progress in cybersecurity maturity since 2020, significant gaps remain. The assessment used the Cybersecurity Capacity Maturity Model for Nations to evaluate capabilities across policy and strategy, cyber culture and society, education and skills, legal and regulatory frameworks, and technology and standards.

In the absence of unified regional guidelines, countries have increasingly developed independent national contingency and cybersecurity frameworks. National strategies commonly prioritize the protection of critical infrastructure, the establishment of data protection and cybersecurity legislation, the mitigation of cybercrime, and enhanced public-private cooperation through joint incident response mechanisms and information-sharing initiatives.

Looking ahead, Intel 471 assessed that “meaningful risk reduction is unlikely in the near term. The development, harmonization and enforcement of national cybersecurity policies and legislation remain slow-moving processes, while cybercriminal innovation continues at a faster pace—especially in the era of AI.”

Sources

This report draws on cyber threat intelligence from Intel 471, assessments by the Organization of American States, and analysis of regional cybersecurity trends between 2019 and 2025. Specific incident data was compiled from threat monitoring systems and intelligence reports covering ransomware operations, initial access broker activity, and hacktivist campaigns across Latin American countries.
