Cybersecurity threatscape for Latin America and the Caribbean: 2022–2023

The digital transformation sweeping the world has not eluded Latin America and the Caribbean. However, as governments, companies, and individuals in the region increasingly embrace digital tools, the risk of cyberattacks is also rising.

In this report, we analyze the state of cybersecurity in the countries of Latin America and the Caribbean. Special attention is given to the largest ones—Brazil, Mexico, and Argentina—which play a key role in the region's economic and technological development and face the highest number of cyberattacks. We identify the key threats and offer recommendations to strengthen the region's digital security.

Key figures and conclusions

  • In recent years, Latin American countries have undergone rapid digital transformation, affecting all aspects of citizens' lives and every economic sector. This transformation has brought an increased risk of cyberthreats, for which the region was not prepared.
  • Latin America accounted for 12% of the total number of attacks worldwide in 2022. The attackers primarily targeted organizations and individuals in Brazil, Mexico, and Argentina—attacks on these three countries accounted for 44% of all attacks.
  • The majority of successful attacks on organizations targeted government agencies (31%), industrial enterprises (11%), financial institutions (9%), and retail companies (9%).
  • The most serious cyberthreat to organizations and states in the region is ransomware attacks. Due to the activities of ransomware operators, the share of all successful attacks (52%) that led to the disruption of company operations—suspension of business processes or loss of access to infrastructure or data—is higher than the global average. Notably, ransomware attacks in this region often target government structures: the percentage of affected government agencies (31%) is 2.2 times higher than the global average for the same period.
  • In 61% of cases, successful attacks on organizations led to confidential information leaks. The primary motivation of the attackers in these cases is most likely financial—they sell the stolen information (mostly personal and account data) on the dark web or use it for further attacks and extortion.
  • On shadow forums, criminals actively trade and exchange stolen data, hacking services, and access to the networks of Latin American organizations. More than half of the listings (53%) that specify a particular country in the region mention Brazil, Argentina, or Mexico. Most commonly sold on the dark web is access to the networks of financial institutions, government agencies, IT companies, industrial enterprises, and service organizations.
  • The high levels of mobile Internet penetration, mobile device use, and electronic payments in the region have led to an increase in attacks on citizens' mobile devices. Malware is used more frequently than in any other region worldwide: 78% of attacks involve malware, primarily spyware (40%) and banking trojans (32%). Low levels of cyberliteracy among the population mean that such attacks are often successful.
  • Latin American states need to strengthen regional cooperation in combating cybercrime and harmonize their cybersecurity legislation, making use of the accumulated experience and best practices of developed countries.
  • Recommendations for improving cybersecurity at the state level also include developing national cybersecurity strategies, strengthening ties between organizations and national cyberincident response centers, supporting cybersecurity education programs, and promoting international cooperation and data exchange.
  • Recommendations for improving the cyber resilience of organizations include defining non-tolerable events and protecting critical assets, monitoring and responding to cyberthreats with advanced security tools, evaluating the efficacy of implemented measures, and training employees.

Digitalization and cybersecurity issues

Development of digital technologies in the region

Latin America and the Caribbean have diverse economies, each with its own unique historical, cultural, and geographical characteristics. Some of the countries here, such as Brazil and Mexico, show dynamic economic development and have strong industrial sectors. At the same time, other countries, especially the smaller states in Central America and the Caribbean, face economic difficulties and rely more heavily on tourism and agriculture. The region's combined GDP accounts for 6% of global GDP, highlighting its importance in the global economic context.

Development of the digital economy is one of the key factors to further economic growth. Transitioning to the digital economy can improve economic performance, increase productivity, and create new jobs, which is critical for a region characterized by relatively high levels of unemployment and social inequality. Although the region has traditionally lagged behind more developed economies when it comes to digitalization, in recent years Latin American countries have been actively adopting and developing digital technologies and services. This is particularly noticeable in government services, financial technologies, healthcare, and retail.

The internet penetration rate in the region as of the beginning of 2023 is estimated at 75%, surpassing the global average of 65%. In Brazil, this rate is 84%; in Argentina, 87%; and in Mexico, 77%.

