LockBit Ransomware Hits Texas Engineering Firm Fanning & Associates

Incident Date: August 30, 2024

Overview

Title: LockBit Ransomware Hits Texas Engineering Firm Fanning & Associates

Victim: Fanning Fanning & Associates Inc.

Attacker: Lockbit3

Location: Lubbock, USA; Texas, USA

First Reported: August 30, 2024

LockBit Ransomware Group Targets Fanning, Fanning & Associates Inc.

Fanning, Fanning & Associates Inc., a consulting engineering firm based in Lubbock, Texas, has recently fallen victim to a ransomware attack orchestrated by the notorious LockBit group. The attack was disclosed on LockBit's dark web leak site, raising concerns about the security of sensitive data and the operational integrity of the firm.

About Fanning, Fanning & Associates Inc.

Fanning, Fanning & Associates Inc. specializes in a wide range of engineering services, including mechanical, electrical, and plumbing (MEP) design, plant layout, HVAC, and energy conservation. The firm also provides utilities, district heating and cooling plants, and communication systems for various types of buildings, including institutional, commercial, and industrial structures. Their comprehensive design services encompass the preparation of drawings, specifications, and bid documents, as well as master planning, engineering reports, feasibility studies, and construction phase services.

The company is a member of several professional organizations, such as ASHRAE, CSI, and NFPA, which underscores its commitment to industry standards and continuous professional development. The leadership team includes Scott Fanning as President and Allen Ware as Vice President, among other key members. Despite being a relatively small firm, typically employing between 2 and 10 individuals, Fanning, Fanning & Associates has built a reputation for delivering high-quality engineering solutions.

Attack Overview

The ransomware attack on Fanning, Fanning & Associates was discovered on September 5, 2023. While the exact size of the data leak remains unknown, the attack has undoubtedly disrupted the company's operations and potentially compromised sensitive information. The incident highlights the growing threat of ransomware attacks in the engineering and construction sectors, emphasizing the need for enhanced cybersecurity measures.

About LockBit Ransomware Group

LockBit is a highly sophisticated ransomware-as-a-service (RaaS) group that has been active since September 2019. It has become the most active ransomware group, responsible for over one-third of all ransomware attacks in the latter half of 2022 and the first quarter of 2023. LockBit employs "double extortion" tactics, exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid. The ransomware uses a combination of RSA-2048 and AES-256 encryption algorithms to encrypt victims' files.

LockBit is designed to exploit vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to spread quickly across a network. It performs a check to avoid executing on computer systems with installed languages common to the Commonwealth of Independent States (CIS) region. Indicators of Compromise (IOCs) for LockBit include the creation of a mutual exclusion object (Mutex) when executed, the use of a unique icon, and changes to the victim's computer wallpaper.

Potential Vulnerabilities

Fanning, Fanning & Associates, like many small to medium-sized enterprises, may have been targeted due to potential vulnerabilities in their cybersecurity infrastructure. The firm's reliance on specialized engineering software and the need for extensive data storage could have made them an attractive target for LockBit. Additionally, the use of RDP services and unsecured network shares could have provided an entry point for the ransomware.
