Paraguay’s River Gateway Under Siege: Lynx Ransomware Hits TERPORT

In the early hours of December 21, 2025, Paraguay’s most sophisticated river port operator, TERPORT, found itself thrust into the international cybercrime spotlight. The notorious Lynx ransomware group announced TERPORT as its latest victim, sending shockwaves through the region’s logistics and shipping sectors. As global trade increasingly relies on digital infrastructure, this brazen cyberattack underscores the vulnerabilities lurking beneath the surface of critical port operations.

The Anatomy of an Attack

TERPORT, a key player operating the TERPORT-VILLETA and TERPORT-SAN ANTONIO terminals, is responsible for a significant portion of Paraguay’s river-based trade. Their services span container depots, bonded warehousing, and roll-on/roll-off (RORO) logistics - making them a linchpin in the movement of goods throughout South America.

On December 21, 2025, ransomware.live, an independent threat intelligence platform, discovered that the Lynx group had listed TERPORT as a victim on its leak site. While the precise technical details remain undisclosed, such attacks typically involve hackers infiltrating a company’s network, encrypting vital data, and threatening to leak sensitive information unless a ransom is paid.

DNS records for terport.com.py were published alongside the leak, confirming the authenticity of the target. Although no stolen data was distributed by reporting platforms, the mere public listing of TERPORT sends a chilling message to the logistics industry: even the most advanced terminals are not immune to digital extortion.

Broader Implications for Critical Infrastructure

Ransomware attacks on port operators are not merely IT headaches - they can disrupt entire supply chains, delay shipments, and compromise cross-border commerce. TERPORT’s strategic location along the Parana-Paraguay Waterway amplifies the potential fallout. With increasing automation and connectivity at modern terminals, cyberattacks can have real-world consequences, from halted operations to breached contracts and eroded trust among international partners.

The Lynx gang, known for targeting high-value infrastructure, appears to be escalating its focus on the logistics sector. Experts warn that as ransomware tactics evolve, organizations managing critical infrastructure must bolster their cyber-resilience or risk cascading economic impacts.

Looking Ahead

As TERPORT works to assess and contain the damage, the incident serves as a wake-up call for Latin America’s logistics sector. Robust cybersecurity practices, employee training, and rapid response protocols are now as essential as cranes and cargo ships. In the shadowy battle between cybercriminals and defenders, the stakes have never been higher for the arteries of global trade.

WIKICROOK

• Ransomware: Ransomware is malicious software that encrypts or locks data, demanding payment from victims to restore access to their files or systems.
• DNS Records: DNS records are digital instructions that direct internet traffic to the right servers, ensuring websites and services are accessible and secure.
• Leak Site: A leak site is a website where cybercriminals post or threaten to post stolen data to pressure victims into paying a ransom.
• Critical Infrastructure: Critical infrastructure includes key systems - like power, water, and healthcare - whose failure would seriously disrupt society or the economy.
• Roll: 'Roll' in cybersecurity means periodically changing credentials, like passwords or keys, to minimize risks from compromised access and enhance security.