Noroaco Data Breach Exposes 750GB of Steel Manufacturing Data

The Noroaco data breach has been claimed by the BEAST ransomware group following a cyberattack that compromised 750GB of data belonging to the Brazilian steel manufacturer Noroaco – Ferro e Aço. The company, which specializes in the production of high-quality steel tubes, beams, tiles, sheets, and plasma cutting services, was listed as an unpublished victim on BEAST’s dark web leak site on November 6, 2025. The attack is part of a growing wave of ransomware incidents targeting Latin American industrial and manufacturing companies.

About Noroaco

Noroaco is a prominent Brazilian steel and metal fabrication company with over sixteen years of industry experience. The firm provides steel construction materials and precision cutting services to clients across Latin America, serving multiple industries including civil construction, energy, and industrial manufacturing. The company’s infrastructure relies on heavy data processing for design, inventory, and logistics management, making it a high-value target for ransomware operators seeking access to proprietary designs and financial data.

Details of the Breach

According to the BEAST ransomware group’s leak portal, the Noroaco data breach resulted in the exfiltration of approximately 750GB of sensitive information. The attackers listed the company’s website (noroaco.com) and financial data indicating estimated annual revenue of $5.7 million USD. The breach entry remains marked as “unpublished,” suggesting that negotiations may be ongoing and that the stolen data has not yet been released publicly.

Although BEAST has not released sample files, prior incidents linked to the group show that unpublished data typically includes technical documents, internal communications, and financial spreadsheets. For a manufacturing company like Noroaco, this could include:

• Engineering blueprints and production line configurations
• Supplier and client contracts
• Procurement and export documentation
• Employee payroll or HR records
• Confidential product specifications and quality control reports

If such data were to be leaked, it could expose valuable trade secrets, disrupt client relationships, and allow competitors or cybercriminals to exploit operational weaknesses within the company’s supply chain.

About the BEAST Ransomware Group

The BEAST ransomware group is an emerging cybercriminal operation that gained visibility in 2025 for attacking organizations across Brazil, Pakistan, India, and the United States. The group uses a double-extortion strategy that involves both data theft and encryption of local systems. Victims are pressured to pay ransoms under the threat of having their data published on BEAST’s dark web leak portal.

In the case of the Noroaco data breach, BEAST likely used tactics seen in its previous campaigns, including phishing attacks to steal credentials, exploitation of remote desktop protocol (RDP) vulnerabilities, and lateral movement through compromised administrator accounts. Once inside a network, the group exfiltrates large volumes of data before initiating encryption to lock down servers and workstations. This method allows attackers to maintain leverage even if the victim restores operations from backups.

Impact on Noroaco and Its Partners

The industrial sector faces unique cybersecurity challenges, as it often relies on legacy systems, operational technology (OT), and industrial control systems (ICS) that are difficult to update or secure. The Noroaco data breach poses a serious risk to production integrity, supplier confidentiality, and client trust. Leaked designs or project specifications could allow competitors to replicate products or undercut bids in future contracts. Additionally, exposure of export or import documentation could lead to regulatory complications and supply chain disruptions.

Given the size of the compromised dataset, the incident likely includes both business and engineering records that could reveal sensitive details about the company’s production processes. In similar cases, ransomware-related data leaks have exposed proprietary CAD files, manufacturing blueprints, and client payment histories, creating financial and reputational damage that lasts years beyond the initial breach.

Brazil’s Growing Ransomware Problem

Brazil has become one of the most targeted countries in Latin America for ransomware attacks, with a surge in incidents affecting logistics, industrial, and construction firms throughout 2025. Groups like LockBit, Qilin, and BEAST have expanded operations in the region, taking advantage of underfunded IT security departments and inconsistent cyber defense frameworks. Manufacturing firms, in particular, are vulnerable due to their reliance on continuous operations and the high cost of downtime.

The Brazilian government has urged private companies to adopt stronger cybersecurity policies and engage in proactive monitoring. However, many small and mid-sized industrial firms lack the resources to maintain round-the-clock protection or incident response capabilities. The Noroaco data breach underscores this growing gap between cyber resilience and operational dependency in critical sectors.

Technical Analysis

Ransomware attacks like the one that caused the Noroaco data breach typically begin with credential harvesting through phishing emails or brute-force attacks on remote access ports. Once inside, attackers deploy malware that scans the network for domain controllers, shared storage, and backup systems. BEAST is believed to use a combination of PowerShell scripts and data exfiltration tools to compress and encrypt large archives before transferring them to servers controlled by the group.

The attackers often exploit known vulnerabilities in outdated firewalls or VPN gateways, which remain common in manufacturing networks. After exfiltrating critical data, BEAST operators encrypt system files and display ransom notes demanding cryptocurrency payments in exchange for decryption keys and suppression of public data leaks. If no payment is made, stolen data is later released on dark web forums and data leak portals to further pressure the victim.

Potential Consequences

The repercussions of the Noroaco data breach could be significant for both the company and its clients. In addition to immediate financial and reputational damage, leaked intellectual property could weaken Noroaco’s market position. The exposure of internal documents could also lead to compliance issues with trade regulators or expose private customer information, depending on the contents of the compromised archives. For companies in the industrial supply chain, such incidents can result in cascading effects, including contract terminations, delayed shipments, and reduced trust from clients.

Cybersecurity experts advise that manufacturing companies adopt a layered defense strategy to prevent ransomware infiltration. This includes segmenting production networks, implementing endpoint detection and response (EDR) systems, maintaining offline backups, and ensuring all third-party vendors meet cybersecurity standards. The Noroaco incident highlights how attackers exploit the weakest links in digital ecosystems, often gaining access through vendors or unsecured industrial IoT devices.

Mitigation and Recommendations

To prevent similar attacks, organizations in the industrial and manufacturing sectors should prioritize the following actions:

• Regularly patch and update all operating systems and network devices.
• Use strong, unique passwords combined with multi-factor authentication (MFA) for remote logins.
• Implement network segmentation to isolate OT environments from business IT systems.
• Perform frequent security assessments and penetration testing to identify weak points.
• Maintain encrypted offline backups and regularly test restoration procedures.
• Deploy real-time monitoring tools to detect unusual network traffic or unauthorized data transfers.

In the event of a ransomware incident, experts recommend isolating infected systems immediately, reporting the breach to law enforcement, and consulting cybersecurity professionals before engaging with attackers. Affected individuals and companies should monitor for potential fraud or identity theft. Tools like Malwarebytes can help detect and remove ransomware-related threats from affected networks.

Ongoing Situation

The Noroaco data breach is currently listed as “unpublished” on BEAST’s leak portal, meaning the stolen files have not been publicly distributed. However, based on BEAST’s previous behavior, data is often released within days or weeks if ransom demands are not met. If this happens, it would represent one of the largest manufacturing data breaches in Brazil in 2025, given the 750GB of compromised information.

This attack adds to a growing pattern of targeted ransomware campaigns in Latin America’s industrial sector. As companies like Noroaco work to restore operations and secure their systems, cybersecurity researchers are urging others in the region to strengthen their defenses against increasingly organized cybercrime groups.

For continued coverage of major data breaches and evolving cybersecurity threats, visit Botcrawl for real-time updates and analysis.