Galloway & MacLeod Hit by RansomHub Ransomware Attack

Incident Date: September 18, 2024

Overview

Victim: Galloway & MacLeod

Attacker: RansomHub

Location: Larkhall, United Kingdom

First Reported: September 18, 2024

RansomHub Ransomware Attack on Galloway & MacLeod

Galloway & MacLeod Ltd, a prominent UK-based animal feed manufacturer, has recently fallen victim to a ransomware attack orchestrated by the RansomHub group. The attackers claim to have accessed over 100GB of the company's data, including a zipped MSSQL file totaling 20GB.

About Galloway & MacLeod

Established in 1872 and based in Stonehouse, South Lanarkshire, Galloway & MacLeod specializes in the manufacture and supply of animal feeds and agricultural supplies. The company operates from a substantial four-acre site that includes offices, a feed mill, a distribution depot, and a feed superstore. With around 34 employees, the company is known for its commitment to quality and innovation in animal nutrition, holding multiple certifications such as ISO 9001 and memberships in industry assurance schemes like UFAS and FIAS.

Attack Overview

The ransomware attack on Galloway & MacLeod was claimed by RansomHub, a Ransomware-as-a-Service (RaaS) group known for its aggressive and adaptable affiliate model. The group has a reputation for targeting high-value sectors and employing double extortion tactics, which involve encrypting victims' data and exfiltrating sensitive information for additional leverage in ransom demands.

RansomHub's Modus Operandi

RansomHub emerged as a successor to the Cyclops and Knight ransomware variants, filling a power vacuum created by law enforcement actions against other groups. The group is known for its speed and efficiency, using intermittent encryption to minimize encryption time while maintaining impact. RansomHub affiliates primarily use phishing campaigns, vulnerability exploitation, and password spraying to gain initial access. They then conduct multi-phase attacks involving network reconnaissance, privilege escalation, and data exfiltration before encrypting files.

Potential Vulnerabilities

Galloway & MacLeod's reliance on digital systems for operations and data management makes it vulnerable to ransomware attacks. The company's extensive use of MSSQL databases, as indicated by the 20GB zipped MSSQL file accessed by the attackers, suggests that database security may be a critical area of concern. Additionally, the company's commitment to innovation and quality assurance, while beneficial, may also make it an attractive target for threat actors seeking to disrupt operations and demand high ransoms.