Figure 1. Internet penetration rate

The digitalization of the region involves not only expanding Internet access but also integrating new technologies into citizens' daily lives—from mobile banking and online shopping to smart home systems. About 66% of the adult population makes purchases online, and in Argentina, Brazil, Chile, and Colombia, this percentage exceeds 80%. E-commerce is growing in the region: experts estimate that the volume of transactions will increase by 27% in 2023, reaching $509 billion.

In many countries, in particular Brazil, Argentina, Mexico, Colombia, and Chile, national programs have been established to stimulate the development of the digital economy. These strategies aim to integrate new technologies into every sector, primarily optimizing government services and developing e-commerce and digital payments. According to various assessments, such as the E-Government Development Index and the GovTech Maturity Index, most countries' government services in the region have high or very high levels of digital development.

Figure 2. Maturity level of government services according to the World Bank GovTech Maturity Index

Cybersecurity issues

Despite active technological development, many countries still lack sufficient legislative frameworks and infrastructures to combat cybercrime. Cybersecurity issues have become particularly pressing in Latin America due to the lack of clear standards and regulations, a shortage of qualified professionals, a lack of information security culture among users, and limited resources for investing in security technologies—all of which make the region especially vulnerable to cyberthreats.

According to experts' estimates, the damage from cyberattacks to countries in the region amounts to about 1% of GDP, and if critical infrastructure is affected, it can become as much as 6%. In a Fortinet study, 31% of Latin American organizations reported that the consequences of cyberattacks cost them more than $1 million.

Scores from the Global Cybersecurity Index 2020 report show that Latin America has the lowest level of cybersecurity compared to other regions.

Figure 3. Cybersecurity index by region

Only 10 out of the 33 countries in Latin America have a cybersecurity index above the world average, with Brazil (96.60) and Mexico (81.68) boasting the highest. In most countries, the problem lies in the lack of resources; naturally, wealthier countries can invest more in infrastructure and cybersecurity development.

Figure 4. Relationship between the cybersecurity index and a country's GDP

The region faces numerous obstacles on the path to cyber resilience. Primarily, this is due to a lack of funding. According to the Organization for Economic Co-operation and Development, the majority of enterprises in the region (99%) are small and medium-sized businesses, making them the backbone of the economy. Such companies may not have sufficient resources to protect their assets and hire qualified cybersecurity staff, leaving them vulnerable to new threats. According to the ESET Security Report, 65% of specialists believe that their organizations need to invest more in cybersecurity.

There is also a shortage of qualified cybersecurity professionals in the region. ISC2 estimates that in 2022, there was a shortage of 516,000 personnel in Mexico and Brazil alone. At the same time, 94% of organizations plan to increase their cybersecurity workforce. Unfortunately, countries in the region are experiencing a brain drain due to relatively low salaries compared to other regions—many Latin American specialists are relocating to North America or Europe in search of career and educational opportunities. According to e-Governance Academy, only 12 countries in the region offer bachelor's programs in information security, while 15 countries have dedicated master's programs.

There are also political problems. The approach to cybersecurity remains largely reactive—actions are taken only in response to incidents that have already occurred, so newly emerging threats may be overlooked. Legislation also falls short: for example, not all countries in the region have adopted national cybersecurity strategies. In November 2022, a digital development plan for Latin American and Caribbean countries was published, aiming for the implementation of national cybersecurity strategies in 20 of the region's 33 countries by 2024. Critical infrastructure security is likewise addressed in the strategies of only some states. There is no unified legislation on cybersecurity or data protection among Latin American countries. Individual initiatives to bring laws in line with best practices are emerging; for example, Brazil and Argentina updated their personal data protection legislation following the European GDPR. However, legal requirements vary from country to country, which can create additional difficulties in cross-border data transfer and the fight against cybercrime. Some countries in the region, such as Brazil, Argentina, Colombia, Chile, and Costa Rica, have signed the Budapest Convention on Cybercrime. But at the regional level, efforts to unify legislation and counter cyberthreats are progressing very slowly.

