LockBit Ransomware Hits Great Lakes Supply: Major Cyberattack on HVAC Industry

Incident Date: July 19, 2024


Overview

Title: LockBit Ransomware Hits Great Lakes Supply: Major Cyberattack on HVAC Industry
Victim: Great Lakes Supply
Attacker: Lockbit3
Location: Howell, Michigan, USA
First Reported: July 19, 2024

LockBit Ransomware Group Targets Great Lakes Supply in Devastating Cyberattack

Overview of the Attack

Great Lakes Supply, a prominent provider of heating, ventilation, and air conditioning (HVAC) solutions, has become the latest victim of a ransomware attack carried out by the LockBit group. The attack was publicly disclosed on July 19, 2024, via LockBit's dark web leak site. The extent of the data breach remains unclear, but the incident has raised significant concerns about the security of sensitive information belonging to the company's diverse clientele.

About Great Lakes Supply

Great Lakes Supply, operating under the domain glsco.com, specializes in packaged terminal air conditioners (PTACs) and serves various sectors, including hospitality, healthcare, assisted living, education, and multi-family housing. The company distinguishes itself by engaging deeply throughout the entire product life cycle, from initial specification to installation and ongoing support. Their commitment to quality and customer service has made them a trusted partner in the HVAC industry.

Company Size and Operations

While specific employee numbers and revenue figures for Great Lakes Supply are not readily available, its LinkedIn presence indicates a relatively small but specialized operation. The company handles both new installations and replacements, claiming the capability to replace approximately 99% of in-room and packaged heating and cooling units ever produced. Its extensive product offerings and expertise in sourcing hard-to-find HVAC items set it apart in the industry.

Vulnerabilities and Targeting

Great Lakes Supply's extensive involvement in various sectors and their handling of sensitive client information make them an attractive target for ransomware groups like LockBit. The company's reliance on digital systems for product specification, distribution, and customer support could have presented multiple entry points for cybercriminals. The attack underscores the importance of robust cybersecurity measures, especially for companies deeply integrated into critical infrastructure sectors.

About LockBit Ransomware Group

LockBit, also known as LockBit Black, is a highly sophisticated ransomware-as-a-service (RaaS) group active since September 2019. It has become the most active ransomware group, responsible for over one-third of all ransomware attacks in recent years. LockBit employs "double extortion" tactics, exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid. The group is known for exploiting vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to spread quickly across networks.

Penetration Tactics

LockBit's modular ransomware keeps its payload encrypted until execution, hindering malware analysis and detection. It uses a combination of RSA-2048 and AES-256 encryption algorithms to encrypt victims' files. The group typically demands payment in Bitcoin, ranging from several thousand to several hundred thousand dollars. Indicators of Compromise (IOCs) for LockBit include the creation of a mutual exclusion object (mutex) on execution, the use of a unique icon, and changes to the victim's desktop wallpaper.
