LockBit Ransomware Hits Sullivan Steel Services: Key Details
Ransomware Attack on Sullivan Steel Services by LockBit
On August 12, 2024, Sullivan Steel Services, a specialized steel service center, became the latest victim of a ransomware attack orchestrated by the notorious cybercriminal group LockBit. The attack targeted the company's website and has raised significant concerns about the security of sensitive information and potential operational disruptions.
About Sullivan Steel Services
Sullivan Steel Services, founded in 1980, operates primarily in the distribution of high-performance steel products. The company caters to highly specialized markets, including aerospace, automotive, and manufacturing sectors. Known for its extensive inventory of specialty steel grades, Sullivan Steel Services provides materials such as stainless bearing steels, carburizing stainless steels, and high-temperature steels like M50 and 9310 VAR. The company emphasizes its in-house knowledge, research and development capabilities, and a commitment to fast turnaround times without minimum order requirements.
What Makes Sullivan Steel Services Stand Out
Sullivan Steel Services distinguishes itself through its expert in-house knowledge and engineering experience, which allow it to provide tailored advice and support to customers. Its product range includes high-performance materials like XD15NW® and XD16N bars, which are valued for their superior properties such as high fatigue resistance and exceptional surface hardness. The company also ensures that all products are compliant with the Defense Federal Acquisition Regulation Supplement (DFARS), meeting the stringent quality standards required for defense and aerospace applications.
Vulnerabilities and Attack Overview
Despite these capabilities, Sullivan Steel Services was vulnerable to cyber threats, as evidenced by the recent ransomware attack. The exact size of the data leak remains unknown, but the incident underscores the persistent threat posed by ransomware to critical supply chain entities. The breach has raised significant concerns about the security of sensitive information and the potential operational disruptions for Sullivan Steel Services.
About LockBit Ransomware Group
LockBit is a highly sophisticated ransomware-as-a-service (RaaS) group that has been active since September 2019. It has become the most active ransomware group, responsible for over one-third of all ransomware attacks in the latter half of 2022 and the first quarter of 2023. LockBit employs "double extortion" tactics, exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid. The ransomware uses a combination of RSA-2048 and AES-256 encryption algorithms to encrypt victims' files. It exploits vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to spread quickly across a network.
Penetration Methods
LockBit is designed to exploit vulnerabilities in RDP services and unsecured network shares, allowing it to spread quickly across a network. The ransomware also performs a check to avoid executing on computer systems with installed languages common to the Commonwealth of Independent States (CIS) region. Indicators of Compromise (IOCs) for LockBit include the creation of a mutual exclusion object (mutex) when executed, the use of a unique icon, and changes to the victim's computer wallpaper.