Latin America Is Digitizing Fast. Attackers Are Moving Faster.

There is a pattern playing out across Latin America that security teams with regional exposure cannot afford to ignore. The region is digitizing at extraordinary speed — governments moving services online, financial systems going mobile, enterprises connecting across borders faster than almost any other region on the planet.

Key Takeaways

  1. Ransomware Breaches Surge in Latin America. Ransomware breaches in Latin America jumped 78% in a single year — from over 250 in 2024 to over 450 in 2025 — while the number of ransomware variants nearly doubled from 48 to 79. Brazil alone accounted for roughly 30% of all victims in the region, according to Intel 471’s Latin America Cyber Threat Landscape Report, with consumer products, energy, agriculture, and professional services absorbing the heaviest impact.
  2. Cyberattack Frequency and Costs. Organizations in Latin America face an average of 2,640 cyberattacks per week — 35% above the global average — with associated annual costs exceeding $90 million. The first quarter of 2025 registered a 108% year-over-year increase in reported incidents, making the region the fastest-growing cyber threat environment in the world.
  3. Initial Access Brokers and Entry Methods. Over 200 initial access brokers targeted entities across 17 countries in the region during 2025, with the public sector, energy, and telecommunications among the most targeted. Compromised login credentials were the most common entry method, and corporate remote access portals were the most targeted technology — patterns that map directly to the third-party data security exposure that organizations with LATAM supply chains need to account for.
  4. Digital Transformation Outpaces Security Maturity. Latin America’s rapid digital transformation is outpacing its ability to build mature security controls, governance frameworks, and legal enforcement mechanisms. The OAS cybersecurity maturity assessment found that most countries remain at or below the second maturity stage and that significant gaps exist in critical infrastructure protection, software assurance, and cyber insurance adoption. These are structural vulnerabilities that no single regulation will fix.
  5. Latin America as a Cybercrime Export Hub. The region has evolved from a target into a cybercrime export hub. Banking trojans and financial fraud schemes originally developed for local markets have scaled to North America and Europe, demonstrating the technical maturity of LATAM cybercriminal ecosystems. Several of these malware strains have operated for over a decade with limited disruption or prosecution.

But the security infrastructure, governance frameworks, and legal enforcement mechanisms needed to protect all of that new digital surface area are not keeping up. The attackers know it.

Intel 471’s Latin America Cyber Threat Landscape Report, released in January 2026, provides one of the most comprehensive pictures yet of what that gap looks like in practice. The findings are not theoretical. They are drawn from a full year of incident tracking, underground monitoring, and adversary analysis across the region. And the numbers tell a story that should reshape how organizations think about LATAM risk.

A 78% Ransomware Surge — and That’s Just the Headline

Ransomware breach events in Latin America increased from over 250 in 2024 to over 450 in 2025. That is a 78% increase in a single year. The number of ransomware variants in play nearly doubled, rising from 48 to 79. The most active groups — Qilin, The Gentlemen, SafePay, Akira, and Inc. — hit targets across every major sector, with consumer and industrial products, energy and agriculture, and professional services taking the heaviest blows.

Brazil absorbed roughly 30% of all ransomware victims in the region, followed by Mexico at 14% and Argentina at 13%. But the geographic spread tells only part of the story. The industry breakdown reveals that retail, agriculture, and healthcare providers were among the hardest hit — sectors where ransomware does not just disrupt business operations but threatens food supply chains, patient care, and public trust.

Running alongside the ransomware surge, Intel 471 tracked over 200 initial access brokers targeting entities across 17 LATAM countries during 2025. These brokers are the supply chain of cybercrime — they compromise networks and sell that access to ransomware operators, espionage groups, and data thieves. The most common method was the abuse of compromised login credentials, and the most targeted technology was corporate remote access portals. For any organization with vendors, partners, or subsidiaries in the region, those access broker numbers are a direct measure of third-party risk.

2,640 Attacks Per Week — and the Governance to Match

Here is a number that deserves more attention than it gets: Organizations in Latin America face an average of 2,640 cyberattacks per week. That is 35% above the global average of 1,955. And the first quarter of 2025 alone saw a 108% year-over-year increase in reported incidents, marking what the report calls a critical inflection point.

The costs are mounting. Annual cybersecurity costs in the region exceed $90 million, driven by the convergence of rapid digitalization, persistent security gaps in cloud environments, and the increasing use of automation to scale attacks.

But the structural story is what makes this dangerous rather than just expensive. The Organization of American States conducted a comprehensive cybersecurity maturity assessment in 2025 and found that most countries in the region remain at or below the second of five maturity stages. The gaps are particularly severe in critical infrastructure protection, software assurance, cyber insurance adoption, and market development. In plain terms: The region is connecting everything to the internet while the security foundations to protect those connections are still under construction.

Four Models of Cybersecurity Governance — and Why It Matters for Cross-Border Operations

One of the more useful contributions of the Intel 471 report is its mapping of how different countries in the region approach cybersecurity governance. Drawing on research from the German Institute for Global and Area Studies, the report identifies four distinct models.

Security-oriented countries like Colombia, Ecuador, and Paraguay prioritize cyberattack prevention through national CERTs and military cyber units. Privacy-oriented countries like Costa Rica and Panama have built GDPR-aligned data protection laws. Control-oriented countries like Cuba, Nicaragua, and Venezuela emphasize government control over data, including censorship. And hybrid models — adopted by Argentina, Brazil, Chile, Mexico, and Uruguay — combine data protection with cybersecurity resilience and selective content regulation.

For any multinational operating across the region, this fragmentation is a governance headache. A data handling practice that is compliant in Costa Rica may be inadequate in Colombia and outright restricted in Venezuela. The report notes that hybrid models are expected to become more prevalent, but in the meantime, organizations need to map their compliance obligations country by country — not assume that regional strategies will work.

