RansomHouse Strikes GARSA: Major Ransomware Attack on Spanish Firm

Incident Date: June 28, 2024



Gestores Administrativos Reunidos




Alicante, Spain

First Reported: June 28, 2024

RansomHouse Targets Gestores Administrativos Reunidos in Ransomware Attack

Overview of the Victim: Gestores Administrativos Reunidos (GARSA)

Gestores Administrativos Reunidos SA, commonly known as GARSA, is a prominent Spanish company specializing in administrative management and services. With a workforce exceeding 249 employees and an annual turnover between 10 and 50 million euros, GARSA is a significant player in the financial and real estate sectors in Spain. The company offers a wide range of services, including the management of public and private documentation, tax management, real estate transactions, and vehicle management. Their comprehensive solutions are designed to alleviate the administrative burden on their clients, allowing them to focus on their core activities and improve overall efficiency.

Attack Overview

On June 28, 2024, GARSA fell victim to a ransomware attack orchestrated by the RansomHouse group. The extent of the data breach remains unknown, but the attack has raised significant concerns about the security of sensitive data managed by the company. RansomHouse, known for its unique approach to ransomware, does not encrypt files but instead exfiltrates sensitive data and threatens to release it publicly if a ransom is not paid.

RansomHouse: A Distinctive Ransomware Group

RansomHouse emerged in late 2021 and distinguishes itself from traditional ransomware groups by focusing on data exfiltration rather than file encryption. The group claims to be a "professional mediators community" and positions itself as a force for good, aiming to highlight companies' security deficiencies. RansomHouse uses a Tor-based chat room and a data leak blog to communicate with victims and negotiate ransoms, accepting payments in Bitcoin. The group has been linked to other ransomware entities such as White Rabbit and Hive, indicating a collaborative approach in the cybercriminal ecosystem.

Potential Vulnerabilities and Penetration Methods

While the specific vulnerabilities exploited in the GARSA attack are not publicly disclosed, several potential weaknesses could have been targeted by RansomHouse. These may include inadequate network security measures, outdated software, and insufficient employee training on cybersecurity best practices. RansomHouse's modus operandi involves penetrating systems through vulnerabilities, exfiltrating sensitive data, and then leveraging this data to extort victims. The group's focus on data exfiltration rather than encryption allows for stealthier attacks, potentially extending the dwell time before detection.

Implications for GARSA and the Industry

The attack on GARSA underscores the growing threat posed by ransomware groups like RansomHouse, which exploit vulnerabilities in companies' cybersecurity defenses. As a company that handles sensitive financial and real estate data, GARSA's breach could have far-reaching implications for its clients and the broader industry. The incident highlights the need for robust cybersecurity measures and continuous monitoring to protect against sophisticated cyber threats.