There are national cyberincident response teams in 24 countries in the region. But even in countries where procedures for reporting cyberincidents and interacting with CERTs or CSIRTs are in place, cybersecurity professionals are not always familiar with these processes. The LATAM CISO 2023 Cybersecurity Report notes that although the majority of respondents understand the procedure for interacting with CERTs, 32% stated they don't know where and how to report a cyberincident. In addition, 35% of respondents express a low degree of confidence in national CERTs.

Targets and consequences of cyberattacks

Latin American countries accounted for 12% of the total number of attacks in 2022, according to an IBM report. There's a clear correlation between the size of the country's economy, the development of digital technologies there, and the number of attacks. The attackers primarily targeted organizations and individuals in Brazil (22% of all attacks in the region), Mexico (12%), Argentina (10%), Costa Rica (9%), Colombia (9%), and Chile (8%).

Figure 5. Distribution of successful attacks by country in the region

According to a survey in the LATAM CISO 2023 Cybersecurity Report, 71% of cybersecurity leaders noted that the number of attacks on their organizations had increased over the last year, while only 8% reported a decrease. In the ESET survey, 69% of respondents said they had encountered a security incident in the last year. The Fortinet study reports that 58% of respondents expect an increase in the number of attacks in the near future.

From the beginning of 2022 until the end of the first half of 2023, the majority of successful attacks on organizations in the region targeted government agencies (31%), industrial enterprises (11%), financial institutions (9%), and retail companies (9%).

Figure 6. Categories of victim organizations

13% of successful attacks targeted individuals.

78% of attacks were targeted, meaning they were aimed at specific organizations, industries, or individuals.

Figure 7. Top 5 victim categories by country (panels: Brazil, Mexico, Argentina, Costa Rica, Colombia)

Private individuals accounted for 13% of successful attacks in the region, slightly lower than the global average (17%). However, in countries like Mexico and Brazil, this percentage was higher—23% and 20%, respectively.

Successful attacks on organizations most often resulted in leakage of confidential information (61%) and disruption of operations (52%). These consequences were more frequent than the global average, likely due to the high degree of ransomware activity in the region.

Figure 8. Consequences of attacks (percentage of attacks)

The primary motive of attackers is likely financial gain. There are numerous attacks involving data theft, but the attackers are not interested in the stolen information itself (mostly personal and account data)—research suggests that they mainly sell it on the dark web or use it for further attacks and extortion. This is confirmed by the frequent use of ransomware—63% of the total attacks on organizations.

The most high-profile incident in the region over the past two years was an unprecedented series of ransomware attacks on government organizations in Costa Rica, affecting the IT systems of 27 institutions. Due to the unavailability of a significant portion of the country's IT infrastructure, a state of emergency was declared. In just the first 48 hours of the attack, the criminals caused damage amounting to $125 million, and the process of restoring Costa Rica's infrastructure lasted several months.

Government agencies

Government agencies were most frequently targeted in attacks. They are of interest to cybercriminals for several reasons. These institutions maintain extensive databases, including citizens' personal data, information on national security, and economic data. This information can be used for extortion, espionage, or sold on the shadow market.

Government systems are undergoing digitalization, and more and more services are being provided online—only to instantly become targets for hackers. For example, as soon as the Jamaican government introduced an electronic system for completing customs and immigration forms, it was hacked—the perpetrators demanded $35 from unsuspecting users for access to the system.

Some government agencies in the region also use outdated or inadequately protected information systems, making them easy targets for cyberattacks. Insufficient funding and low levels of cybersecurity training among staff can also play a role. For instance, in September 2022, the Guacamaya group penetrated the servers of state structures in Mexico, Chile, Peru, Colombia, and El Salvador through the ProxyShell vulnerability in the Exchange service. The official security update was released at the beginning of 2021, but the compromised organizations did not install this patch. In the case of the attack on the Mexican Secretariat of National Defense, the attackers exploited vulnerabilities in the free mail server Zimbra—presumably, this software was used due to budget cuts.

Cyberattacks can be a tool for political pressure, destabilization, or display of power. They can also be used to interfere with elections or other governmental processes. Some groups may target governmental institutions to advance their ideological beliefs. For instance, the aforementioned Guacamaya is a group of hacktivists who claim to support environmental protection in South America. They steal and publish data from government agencies and industrial companies. Since 2022, these hacktivists have published over 20 TB of stolen data.

