Cloak Ransomware Hits Leading Texas Highway Contractor Longview Bridge and Road

Incident Date: June 27, 2024

Overview

Victim: Longview Bridge and Road, Ltd.

Attacker: Cloak

Location: Longview, Texas, USA

First Reported: June 27, 2024

Ransomware Attack on Longview Bridge and Road, Ltd. by Cloak Group

Overview of Longview Bridge and Road, Ltd.

Longview Bridge and Road, Ltd. is a family-owned heavy highway construction company based in Longview, Texas. Established in 1989, the company has grown to become the leading heavy highway contractor in the East Texas region. Specializing in heavy civil construction projects, Longview Bridge and Road, Ltd. focuses on building and maintaining infrastructure such as roads, bridges, and other related structures. The company employs a team of skilled professionals, including engineers, project managers, and construction workers, who work collaboratively to ensure that projects are completed on time, within budget, and to the highest standards of quality and safety.

Longview Bridge and Road, Ltd. is committed to sustainability and environmental responsibility, implementing best practices in construction to minimize environmental impact. The company prioritizes safety on all job sites, adhering to strict safety protocols to protect its workers and the public. With a workforce of between 100 and 249 employees, the company is a sizable regional player in the heavy highway construction industry.

Details of the Ransomware Attack

In a recent cyberattack, the Cloak ransomware group claimed responsibility for targeting Longview Bridge and Road, Ltd. The attack was announced on Cloak's dark web leak site, where the group threatened to publish the company's data if a ransom was not paid. The attack has raised concerns about the vulnerabilities of construction companies to ransomware attacks, particularly those that handle critical infrastructure projects.

The exact method of infiltration used by the Cloak group remains unclear, but it is known that the group often buys initial access from Initial Access Brokers (IABs) on underground marketplaces. Once inside the victim's network, Cloak deploys its ransomware to encrypt data and demands a ransom payment. If the victim refuses to pay, the data is published on Cloak's Data Leak Site (DLS) for free download by anyone.

Profile of the Cloak Ransomware Group

The Cloak ransomware group is a newly emerged threat actor that has been active since late 2022. Despite its recent activities, the origins and organizational structure of the group remain largely unknown. Cloak primarily targets small to medium-sized businesses, focusing on Europe with a special emphasis on Germany. The most impacted sectors include the medical industry, real estate, construction, IT, food industry, and manufacturing.

Cloak distinguishes itself by having a remarkably high payment rate of 91-96%. The group is financially motivated, with criminal activity aimed at personal and financial gain. Cloak is also known to have ties with the Good Day ransomware variant, which is part of the ARCrypter family. Good Day victims are threatened with having their data leaked or sold on the Cloak website.

Potential Vulnerabilities and Penetration Methods

Construction companies like Longview Bridge and Road, Ltd. are particularly vulnerable to ransomware attacks due to the critical nature of their projects and the potential for significant disruption. The use of advanced construction techniques and state-of-the-art equipment may also introduce vulnerabilities if not properly secured. Additionally, the reliance on digital systems for project management and communication can create entry points for threat actors.

The Cloak group likely penetrated Longview Bridge and Road, Ltd.'s systems by purchasing initial access from IABs. This method allows the group to bypass some of the initial security measures and gain a foothold within the network. Once inside, the group can deploy its ransomware to encrypt data and demand a ransom payment.
