RansomHub Ransomware Hits Petrochemical Giant RAR Holding

Incident Date:

September 19, 2024


Overview

Title

RansomHub Ransomware Hits Petrochemical Giant RAR Holding

Victim

RAR Holding Group of Companies

Attacker

RansomHub

Location

Dubai, United Arab Emirates

First Reported

September 19, 2024

RansomHub Ransomware Group Targets RAR Holding Group of Companies

RAR Holding Group of Companies, a Dubai-based manufacturer in the petrochemical and coatings industries, has been listed as a victim by the RansomHub ransomware group. The attackers claim to have exfiltrated 62 GB of data from the conglomerate; the claim has not been independently verified.

About RAR Holding Group of Companies

Founded and led by Mr. Rabih Reaidy, RAR Holding Group of Companies is a diversified group with a significant presence in the EMEA region. It operates across petrochemicals, paints and coatings, chemicals, construction materials, food production, consumer goods, packaging, real estate, and services. With an annual turnover exceeding $158 million as of 2018, the company describes itself as the largest producer of petrochemicals in the region. It employs staff from 35 nationalities and operates 15 locations throughout EMEA.

Attack Overview

The attack on RAR Holding was carried out under the RansomHub banner. RansomHub is a Ransomware-as-a-Service (RaaS) operation known for its aggressive affiliate model and double extortion: systems are encrypted, and the stolen data is held over the victim with a threat to publish it if the ransom is not paid. The group claims to have exfiltrated 62 GB of data, which may include sensitive information about the company's operations and clients. The incident illustrates that established industrial companies remain attractive and reachable targets for ransomware affiliates.

RansomHub: A Formidable Threat

RansomHub emerged in February 2024 and quickly became one of the most active ransomware operations. Its encryptor targets a range of platforms, and the operation is known for moving quickly from intrusion to encryption. RansomHub affiliates primarily gain initial access through phishing, exploitation of known vulnerabilities in internet-facing systems, and password spraying against exposed login services. The payload is updated frequently, which complicates signature-based detection and makes the group a serious threat to organizations worldwide.
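Password spraying, one of the three initial-access techniques named above, has a distinctive shape in authentication logs: one source tries a few passwords against many accounts, rather than many passwords against one account. The following detector is an added example, not code from the original page or from any RansomHub analysis. It parses a handful of constructed, sshd-style log lines (the format, the 10-minute window and the five-account threshold are assumptions for illustration; adapt the regex to your own identity provider's logs) and flags sources that fail against many distinct usernames, then lists any successful logins from those sources, which are the first accounts to triage.

```python
"""Detect password-spraying patterns in authentication logs.

Added example for illustration; not code from the page or from RansomHub.
The log format, window and threshold below are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like; not captured from a real system).
# 203.0.113.7 sprays five accounts and then gets in as "frank".
# 198.51.100.9 hammers a single account (brute force, not a spray).
SAMPLE_LOG = """\
2024-09-18T02:00:01Z auth sshd[1201]: Failed password for alice from 203.0.113.7 port 51234
2024-09-18T02:00:03Z auth sshd[1202]: Failed password for bob from 203.0.113.7 port 51235
2024-09-18T02:00:05Z auth sshd[1203]: Failed password for carol from 203.0.113.7 port 51236
2024-09-18T02:00:07Z auth sshd[1204]: Failed password for dave from 203.0.113.7 port 51237
2024-09-18T02:00:09Z auth sshd[1205]: Failed password for erin from 203.0.113.7 port 51238
2024-09-18T02:00:11Z auth sshd[1206]: Accepted password for frank from 203.0.113.7 port 51239
2024-09-18T02:00:20Z auth sshd[1207]: Failed password for alice from 198.51.100.9 port 40001
2024-09-18T02:00:25Z auth sshd[1208]: Failed password for alice from 198.51.100.9 port 40002
2024-09-18T02:00:30Z auth sshd[1209]: Failed password for alice from 198.51.100.9 port 40003
2024-09-18T02:00:35Z auth sshd[1210]: Failed password for alice from 198.51.100.9 port 40004
2024-09-18T02:00:40Z auth sshd[1211]: Failed password for alice from 198.51.100.9 port 40005
"""

# Assumed line layout: "<ISO timestamp> <host> sshd[<pid>]: <Failed|Accepted> password for [invalid user] <user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_events(text):
    """Return a list of (timestamp, result, user, ip) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: sorted usernames} for sources that fail against at least
    `min_users` distinct accounts within any `window`-long period.

    Keying on distinct usernames per source (not raw failure count) is what
    separates a spray from single-account brute force or a user's typos.
    """
    failures = defaultdict(list)  # ip -> [(ts, user), ...]
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip].append((ts, user))
    hits = {}
    for ip, recs in failures.items():
        recs.sort()
        for i, (start, _) in enumerate(recs):  # slide the window start over each failure
            users = {u for t, u in recs[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def successes_after_spray(events, hits):
    """Accounts that authenticated successfully from a spraying source:
    the most urgent triage item, since the credential is likely compromised."""
    out = {}
    for ts, result, user, ip in events:
        if result == "Accepted" and ip in hits:
            out.setdefault(ip, []).append(user)
    return out


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    sprays = detect_spray(ev)
    for ip, users in sprays.items():
        print(f"possible password spray from {ip}: {len(users)} accounts {users}")
    for ip, users in successes_after_spray(ev, sprays).items():
        print(f"  successful login(s) from {ip} after spray: {users}")
```

On the sample data the single-account brute force from 198.51.100.9 is correctly ignored, while 203.0.113.7 is flagged along with the successful login for `frank`. In production the same logic should run over the identity provider's sign-in logs (VPN, Citrix, Microsoft 365, SSH) where sprays actually land, and a hit should trigger a credential reset and MFA check for every account the source touched, not only the one that succeeded.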

Penetration and Impact

The intrusion path into RAR Holding has not been disclosed. Based on RansomHub's known tradecraft, it likely began with exploitation of an unpatched internet-facing system or a phishing campaign. Once inside, affiliates typically perform network reconnaissance, escalate privileges, and exfiltrate data before deploying the encryptor; because the data is taken first, restoring from backups addresses the encryption but not the threat of publication. RansomHub's encryptor uses Curve25519 elliptic-curve cryptography with a unique key pair generated per victim, so encrypted files cannot be recovered without the attacker's private key.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given the sustained financial success of ransomware operators, ransomware has become the most ubiquitous and, in financial and informational terms, the most impactful cyber threat to businesses and organizations today.

The site's data is derived from the leak sites operated by real-world threat actors and from a handful of other trackers. Although the data is sanitized, its accuracy cannot be guaranteed; entries are updated as reputable sources report on each attack. By viewing, accessing, or using RRA you acknowledge that you do so at your own risk.