Industrial and energy companies

The manufacturing and energy industries, particularly the oil industry, are essential to Latin America's economic growth and development. Disruptions in these sectors can snowball into economic and social problems. Successful attacks have resulted in disruptions to IT infrastructure in 58% of cases for industrial enterprises.

Industrial organizations often possess valuable intellectual property. In 77% of successful attacks, attackers managed to steal data, and in half of the cases, this stolen information contained trade secrets. Guacamaya was particularly active in this regard: in 2022, the group published over 2 TB of information stolen from mining companies in Central and South America.

Approximately 6% of all dark web listings related to the region involve selling access to the networks of companies in the manufacturing and energy sectors. The average price for such access ranges from $600 to $800, depending on the company's size and the level of access privileges. One outlier listing was selling access to an energy company in Argentina for $1,700.

Figure 9. Sale of access to an Argentine energy company

Finance

The financial sector remains a primary target for cybercriminals in Latin America due to its extensive digital transformation and the potential profits for attackers. However, financial organizations are relatively well protected; in the last two years, there have been no major attacks resulting in significant service disruptions or large-scale theft of funds. Criminals are mostly interested in theft of confidential data and extortion: in 70% of successful attacks on financial organizations, they stole confidential information about the victims' clients.

Ransomware was used in 45% of attacks, most commonly from the LockBit and BlackCat families. For example, in October 2022, a ransomware group attacked a bank in Brazil using the LockBit malware and asked for a ransom of 50 bitcoins, which was about $1 million at the time. The attack led to data leakage and temporary disruptions to client services.

In 2023, ATM malware called FiXS started spreading in Latin America, particularly in Mexico. This malware allows criminals to withdraw cash from ATMs. While the number of ATM attacks had been steadily decreasing in recent years, the beginning of this year saw a resurgence in usage of such malware.

Moreover, attackers are not only targeting banks but also their users, especially clients of Brazilian banks using the popular instant payment system PIX. Several banking Trojans have emerged specifically to attack this system. Generally speaking, as electronic payments and digital banking continue to evolve, we can expect an increase in the number of threats for users who are lax about their security and therefore more vulnerable to phishing attacks. Consequently, banks should focus on securing their applications and enhancing cybersecurity awareness among their clients.

Retail

Among attacks aimed at organizations, 9% occurred in the retail sector. These were mainly companies from the largest countries in the region: Brazil, Argentina, and Mexico—for example, Mercado Libre, Fast Shop, and Rede Top.

The IT systems of such companies process and store a vast amount of user data—information of great interest to cybercriminals. Moreover, various payment systems are linked to online stores, creating opportunities for theft of funds and interception of bank card data. During the period in review, 68% of successful attacks led to data breaches, mainly of customers' personal information.

Ransomware poses the primary threat to retail, being involved in 84% of successful attacks. At the same time, online platforms are highly sensitive to disruptions—a day of downtime could cost a company millions of dollars. For example, the Brazilian conglomerate Americanas.com reported a loss of $184 million due to cyberattacks that halted online sales for several days. Overall, 58% of successful attacks disrupted companies' operations.

E-commerce is one of the fastest-growing sectors in Latin America, with retail accounting for a significant portion of it (53%). Forecasts predict an average annual growth rate in online retail of 21% from 2023 to 2026, with a corresponding increase in attacks on this sector.

Main threats

Attacks on organizations are primarily linked to the compromise of computers, servers, and network equipment (87%). Successful attacks on web resources accounted for 15%, with 54% of these incidents involving the exploitation of known vulnerabilities and publicly available exploits.

More than a third of attacks on individuals (34%) target mobile devices—a rate higher than the global average (22%) and close to the figure for Asian countries (37%). The popularity of this attack vector is due to the high level of mobile Internet penetration and the use of mobile devices in the region. The 2023 Latin America E-commerce Blueprint report notes that in 2023, 70% of online purchases and other payments are made through smartphones, a figure that grows annually. What's more, the number of mobile device users is increasing each year and is expected to reach 74% of the population by 2025. Consequently, the number of attacks on mobile devices will also rise.

