Ransomware Attack on Gallos Metal Solutions by Akira Group

Overview of Gallos Metal Solutions

Gallos Metal Solutions, Inc., based in Milwaukee, Wisconsin, is a specialized metal heat treating company. Founded in 1974, the company has established itself as a leader in continuous mesh belt atmosphere heat treating. With a workforce of five employees, Gallos Metal Solutions is capable of processing large volumes of small parts in their continuous furnaces. The company prides itself on precise atmosphere and temperature control, ensuring uniform case depths and consistent hardness across parts.

Gallos Metal Solutions serves a diverse range of industries, including construction, automotive, aerospace, and industrial manufacturing. Their services encompass custom metal fabrication, welding, machining, and metal finishing. The company is known for its commitment to quality and customer satisfaction, leveraging advanced technologies and skilled craftsmanship to deliver high-quality metalworking solutions.

Details of the Ransomware Attack

On June 27, 2024, Gallos Metal Solutions fell victim to a ransomware attack orchestrated by the Akira ransomware group. The attack resulted in a significant data breach, compromising sensitive information such as employees' personal files, non-disclosure agreements (NDAs), financial data, and other internal business documents. The exact size of the data leak remains unknown at this time.

The Akira ransomware group claimed responsibility for the attack via their dark web leak site, where they listed Gallos Metal Solutions as one of their victims. The group is known for employing double extortion tactics, where they steal data before encrypting systems and then demand a ransom for both decryption and data deletion.

Profile of the Akira Ransomware Group

Akira is a relatively new but rapidly growing ransomware family that first emerged in March 2023. The group has been targeting small to medium-sized businesses across various sectors, including manufacturing, technology, education, and telecommunications. Akira is believed to be affiliated with the now-defunct Conti ransomware gang, as their code shares similarities with Conti.

Akira's ransom demands typically range from $200,000 to over $4 million. The group distinguishes itself with a unique dark web leak site featuring a retro 1980s-style green-on-black interface that victims must navigate by typing commands. Akira's tactics include unauthorized access to VPNs, credential theft, and lateral movement to deploy the ransomware. They have also been observed using tools like RClone, FileZilla, and WinSCP for data exfiltration.

In April 2023, Akira expanded its operations to target Linux-based VMware ESXi virtual machines in addition to Windows systems. As of January 2024, the group has claimed over 250 victims and $42 million in ransomware proceeds.

Potential Vulnerabilities and Attack Penetration

Gallos Metal Solutions, like many small to medium-sized businesses, may have been targeted due to potential vulnerabilities in their cybersecurity infrastructure. The company's reliance on advanced technologies and continuous furnaces for metal heat treating could have made them an attractive target for threat actors seeking to disrupt critical operations.

Akira's penetration methods often involve exploiting weak points in VPNs and stealing credentials to gain unauthorized access. Once inside the network, the group uses lateral movement techniques to deploy ransomware across systems. The use of data exfiltration tools like RClone, FileZilla, and WinSCP suggests that Akira prioritizes stealing sensitive information before encrypting systems, increasing the pressure on victims to pay the ransom.

Sources:

• Gallos Metal Solutions Inc. Company Profile
• Gallos Metal Solutions Official Website
• Trellix: Akira Ransomware
• IC3: Akira Ransomware Report