RansomHub Ransomware Hits Illinois-Based PHD Services
Incident Date: September 5, 2024
Overview
Title: RansomHub Ransomware Hits Illinois-Based PHD Services
Victim: PHD Services
Attacker: RansomHub
Location:
First Reported: September 5, 2024
RansomHub Ransomware Attack on PHD Services
PHD Services, a comprehensive facility services provider based in Illinois, has recently fallen victim to a ransomware attack orchestrated by the cybercriminal group RansomHub. Established in 1962, PHD Services specializes in professional cleaning, facility support, grounds maintenance, and supply chain solutions. As a women-owned and operated business, the company has grown from a local enterprise to a regional leader, serving clients across the United States.
Company Profile
PHD Services employs over 400 people and has built a reputation for reliability and quality over its six decades of operation. The company offers a wide array of support services tailored to the specific needs of their clients, including routine janitorial work, specialized cleaning, facility management, and grounds maintenance. Their supply chain solutions help streamline operations for clients, making them a preferred partner in the facility services industry.
Attack Overview
The ransomware attack on PHD Services has potentially compromised sensitive client data and disrupted the company's ability to provide critical support. The attack poses significant risks to both the organization's operations and the satisfaction of its clientele. The exact details of the data exfiltrated and the ransom demanded have not been disclosed, but the impact on the company's operations is evident.
RansomHub: The Ransomware Group
RansomHub, a Ransomware-as-a-Service (RaaS) group, emerged in February 2024 and quickly established itself as a formidable player in the ransomware landscape. Known for its speed and efficiency, RansomHub employs a double extortion strategy, encrypting victims' data and exfiltrating sensitive information to increase leverage in ransom demands. The group targets high-value sectors such as healthcare, financial services, and government.
Penetration and Methodology
RansomHub affiliates primarily use phishing campaigns, vulnerability exploitation, and password spraying to gain initial access. They are known to exploit unpatched systems such as Citrix ADC and FortiOS. Once inside, they conduct multi-phase attacks involving network reconnaissance, privilege escalation, and data exfiltration before encrypting files. The ransomware uses Curve25519 elliptic-curve cryptography and intermittent encryption techniques to minimize encryption time while maintaining impact.
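One defensive check the initial-access vector above suggests, as an added example written for this page rather than code from the tracker or from any RansomHub analysis: flagging a password spray (one source, many distinct accounts, failed logins inside a short window) over constructed sample authentication log lines in an assumed, simplified format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not from the incident): a spray
# source hitting five accounts within seconds, a legitimate user mistyping a
# password, and a slow source whose attempts never share one 10-minute window.
SAMPLE_LOG = """\
2024-09-05T08:00:01Z FAIL user=alice src=203.0.113.5
2024-09-05T08:00:03Z FAIL user=bob src=203.0.113.5
2024-09-05T08:00:05Z FAIL user=carol src=203.0.113.5
2024-09-05T08:00:07Z FAIL user=dave src=203.0.113.5
2024-09-05T08:00:09Z FAIL user=erin src=203.0.113.5
2024-09-05T08:05:00Z FAIL user=carol src=198.51.100.7
2024-09-05T08:05:20Z FAIL user=carol src=198.51.100.7
2024-09-05T08:05:40Z OK user=carol src=198.51.100.7
2024-09-05T09:00:00Z FAIL user=alice src=192.0.2.9
2024-09-05T09:30:00Z FAIL user=bob src=192.0.2.9
2024-09-05T10:00:00Z FAIL user=carol src=192.0.2.9
2024-09-05T10:30:00Z FAIL user=dave src=192.0.2.9
2024-09-05T11:00:00Z FAIL user=erin src=192.0.2.9
"""

def parse_line(line):
    """Split '<ts> <FAIL|OK> user=<name> src=<ip>' into its four fields."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])

def detect_password_spray(lines, window=timedelta(minutes=10), min_accounts=5):
    """Return {src: sorted accounts} for sources whose failed logins touch at
    least min_accounts distinct accounts inside any sliding window of `window`."""
    failures = defaultdict(list)  # src -> [(timestamp, user)]
    for line in lines:
        ts, result, user, src = parse_line(line)
        if result == "FAIL":  # successes and same-account retries are not a spray signal
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts and len(users) > len(flagged.get(src, [])):
                flagged[src] = sorted(users)  # keep the widest account set seen
    return flagged
```

Counting distinct accounts per source, rather than failures per account, is what separates a spray from a brute force against one account or a user who forgot a password; lockout-threshold rules alone miss it.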
Vulnerabilities and Impact
PHD Services' extensive operations and reliance on digital systems for managing client data and service delivery made it a prime target for RansomHub. The attack has highlighted weaknesses in the company's cybersecurity infrastructure, emphasizing the need for enhanced security measures to protect against sophisticated ransomware threats.
Sources
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.