Figure 10. Attack targets (percentage of attacks)

Every second successful attack targeting organizations uses social engineering (53%). Vulnerability exploitation was recorded in 27% of cases, and credential compromise in 19% of attacks. Malware is used about as often in attacks on organizations (80%) as on individuals (78%).

Figure 11. Attack methods (percentage of attacks)

Malware

Latin American countries exhibit the highest percentage of ransomware use in attacks on organizations (79%) compared to the global average (53%).

Figure 12. Types of malware (percentage of successful malware attacks)

In attacks on individuals, malware is used more frequently than in any other region worldwide: 78% of such attacks involve malware, primarily spyware (40%) and banking trojans (32%). Several factors contribute to this trend: the widespread use of pirated software, the use of unverified VPN programs to access blocked resources, and a generally low level of cybersecurity awareness.

The primary methods for spreading malware in organizations are through email (54%) and compromise of computers and servers (35%). Malware reaches individuals' devices when users visit infected websites (55%) or open attachments and links in emails (29%). Official app stores can also become sources of infection when attackers manage to bypass security systems and pass off their programs as legitimate.

Figure 13. Malware distribution methods in successful attacks on organizations
Figure 14. Malware distribution methods in successful attacks on individuals

Ransomware attacks

While the world in general is seeing a downward trend in ransomware attacks, this threat is growing in Latin America. According to the IBM X-Force Threat Intelligence Index, the number of incidents related to ransomware in Latin America increased by 3% in 2022. Moreover, the criminals' methods are evolving—the average attack duration has decreased from two months to four days. If we compare the first halves of 2022 and 2023, the growth in ransomware attacks in the region remains at the same level, 3%.

Nearly a third of ransomware attacks (31%) targeted government agencies. This percentage is significantly higher than in other regions—2.2 times the global average of 14%. Industrial enterprises, retail, medical, and educational institutions are also among the top 5 categories of ransomware victims.

Figure 15. Categories of ransomware victims

Companies are still not fully prepared to deal with the consequences of ransomware attacks on their own. For example, in a survey conducted by Veeam in Latin American countries, 58% of respondents said their organization paid the ransom and managed to recover the data, while 14% paid the ransom but couldn't retrieve the data. Only 21% of respondents said they didn't pay the ransom because they were able to restore the data from backups. According to Veeam, organizations paid the ransom through insurance in 77% of cases. However, recently the conditions for cyberrisk insurance have been changing: insurance companies have started increasing deductibles and premiums. Some insurance companies are now excluding ransomware attacks from their coverage, as stated by 20% of respondents.

Possibly due to the large number of organizations falling victim to ransomware attacks and other threats directly impacting data, the most common security technology in corporate networks has become backup systems—used by 88% of organizations. However, according to another study, the Thales Data Threat Report, only 60% of respondents said their organization has a response plan in case of a ransomware attack (which is already a significant improvement compared to 2021, when only 42% of respondents reported having such a plan).

There are many ransomware groups operating in the region, the most active of which in the last two years have been the following:

  • LockBit

The LockBit ransomware group, which has been active since 2019, has targeted both governmental and private organizations in South America. Not all attacks were conducted directly by the group: LockBit spreads its eponymous malware using the ransomware-as-a-service (RaaS) model.

  • BlackCat (ALPHV, UNC4466, Noberus)

BlackCat ransomware group has been active since 2021. These cybercriminals target both private and governmental organizations in South America and around the world.

  • Cl0p

The Cl0p ransomware group was first detected in 2019. The attackers target a wide range of industries globally, but in Latin America they have focused on attacking universities and financial organizations in Mexico, Colombia, and Puerto Rico.

  • BlackByte

The BlackByte ransomware group was first noticed in 2019. The cybercriminals operate worldwide, and in Latin America they have targeted industrial and governmental organizations in Mexico, Argentina, and Peru. Like LockBit, they distribute their ransomware using the RaaS model.

