RansomHub Ransomware Attack on ERMA Srl: 350GB of Sensitive Data Stolen
Incident Date: July 18, 2024
Victim: ERMA Srl
Attacker: RansomHub
First Reported: July 18, 2024
Overview of ERMA Srl
ERMA Srl, also known as ERMA-RTMO, is a prominent Italian company specializing in the production, distribution, and sale of aftermarket components and spare parts for earthmoving machines and agricultural equipment. Founded in 1943 by Pio Martini, ERMA has established itself as a leader in the industry. The company offers a wide range of products, including components for major brands such as Caterpillar, Komatsu, Liebherr, and Volvo. ERMA's extensive catalog and well-equipped workshop enable it to provide high-quality original spare parts and alternative options, catering to diverse customer needs.
Details of the Ransomware Attack
On July 19, 2024, ERMA Srl fell victim to a ransomware attack orchestrated by the cybercriminal group RansomHub. The attack resulted in a significant data breach, with 350GB of sensitive information being exfiltrated. RansomHub claims to have been embedded within ERMA's network for an extended period, meticulously studying the company's operations. The group has threatened to notify ERMA's customers about the data leak and publicly release the stolen information if their demands are not met, potentially causing severe reputational and financial damage.
About RansomHub
RansomHub is a relatively new ransomware group. Believed to have roots in Russia, it operates as a Ransomware-as-a-Service (RaaS) group, with affiliates receiving 90% of the ransom money and the remaining 10% going to the main group. The group has targeted various countries, including the US, Brazil, Indonesia, and Vietnam, without following a specific pattern. RansomHub's ransomware strains are written in Golang, a language choice that may indicate future trends in ransomware development.
Penetration and Vulnerabilities
RansomHub's intrusion into ERMA's systems likely involved exploiting vulnerabilities within the company's network. The group's meticulous study of ERMA's operations suggests a sophisticated approach, possibly involving phishing attacks, exploitation of software vulnerabilities, or abuse of weak security protocols. The extended period of undetected presence within the network indicates a high level of stealth and expertise in evading traditional security measures.