LockBit Ransomware Group Targets Piedmont Hoist & Crane in Devastating Cyber Attack

Overview of Piedmont Hoist & Crane

Piedmont Hoist & Crane, based in Colfax, North Carolina, is a specialized manufacturer and service provider in the overhead lifting equipment sector. Established in 1993, the company has grown from a small service firm to a prominent player in the industry, employing over 30 individuals and serving more than 400 customers across four states. The company is known for its comprehensive range of products, including overhead cranes, crane components, and custom-engineered solutions. Their adherence to the Crane Manufacturers Association of America (CMAA) specifications ensures high standards of safety and performance.

Details of the Ransomware Attack

The ransomware group LockBit, also known as LockBit Black, has claimed responsibility for a cyber attack on Piedmont Hoist & Crane. The attack was announced on LockBit's dark web leak site, indicating that the company's critical infrastructure has been compromised. This incident has the potential to disrupt various aspects of Piedmont Hoist & Crane's operations, including system design, structural analysis, layout integration, and servicing and repair services. The attack underscores the increasing vulnerability of the manufacturing sector to ransomware threats.

About LockBit Ransomware Group

LockBit is a highly sophisticated ransomware-as-a-service (RaaS) group that has been active since September 2019. It has become one of the most active ransomware groups, responsible for a significant portion of ransomware attacks in recent years. LockBit employs a combination of RSA-2048 and AES-256 encryption algorithms to encrypt victims' files and uses "double extortion" tactics, exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid. The group typically demands payment in Bitcoin, ranging from several thousand to several hundred thousand dollars.

Potential Vulnerabilities and Attack Penetration

LockBit is designed to exploit vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to spread quickly across a network. It performs a check to avoid executing on systems with languages common to the Commonwealth of Independent States (CIS) region. Indicators of Compromise (IOCs) for LockBit include the creation of a mutual exclusion object (Mutex) when executed, the use of a unique icon, and changes to the victim's computer wallpaper. The ransomware group also accepts various command-line parameters to modify its behavior, such as spreading laterally via group policy or admin shares and rebooting into Safe Mode.

Sources

• Piedmont Hoist & Crane
• SOCRadar - LockBit Ransomware
• TXOne Networks - Malware Analysis: LockBit
• Red Piranha - A Look at LockBit Ransomware
• CISA - LockBit Ransomware Profile