ElDorado Ransomware Group Strikes TBM Consulting Group

Incident Date: June 6, 2024

Overview

Title: ElDorado Ransomware Group Strikes TBM Consulting Group

Victim: TBM Consulting Group

Attacker: ElDorado

Location: Morrisville, North Carolina, USA

First Reported: June 6, 2024

ElDorado Ransomware Group Targets TBM Consulting Group

Overview of the Attack

The ransomware group ElDorado has claimed responsibility for a significant cyberattack on TBM Consulting Group, a management consulting firm specializing in operational excellence and business transformation. The attack resulted in the exfiltration of 485GB of sensitive data, which has been put up for sale on ElDorado's dark web leak site.

About TBM Consulting Group

TBM Consulting Group, headquartered in Morrisville, North Carolina, is a global operations consulting firm with a focus on Lean and Six Sigma methodologies. The company employs between 201 and 500 individuals and generates an annual revenue of approximately $40 million. TBM Consulting Group is renowned for its expertise in operational excellence, supply chain management, and private equity operational due diligence. The firm works with various industries, including manufacturing, healthcare, and services, to enhance efficiency, reduce waste, and increase profitability.

Vulnerabilities and Impact

TBM Consulting Group's strong industry standing did not protect it; its extensive client network and the valuable data it holds made it an attractive target for cybercriminals. The attack has exposed gaps in the company's cybersecurity defenses and caused significant operational and reputational damage. The exfiltrated data includes sensitive information whose disclosure could have severe consequences for the firm's clients and partners.

Profile of ElDorado Ransomware Group

ElDorado emerged in 2024 and quickly gained notoriety for its double-extortion tactics. The group not only encrypts victims' files but also exfiltrates sensitive data, threatening to release it publicly if ransom demands are not met. ElDorado's methodical approach involves thorough reconnaissance to identify valuable data; the files it encrypts are marked with the extension .00000001. The group gains initial access through phishing attacks, unpatched vulnerabilities, and weaknesses in Remote Desktop Protocol (RDP) configurations.

Penetration Tactics

ElDorado likely penetrated TBM Consulting Group's systems through a combination of phishing and the exploitation of unpatched software vulnerabilities. Once inside, the operators used legitimate system administration tools to blend in with normal activity, making detection difficult. The stolen data serves as leverage in the group's extortion attempt, adding pressure on the victim to comply with its ransom demands.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.