LockBit Ransomware Hits Texas Engineering Firm Fanning & Associates
Incident Date:
August 30, 2024
Overview
Title
LockBit Ransomware Hits Texas Engineering Firm Fanning & Associates
Victim
Fanning Fanning & Associates Inc.
Attacker
Lockbit3
Location
First Reported
August 30, 2024
LockBit Ransomware Group Targets Fanning, Fanning & Associates Inc.
Fanning, Fanning & Associates Inc., a consulting engineering firm based in Lubbock, Texas, has recently fallen victim to a ransomware attack orchestrated by the notorious LockBit group. The attack was disclosed on LockBit's dark web leak site, raising concerns about the security of sensitive data and the operational integrity of the firm.
About Fanning, Fanning & Associates Inc.
Fanning, Fanning & Associates Inc. specializes in a wide range of engineering services, including mechanical, electrical, and plumbing (MEP) design, plant layout, HVAC, and energy conservation. The firm also provides utilities, district heating and cooling plants, and communication systems for various types of buildings, including institutional, commercial, and industrial structures. Their comprehensive design services encompass the preparation of drawings, specifications, and bid documents, as well as master planning, engineering reports, feasibility studies, and construction phase services.
The company is a member of several professional organizations, such as ASHRAE, CSI, and NFPA, which underscores their commitment to industry standards and continuous professional development. The leadership team includes Scott Fanning as President and Allen Ware as Vice President, among other key members. Despite being a relatively small firm, typically employing between 2 to 10 individuals, Fanning, Fanning & Associates has built a reputation for delivering high-quality engineering solutions.
Attack Overview
The ransomware attack on Fanning, Fanning & Associates was discovered on September 5, 2023. While the exact size of the data leak remains unknown, the attack has undoubtedly disrupted the company's operations and potentially compromised sensitive information. The incident highlights the growing threat of ransomware attacks in the engineering and construction sectors, emphasizing the need for enhanced cybersecurity measures.
About LockBit Ransomware Group
LockBit is a highly sophisticated ransomware-as-a-service (RaaS) group that has been active since September 2019. It has become the most active ransomware group, responsible for over one-third of all ransomware attacks in the latter half of 2022 and the first quarter of 2023. LockBit employs "double extortion" tactics, exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid. The ransomware uses a combination of RSA-2048 and AES-256 encryption algorithms to encrypt victims' files.
LockBit is designed to exploit vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to spread quickly across a network. It performs a check to avoid executing on computer systems with installed languages common to the Commonwealth of Independent States (CIS) region. Indicators of Compromise (IOCs) for LockBit include the creation of a mutual exclusion object (Mutex) when executed, the use of a unique icon, and changes to the victim's computer wallpaper.
Potential Vulnerabilities
Fanning, Fanning & Associates, like many small to medium-sized enterprises, may have been targeted due to potential vulnerabilities in their cybersecurity infrastructure. The firm's reliance on specialized engineering software and the need for extensive data storage could have made them an attractive target for LockBit. Additionally, the use of RDP services and unsecured network shares could have provided an entry point for the ransomware.
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.