In the ever-evolving world of cyber threats, ransomware continues to strike organizations around the globe, and healthcare remains a top target. On April 16, 2025, ThreatMon’s Ransomware Monitoring division reported that the LockBit 3.0 ransomware group claimed responsibility for breaching the Brazilian medical association AEAMG (aeamg.org.br). The breach was confirmed through dark web intelligence gathering, placing AEAMG on LockBit’s victim list.
This latest incident adds to the growing concerns over the vulnerability of healthcare institutions, especially in regions with underfunded cybersecurity infrastructures. While the full scope of the damage remains unclear, the claim appears credible based on the source and the pattern of LockBit 3.0’s past attacks.
Breakdown of the Incident
- Threat Group: LockBit 3.0 (also referred to as LockBit Black)
- Victim: Associação dos Ex-Alunos da Escola de Medicina e Cirurgia do Rio de Janeiro (AEAMG)
- Website: [http://aeamg.org.br](http://aeamg.org.br)
- Reported By: ThreatMon Threat Intelligence
- Date of Listing: April 16, 2025, 16:07 UTC+3
- Detection Method: Dark Web monitoring by ThreatMon’s team
AEAMG is a Brazilian medical alumni organization with ties to various medical professionals and institutions. The site serves as a digital hub for educational initiatives, alumni networking, and occasionally, administrative services. While it’s not a hospital or direct care provider, it remains part of the healthcare ecosystem—making it a desirable target for attackers aiming to harvest data, hold systems hostage, or exploit sensitive contacts within the network.
ThreatMon is a known actor in dark web threat intelligence, routinely tracking ransomware groups and publishing findings. The notice, originally shared via X (formerly Twitter), notes LockBit 3.0’s involvement without detailing the extent of the compromise, ransom demands, or whether AEAMG has responded to the attack.
What Undercode Says:
LockBit 3.0’s attack on AEAMG
LockBit 3.0, operational since 2022, has continuously evolved with advanced encryption techniques and extortion tactics. Their approach involves double extortion: first encrypting the data and then threatening to leak it publicly unless a ransom is paid. Often, they rely on phishing, credential leaks, and poorly maintained infrastructure to gain initial access.
AEAMG’s public-facing website may serve as a surface-level point of entry, but the real concern is what sits behind it. These systems may include member databases, internal email servers, financial data, or even patient connections through partnerships. If exploited, attackers could access personal details, ID documentation, and medical histories, all commodities that fetch high value in cybercrime marketplaces.
While the breach may seem minor compared to massive hospital network takedowns, it carries symbolic weight. It’s a reminder that no digital touchpoint in the healthcare ecosystem is too small to be targeted. Such organizations also serve as springboards for lateral attacks: once inside an alumni network, cybercriminals can impersonate trusted contacts and attempt to compromise other connected institutions.
Statistically, Brazil is among the top Latin American countries facing ransomware threats. A 2024 IBM X-Force report ranked it within the top 10 globally for targeted attacks in the healthcare and education sectors. This makes AEAMG’s situation part of a much larger national concern. Organizations with limited IT resources but rich in data are being systematically exploited—an unfortunate sweet spot for actors like LockBit.
Cybersecurity hygiene must extend beyond major healthcare networks to affiliated associations, student platforms, and professional organizations. Missing multi-factor authentication, weak passwords, unpatched servers, and poor monitoring are recurring weaknesses.
Mitigating ransomware threats involves adopting zero-trust architectures, segmenting networks, using behavioral analytics, and training staff on social engineering tactics. However, implementation remains low across mid-sized Brazilian organizations. Until such protocols become standardized, attackers like LockBit will continue to find victims with alarming ease.
Fact Checker Results:
- Threat Validity: Confirmed via ThreatMon’s dark web intelligence channels
- Victim Confirmation: Site is listed on LockBit’s public leak blog (standard practice)
- Group Activity: LockBit 3.0 remains active in Q2 2025 with multiple international hits
This incident is another indicator of how deeply ransomware actors have embedded themselves into the global digital fabric, and how even non-critical healthcare affiliates are now on the radar.
References:
Reported By: x.com