  • Rhysida

The Rhysida cybercriminal group appeared in May 2023. They disguise themselves as a cybersecurity team offering assistance to victims. In South America, Rhysida has targeted governmental and medical organizations. In May 2023, the group attacked the IT infrastructure of the Chilean army, resulting in significant system disruptions and confidential information leaks.

  • Conti

The Conti ransomware group conducted attacks on private and governmental organizations worldwide. In April 2022, they launched a campaign targeting governmental agencies in Costa Rica. A series of cyberattacks led to the shutdown of many government systems for almost a month, a 672 GB data leak, and a declaration of a state of emergency in the country. But at the end of June 2022, the Conti group shut down its websites and ceased to exist, presumably splitting into several smaller organizations.

Development of shadow markets

On shadow platforms, criminals trade and exchange access to organizational networks, stolen data, tools, and services for carrying out attacks. Interest in organizations from Latin American countries is growing: the number of dark web messages related to this region during the first three quarters of 2023 has already exceeded the total number of messages in 2022 by 32%. In more than half of the listings (53%) specifying a particular country in the region, either Brazil, Argentina, or Mexico is named.

Figure 16. Distribution of advertisements by country in the region

The majority of the dark web messages (70%) contain advertisements for the sale or purchase of access to the infrastructure of organizations. One fifth (22%) of the listings involve the sale, purchase, or distribution of databases containing confidential information. Approximately 6% of messages involve news about breached resources.

Figure 17. Distribution of advertisements by topic

Most commonly sold on the dark web is access to the networks of financial institutions, government agencies, IT companies, industrial enterprises, and service organizations. Databases sold or distributed for free typically contain information leaked from government agencies, telecommunication companies, online stores, and financial institutions.

Figure 18. Distribution of advertisements by topic and industry

The cost of access depends on several factors: the characteristics of the organization itself, such as the industry and annual income, as well as the type of access offered and the level of account privileges. The average cost is around $600. The most expensive type of access is account credentials for entering the infrastructure of financial organizations: access to a bank is offered at an average of $1,400, with prices reaching as much as $18,000.

Figure 19. Average cost of access to an organization's network on the dark web ($)
Figure 20. Sale of access to three Latin American organizations
Figure 21. Sale of access to two Latin American organizations

Social engineering

Attacks using social engineering represent one of the main threats to the region, both for organizations and private individuals. For example, ransomware infiltrated corporate networks through email in 53% of successful attacks. The KPMG Fraud Outlook report found that 32% of Latin American respondents saw an increase in attempted phishing attacks in 2022, while the LATAM CISO Report: Cybersecurity Insights From Industry Leaders notes that 88% of cybersecurity leaders consider various forms of social engineering to be the primary threat to companies.

Research conducted by KnowBe4 shows that the awareness level of employees in Latin American organizations is lower compared to other regions, with 41% of users unable to recognize a phishing attack. This means that four out of ten employees might download and launch attachments from phishing emails, click on malicious links, or hand over credentials to attackers. In other regions, this figure doesn't exceed 35%.

Figure 22. Social engineering channels

Social engineering attacks often target individuals through social networks, messaging apps, and email campaigns. However, most commonly, such attacks occur through phishing or compromised websites (58%). The highest number of phishing sites has been observed in Brazil. According to SocRadar, over 2600 potential phishing domains were registered from October 2022 to October 2023, aiming to spoof the websites of Brazilian organizations. The Brazilian Public Security Yearbook reports a 66% increase in online fraud cases in 2022. This threat is also relevant to other countries in the region: around 1000 phishing domains were registered in Colombia, over 800 in Argentina, and more than 500 in Mexico and Peru during the same period. The criminals mostly imitate the sites of cryptocurrency exchanges, financial institutions, and government services.

In May 2023, researchers identified a large-scale phishing campaign targeting individuals and organizations in Mexico. The attackers sent emails with an attachment mimicking a CFDI tax receipt format commonly used in Mexico. Upon opening the attachment, the user's device was infected with malware capable of capturing login credentials for bank accounts. Experts believe that this campaign started in 2021, with the fraudsters deceiving over 4000 victims in the last two years, amassing over $55 million.

