Halliburton cyberattack linked to RansomHub ransomware gang

The RansomHub ransomware gang is behind the recent cyberattack on oil and gas services giant Halliburton, which disrupted the company's IT systems and business operations.

The attack caused widespread disruption, and BleepingComputer was told that customers could not generate invoices or purchase orders because the required systems were down.

Halliburton disclosed the attack last Friday in an SEC filing, stating it suffered a cyberattack on August 21, 2024, by an unauthorized party.

“On August 21, 2024, Halliburton Company (the “Firm”) became aware that an unauthorized third party gained access to certain of its systems,” reads Halliburton's SEC filing.

“When the Company learned of the issue, the Company activated its cybersecurity response plan and launched an investigation internally with the support of external advisors to assess and remediate the unauthorized activity.”

The company provides numerous services to oil and gas companies, including well construction, drilling, hydraulic fracturing (fracking), and IT software and services. Because of the company's wide range of services, there is a great deal of connectivity between it and its customers.

However, the company has not shared many details about the attack, with a customer in the oil and gas industry telling BleepingComputer that they have been left in the dark about determining whether the attack impacted them and how to protect themselves.

This has caused other customers to disconnect from Halliburton due to the lack of information being shared.

BleepingComputer has also been told that some companies are working with ONG-ISAC, an agency that acts as a central point of coordination and communication for physical and cybersecurity threats against the oil and gas industry, to obtain technical information about the attack and determine whether they were breached as well.

RansomHub ransomware behind the attack

For days, there have been rumors that Halliburton suffered a RansomHub ransomware attack, with users claiming this on Reddit and on the job layoff discussion site TheLayoff, where a partial RansomHub ransom note was published.

When BleepingComputer contacted Halliburton about these claims, Halliburton said it was not making any further comments.

“We are not commenting beyond what was included in our filing. Any subsequent communications will be in the form of an 8-K,” Halliburton told BleepingComputer.

However, in an August 26 email sent to suppliers and shared with BleepingComputer, Halliburton provided additional information, stating that the company took systems offline to protect them and is working with Mandiant to investigate the incident.

“We are reaching out to update you about a cybersecurity issue affecting Halliburton,” reads the letter seen by BleepingComputer.

“As soon as we learned of the issue, we activated our cybersecurity response plan and took steps to address it, including (1) proactively taking certain systems offline to help protect them, (2) engaging the support of leading external advisors, including Mandiant, and (3) notifying law enforcement.”

They also said that their email systems continue to operate as they are hosted on Microsoft Azure infrastructure. A workaround is also available for transacting and issuing purchase orders.

This email includes a list of IOCs containing file names and IP addresses associated with the attack that customers can use to detect similar activity on their network.

One of these IOCs is for a Windows executable named maintenance.exe, which BleepingComputer has confirmed to be a RansomHub ransomware encryptor.

After analyzing the sample, it appears to be a newer version than those previously analyzed, as it contains a new “-cmd string” command-line argument, which will execute a command on the device before encrypting files.
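The article does not reproduce the file names or IP addresses from Halliburton's supplier email, so the script below, an added example rather than anything from BleepingComputer or Halliburton, shows only the shape of the check a customer would run: match a small IOC list of file names and IP ranges against process-creation and network-connection telemetry, and annotate any hit whose command line carries the "-cmd" argument the article describes. The IOC values (a placeholder executable name and an RFC 5737 test network), the key=value log layout and the log lines themselves are all constructed for the example.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed placeholder indicators. The real file names and IP addresses
# from Halliburton's email are not reproduced in the article, so a defender
# would substitute the list received from the vendor or from ONG-ISAC here.
IOC_FILENAMES = {"placeholder-encryptor.exe"}
IOC_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # RFC 5737 test range

# Constructed sample telemetry in a simple key=value layout (not real logs).
SAMPLE_LOGS = [
    'ts=2024-08-21T03:12:44Z host=WS-0417 event=process_create '
    'image="C:\\Users\\Public\\placeholder-encryptor.exe" '
    'cmdline="placeholder-encryptor.exe -cmd <redacted>"',
    'ts=2024-08-21T03:12:45Z host=WS-0417 event=network_connect '
    'image="C:\\Users\\Public\\placeholder-encryptor.exe" dst_ip=192.0.2.44 dst_port=443',
    'ts=2024-08-21T03:15:02Z host=WS-0418 event=process_create '
    'image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe report.txt"',
    'ts=2024-08-21T03:16:10Z host=WS-0419 event=network_connect '
    'image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" dst_ip=198.51.100.7 dst_port=443',
]

# key=value tokens; quoted values may contain spaces and backslashes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The new argument described in the article, as a standalone token.
CMD_ARG_RE = re.compile(r"(^|\s)-cmd(\s|$)")


@dataclass
class Finding:
    line_no: int
    host: str
    reason: str


def parse_line(line: str) -> dict[str, str]:
    """Split one log line into a field dictionary, stripping surrounding quotes."""
    fields: dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ip_in_iocs(ip: str) -> bool:
    """True when the address falls inside any IOC network; malformed input is not a hit."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in IOC_NETWORKS)


def scan(lines: Iterable[str]) -> list[Finding]:
    """Return one Finding per IOC match, in log order."""
    findings: list[Finding] = []
    for n, line in enumerate(lines, 1):
        f = parse_line(line)
        host = f.get("host", "?")
        event = f.get("event", "")
        if event == "process_create" and basename(f.get("image", "")) in IOC_FILENAMES:
            reason = f"IOC file name {basename(f['image'])} executed"
            if CMD_ARG_RE.search(f.get("cmdline", "")):
                reason += " with -cmd argument (pre-encryption command execution)"
            findings.append(Finding(n, host, reason))
        elif event == "network_connect" and ip_in_iocs(f.get("dst_ip", "")):
            findings.append(Finding(n, host, f"connection to IOC address {f['dst_ip']}"))
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no} {hit.host}: {hit.reason}")
```

Matching on the file name alone is the weakest part of any IOC list, since the encryptor can be renamed; the network indicators and the unusual "-cmd" argument on a process-creation event are the parts worth keeping as a hunt query after the vendor's list has been consumed.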

RansomHub encryptor used in Halliburton attack
Source: BleepingComputer

RansomHub

The RansomHub ransomware operation launched in February 2024, claiming it was a data theft and extortion group that sold stolen data to the highest bidder.

However, soon after, it was discovered that the operation also utilized ransomware encryptors in its double-extortion attacks, where the threat actors breached networks, stole data, and then encrypted files.

The encrypted files and the threat to leak stolen data were then used as leverage to scare companies into paying a ransom.

Symantec analyzed the ransomware encryptors and reported that they were based on the Knight ransomware encryptors, formerly known as Cyclops.

The Knight operation claimed they sold their source code in February 2024 and shut down just as RansomHub launched. This has led many researchers to believe that RansomHub is a rebrand of the Knight ransomware operation.

Today, the FBI released an advisory about RansomHub, sharing the threat actor's tactics and warning that they have breached at least 210 victims since February.

It is common for the FBI and CISA to publish coordinated advisories on threat actors soon after they conduct a highly impactful attack on critical infrastructure, such as Halliburton. However, it is not known if the advisory and the attack are linked.

Since the start of the year, RansomHub has been responsible for numerous high-profile attacks, including those on American not-for-profit credit union Patelco, the Rite Aid drugstore chain, the Christie's auction house, and U.S. telecom provider Frontier Communications.

The ransomware operation's data leak site was also used to leak stolen data belonging to Change Healthcare following the shutdown of the BlackCat/ALPHV ransomware operation.

It is believed that after BlackCat shut down, some of its affiliates moved to RansomHub, allowing it to rapidly escalate its attacks with experienced ransomware threat actors.
