RansomHouse attacks Wison Engineering

Incident Date:

June 14, 2023

Wison Engineering




Shanghai, China

First Reported

June 14, 2023

RansomHouse Ransomware Gang Attacks Wison Engineering

The RansomHouse ransomware gang has attacked Wison Engineering, a chemical EPC and technology provider headquartered in Shanghai, China. The company was founded in 1997 and specializes in the petrochemical, coal-to-chemical, and oil refining industries. RansomHouse posted Wison Engineering to its data leak site on June 14th, claiming to have stolen more than 2.5 TB of company data.

RansomHouse's Unique Approach

RansomHouse, a relatively new operation, specializes in infiltrating networks through vulnerabilities to steal valuable data. While new malicious actors emerge regularly, RansomHouse exhibits characteristics that diverge from the norms threat researchers usually observe. Contrary to its name, RansomHouse does not follow the conventional ransomware approach and operates as a cybercriminal entity engaged in data extortion: it skips the encryption phase and instead demands payment for the stolen data. Notably, the threat actors disclaim responsibility for their actions and blame the victim organizations for their inadequate security measures.

Methodology and Consequences

RansomHouse conducts financially motivated campaigns focused on manually exfiltrating data without employing encryption modules. Its methodology is straightforward: the group devotes its resources to exfiltrating data and researching vulnerabilities, so its attacks are less intricate than traditional asset-encryption attacks. When a victim refuses to pay the ransom, RansomHouse resorts to public shaming by publishing a portion of the victim's data on its website. This strategy is intended to damage targeted organizations by drawing attention from customers and shareholders.

RansomHouse's website links to media posts about victims currently being extorted, which shows that publicity serves as a secondary method of extortion. Should victims persist in refusing to pay, RansomHouse offers the stolen data for sale on the dark web. If no interested buyers are found, the group publishes all the data on its Tor site.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous and the most financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated from the hosting choices of real-world threat actors and a handful of other trackers. While sanitization efforts have been made, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.