Banking trojans

Banking trojans pose a significant threat to individuals in Latin America, accounting for a third (32%) of all malware detected in attacks on individuals. The region is seeing the spread of numerous banking trojans like BBTok, GoatRAT, PixBankBot, and Grandoreiro. Residents of Brazil and Mexico are particularly vulnerable; these countries are likely to be of greater interest to attackers due to their population size and widespread use of online banking.

In September 2023, the BBTok banking trojan began spreading in Latin America, targeting residents of Mexico and Brazil. It mimics the interfaces of over 40 Mexican and Brazilian banks, including Citibank, Scotiabank, Banco Itaú, and HSBC. This allows fraudsters to trick users into entering two-factor authentication codes and thus gain control over accounts. In addition, this malware can steal payment card numbers.

In Brazil, attacks have recently targeted the PIX instant payment system. For example, the GoatRAT trojan targets users of three Brazilian banks: Nubank, Banco Inter, and PagBank. This trojan intercepts the PIX key necessary for money transfers and steals funds from the victim's bank account.

Data leaks

According to IBM, the average cost of damage from information leakage in Latin American countries increased by 32% over the year and amounted to $3.69 million by the beginning of 2023. The majority of attacks resulting in data leaks occurred in the government sector (27%), followed by manufacturing industry (15%), financial sector (10%), retail (10%), and education (7%).

Figure 23. Industries with the highest number of data leaks (percentage of successful attacks resulting in data theft)

In attacks on organizations, the criminals primarily stole personal data (40% of the total volume of stolen information) and information containing trade secrets (21%). Most often, citizens' personal data was leaked from the systems of government agencies, financial organizations, and educational institutions. The primary cause of data leaks in organizations was ransomware attacks demanding payment in exchange for not disclosing stolen information. Attacks on individuals led to the theft of account and personal data (38% and 25%, respectively) and payment card data (25%).

Figure 24. Types of data stolen in attacks on organizations
Figure 25. Types of data stolen in attacks on individuals

Attackers may sell compromised data on the dark web or make it publicly available. For example, data from the Argentine hospital Garrahan, hit by a cyberattack in 2022, was put up for sale on the dark web for $1,500.

Figure 26. Sale of the Argentine hospital's database

Among the databases found on the dark web, 28% were stolen from government agencies, 20% from IT companies, and 8% from financial organizations.

Figure 27. Sale of databases on the dark web (victim categories among companies)

Conclusion and recommendations

In recent years, Latin American countries have experienced a number of attacks that impacted the functioning of critical sectors and even an entire state. The region turned out to be highly unprepared for cyberthreats due to economic and social factors, as well as the rapid adoption of digital technologies without ensuring the necessary protection. We believe that cooperation between countries, investment in security, political support for changes, and improving education are crucial steps to take. We propose a number of measures to enhance cybersecurity for individual organizations, sectors, and the entire region.

Recommendations for governments

Adopt information security strategies at a national level

Only some Latin American countries have adopted national cybersecurity strategies. While the adoption of a strategy does not by itself guarantee a higher level of security, these documents set the direction for further development and emphasize the importance of cybersecurity at the state level. Governments should develop, implement, and regularly update national cybersecurity policies and strategies, involving a wide range of stakeholders in the process. Development of these strategies should have the necessary funding and political support to ensure effective coordination and a clear allocation of responsibilities.

A national information security strategy should include an assessment of threats and list well-defined goals and the steps required to achieve them. Representatives of government organizations, business, and the cybersecurity sector should be involved in the development of the strategy, and drafts should be reviewed and discussed publicly.

Harmonize legislation for cybersecurity and personal data protection

Countries in the region should consider agreeing on shared cybersecurity standards for more effective collaboration or establish common mechanisms for exchanging information on and fighting against international cyberthreats.

Cybersecurity and data protection legislation must be regularly updated to keep pace with the latest cyberthreats and technological advancements. It should also facilitate effective coordination between different law enforcement and security agencies.

