Rhysida Ransomware Gang Claims Cyberattack on Brazilian Chevrolet Retailer

Rhysida ransomware gang claims to have breached Carrera, a leading Brazilian Chevrolet dealership, demanding $1 million and threatening to leak passports and contracts.

    A well-known ransomware group has claimed responsibility for a cyberattack on Carrera, a major Brazilian auto dealership, demanding a $1 million ransom and threatening to leak sensitive data if it is not paid.

    The Rhysida ransomware gang, believed to have links to Russia, published a post on its dark web leak site claiming it has stolen confidential records from Carrera, including identification documents and signed contracts.

    “With just seven days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data,” the ransom note reads.
    “We sell only to one hand, no reselling, you will be the only owner!”

    Target: Carrera Auto Dealership in São Paulo

    Carrera, headquartered in São Paulo, operates one of the country’s most prominent networks of new, semi-new, and used car dealerships. It represents global brands like Chevrolet, Nissan, and Volkswagen and also provides financing, insurance, and maintenance services.

    The ransomware group claims to possess sensitive files, including:

    • Passport and ID document scans
    • Signed contracts
    • Customer and employee data

    While the scope of the breach remains unclear, screenshots shared by the gang appear to show official documents, increasing the likelihood that identity theft and fraud could follow.

    “They’ll need to allocate additional resources to notify legal authorities about the breach, followed by contacting affected customers,” Cybernews researchers said. “They could face fines of up to 2% of their revenue, which, in their case, could reach almost $3 million.”

    The dealership has not yet issued a public response.

    Rhysida’s Pattern of High-Impact Targets

    The Rhysida ransomware group has gained notoriety through a series of high-profile attacks using double extortion—encrypting victims’ data while threatening to leak it unless paid.

    Since May 2023, the group has claimed more than 200 victims, spanning sectors such as government, healthcare, education, and aviation.

    Notable past incidents include:

    • Peru’s National Registry Systems – Claimed by Rhysida, though denied by the government
    • Seattle-Tacoma International Airport – Disrupted operations and demanded 100 BTC
    • British Library and Lurie Children’s Hospital in Chicago – Publicly listed among claimed victims
    • Montreal-Nord (Quebec) – Targeted with a $1 million ransom

    Despite these attacks, there has been a breakthrough: South Korea’s Korea Internet & Security Agency (KISA) released a free decryption tool for Rhysida ransomware in 2024, offering limited recourse for victims who do not pay.

    “Beyond financial penalties, the company is also likely to suffer reputational damage,” Cybernews analysts warned. “It might impact business performance.”

    As of now, the dark web post gives Carrera until June 1 to comply with the ransom demand. Failure to pay could result in the exposure of potentially damaging personal and contractual data.
