LockBit Ransomware Hits Sullivan Steel Services: Key Details

Incident Date: August 11, 2024

Overview

Victim: Sullivan Steel Services

Attacker: Lockbit3

Location: Pennington, USA; New Jersey, USA

First Reported: August 11, 2024

Ransomware Attack on Sullivan Steel Services by LockBit

On August 12, 2024, Sullivan Steel Services, a specialized steel service center, became the latest victim of a ransomware attack orchestrated by the notorious cybercriminal group LockBit. The attack targeted the company's website and has raised significant concerns about the security of sensitive information and potential operational disruptions.

About Sullivan Steel Services

Sullivan Steel Services, founded in 1980, operates primarily in the distribution of high-performance steel products. The company caters to highly specialized markets, including aerospace, automotive, and manufacturing sectors. Known for its extensive inventory of specialty steel grades, Sullivan Steel Services provides materials such as stainless bearing steels, carburizing stainless steels, and high-temperature steels like M50 and 9310 VAR. The company emphasizes its in-house knowledge, research and development capabilities, and a commitment to fast turnaround times without minimum order requirements.

What Makes Sullivan Steel Services Stand Out

Sullivan Steel Services distinguishes itself through its expert in-house knowledge and engineering experience, which allow it to provide tailored advice and support to customers. Its product range includes high-performance materials like XD15NW® and XD16N bars, which are valued for superior properties such as high fatigue resistance and exceptional surface hardness. The company also ensures that all products comply with the Defense Federal Acquisition Regulation Supplement (DFARS), meeting the stringent quality standards required for defense and aerospace applications.

Vulnerabilities and Attack Overview

Despite its offerings, Sullivan Steel Services was vulnerable to cyber threats, as evidenced by the recent ransomware attack. The exact size of the data leak remains unknown, but the incident underscores the persistent threat posed by ransomware to critical supply chain entities. The breach has raised significant concerns about the security of sensitive information and the potential operational disruptions for Sullivan Steel Services.

About LockBit Ransomware Group

LockBit is a highly sophisticated ransomware-as-a-service (RaaS) group that has been active since September 2019. It has become the most active ransomware group, responsible for over one-third of all ransomware attacks in the latter half of 2022 and the first quarter of 2023. LockBit employs "double extortion" tactics, exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid. The ransomware uses a combination of RSA-2048 and AES-256 encryption algorithms to encrypt victims' files and exploits vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to spread quickly across a network.

Penetration Methods

LockBit is designed to exploit vulnerabilities in RDP services and unsecured network shares, allowing it to spread quickly across a network. The ransomware also performs a check to avoid executing on computer systems with installed languages common to the Commonwealth of Independent States (CIS) region. Indicators of Compromise (IOCs) for LockBit include the creation of a mutual exclusion object (Mutex) when executed, the use of a unique icon, and changes to the victim's computer wallpaper.