Protect critical information infrastructure

Governments should identify non-tolerable events at the industry and national levels. This approach helps to effectively allocate resources to ensure the protection of the most critical systems. Priority should be given to the infrastructure of sectors such as government, telecommunications, manufacturing, and finance, as well as other sectors vital to the economy and national security, such as e-commerce and agriculture. The speed of digital transformation and the maturity level of information security in the country should also be taken into account.

Create national and industry cyberincident response centers and improve mechanisms for cooperating with organizations

National cyberincident response teams are responsible for monitoring threats and helping organizations recover from serious cyberattacks. The creation of such structures should be a priority when implementing a national cybersecurity and critical infrastructure protection strategy. In 2023, only 24 countries in the region had national CERTs/CSIRTs. Countries that already have such structures should establish industry CERTs and collaborate to support the establishment of regional response centers. It should also be noted that mechanisms for reporting incidents may not be sufficiently clear to security professionals. Straightforward and transparent mechanisms for reporting cyberincidents occurring in organizations must be developed, and efforts should be made to increase trust in national CERTs and interaction with government structures. Improved information sharing between organizations and cybersecurity centers can help prevent attacks and respond to new threats in a timely manner.

Responding to cyberthreats must be integrated into the overall strategy for protecting and restoring critical national infrastructure.

Raise awareness and promote education in cybersecurity matters

Governments should invest in public awareness campaigns about current threats and how to protect oneself against them. In this region, as in the rest of the world, there is a shortage of qualified cybersecurity professionals. Therefore, promoting this field and related professions and developing learning programs in educational institutions should be a government priority.

Cooperate internationally

Cybercrime has long transcended the borders of individual states, making it crucial for countries to cooperate with one another in combating cyberthreats. By sharing information, resources, and expertise, countries can collectively strengthen their defenses and mitigate the risks posed by cybercriminals across jurisdictions. National cybersecurity strategies should include objectives for developing international relations in the field of cybersecurity.

Recommendations for businesses

Identify non-tolerable events and critical assets

To ensure the cyber resilience of a company, it is necessary first of all to analyze the main risks and draw up a list of non-tolerable events that could cause significant damage to its activities. This step will help identify critical assets and focus on protecting the most valuable resources. A strategy should be developed to prevent non-tolerable events, including the necessary security measures and monitoring of network activity using modern security tools.

Monitor incidents and respond to cyberthreats

Incident monitoring and detection systems are needed to respond to potential threats and attacks in a timely manner. For this purpose, we recommend using SIEM systems that collect and analyze information about security events from various sources in real time. Together with XDR (extended detection and response) and NTA (network traffic analysis) solutions, this will help detect attacks in their early stages and ensure a swift response, reducing risks for the organization.

Evaluate cybersecurity effectiveness

The effectiveness of adopted cybersecurity measures should be regularly tested to assess the performance of the strategy and defenses. We recommend paying special attention to verification of events that are non-tolerable for the organization.

It is also worth participating in bug bounty programs so that external security researchers can find new vulnerabilities. These programs will help detect and eliminate vulnerabilities before attackers can exploit them.

Train employees and develop information security specialists

It is essential to educate employees about the fundamentals of cybersecurity and conduct training sessions to increase awareness of current cyberthreats and protect against social engineering techniques.

To effectively combat cyberthreats, organizations should invest in the development of their cybersecurity experts. Regular training and certification of employees in the field of cybersecurity will enhance their skills and knowledge, giving the company expert support in preventing and responding to cyberattacks. One of the most effective ways to do this is to participate in cyberexercises on dedicated platforms, where information security specialists can practice recognizing attack techniques and countering them.

Methodology

The data and findings presented in this report are based on Positive Technologies' own expertise, as well as analysis of publicly available resources, including government and international publications, research papers, and industry reports.

We estimate that most cyberattacks are not made public due to reputational risks. As a consequence, even companies specializing in incident investigation and analysis of hacker activity are unable to quantify the precise number of threats. This research aims to draw the attention of companies and individuals who care about the state of information security to the key motives and methods of cyberattacks, and to highlight the main trends in the changing cyberthreat landscape.

This report considers each mass attack (for example, phishing emails sent to multiple addresses) as one incident, not several. For explanations of terms used in this report, please refer to the Positive Technologies glossary.