The Incidents That Define the Threat

The report documents several incidents from 2025 that illustrate the range and severity of the threat landscape. In Brazil, the largest cyberattack on the country’s financial system compromised a fintech provider connected to the Central Bank’s Pix instant payment system. The attack, which leveraged insider access credentials, resulted in the diversion of approximately $148 million from eight financial institutions. Later that year, a separate ransomware group claimed to have compromised the same provider in an unrelated attack.

In Paraguay, the Brigada Cyber PMC group claimed to have stolen more than 7 million citizen records from three government systems and demanded roughly $7.4 million in ransom. In Argentina, an airport security payroll system was compromised, enabling attackers to siphon small sums directly from employee salaries. In Panama, a ransomware group breached a government entity and exfiltrated over 1.5 terabytes of data.

Each of these incidents reveals a different dimension of the problem: insider threats, government data exposure, critical infrastructure targeting, and the financial fraud that has become endemic to the region.

The Export Problem: When Local Threats Go Global

Perhaps the most consequential finding in the report is that Latin America is no longer just a target. It is an export hub for cybercrime.

Banking trojans originally developed for local financial institutions — Grandoreiro, Mekotio, Guildma, Ousaban — have expanded to Europe, Africa, South Asia, and Oceania. Grandoreiro alone now targets more than 1,500 banking institutions across more than 60 countries. Financial fraud schemes refined against LATAM populations are being reused against organizations in North America and Europe. The cross-regional spillover reflects cybercriminal ecosystems that have operated with limited disruption for over a decade.

For organizations headquartered outside the region, this means the threat is not confined to LATAM-based operations. Malware, fraud techniques, and compromised credentials originating in the region are actively targeting your customers, your employees, and your financial systems regardless of where you are located.

What Kiteworks Customers Should Know

The Intel 471 findings align closely with the data from the Kiteworks 2026 Data Security and Compliance Risk Forecast Report and the Kiteworks 2026 Data Sovereignty Report. The containment gap documented in the Forecast Report — where 63% of organizations cannot enforce purpose limitations on their tools and 60% cannot terminate a misbehaving system quickly — is precisely the kind of governance deficit that allows the threats Intel 471 documents to succeed.

For organizations with operations, supply chains, or partners in Latin America, the combination of accelerating threat activity and uneven regulatory enforcement creates a specific set of data security requirements. Sensitive content moving across borders needs to be governed at the infrastructure level, not through policy documents alone. Encryption key custody needs to remain in jurisdiction. Audit trails need to be immutable and exportable. Vendor access needs to be purpose-limited, time-bound, and logged.

Kiteworks delivers these capabilities through a Private Data Network that consolidates email, file sharing, managed file transfer, SFTP, web forms, and third-party integrations under a single policy engine. For organizations navigating the fragmented governance landscape of Latin America — where a data handling practice compliant in one country may be inadequate or restricted in the next — that single-platform approach is the difference between stated compliance and provable control.

The Threat Is Here. The Governance Gap Is the Variable.

The Intel 471 report’s assessment is blunt: Meaningful risk reduction in Latin America is unlikely in the near term. Regulatory enforcement, public-private cooperation, and regional information sharing remain slow-moving processes. Cybercriminal innovation — especially with the adoption of automation and scale — is outpacing all of them.

For security leaders, the implication is clear. You cannot wait for the region’s governance to mature before you protect your data there. You need to bring your own governance — architecture-level controls that enforce data residency, audit access, limit purpose, and produce evidence on demand — regardless of where the data sits or which regulatory model applies. The organizations that do this will operate safely in one of the world’s fastest-growing digital economies. The ones that do not will keep reading about the next $148 million incident and wondering whether they are next.

Frequently Asked Questions

Organizations with supply chain partners in Brazil and Mexico face elevated risk from initial access brokers selling compromised credentials to corporate remote access portals, ransomware groups that increased LATAM breach events by 78% in 2025, and banking trojans that have scaled from regional financial institutions to international targets. Brazil accounted for 30% of all ransomware victims and 35% of all access broker targets in the region.

Cross-border compliance in Latin America is complicated by four distinct governance models: security-oriented (Colombia, Ecuador), privacy-oriented aligned with GDPR (Costa Rica, Panama), control-oriented with censorship (Cuba, Venezuela), and hybrid models (Brazil, Chile, Mexico, Argentina). A data handling practice compliant in one country may be inadequate or restricted in the next, requiring organizations to map obligations country by country rather than applying a single regional strategy.

CISOs presenting LATAM cybersecurity risk to the board should highlight that organizations in the region face 2,640 cyberattacks per week (35% above the global average), ransomware breaches surged 78% in 2025, and over 200 initial access brokers actively targeted the region. The $148 million diversion from Brazil’s financial system via insider credentials illustrates the scale of financial impact that a single incident can produce.

Organizations handling sensitive data through LATAM jurisdictions should not rely on regional governance maturity to protect their data. The OAS assessment found most countries remain at or below the second of five maturity stages. Instead, organizations need to bring architecture-level controls: in-jurisdiction encryption key custody, immutable audit trails, purpose-limited access, and a single policy engine governing all data exchange channels regardless of the local regulatory model.

Banking trojans originating in Latin America — including Grandoreiro, Mekotio, and Guildma — have expanded from regional targets to over 1,500 banking institutions across 60+ countries in Europe, Africa, South Asia, and Oceania. These strains are tailored to local financial institutions and distributed through phishing, WhatsApp, and fraudulent app downloads. Several have operated for over a decade with limited law enforcement disruption, reflecting the technical maturity of LATAM cybercriminal ecosystems.
