RansomHub Ransomware Hits Thornton Inc. Exfiltrates 100GB Data

Incident Date:

September 12, 2024

Overview

Victim

Thornton Inc.

Attacker

RansomHub

Location

Opa-locka, USA

Florida, USA

First Reported

September 12, 2024

RansomHub Ransomware Attack on Thornton Inc.

Thornton Construction Company, Inc., commonly known as Thornton Inc., has recently fallen victim to a ransomware attack orchestrated by the RansomHub group. The attackers claim to have exfiltrated 100 GB of sensitive data from the company, which is a prominent player in the construction and engineering sectors.

About Thornton Inc.

Established in 1998 by Thomas Thornton and headquartered in Miami, Florida, Thornton Inc. specializes in construction management and general contracting services. The company employs between 101 and 250 individuals and reports an annual revenue of approximately $33.9 million. Thornton Inc. is known for its commitment to quality, safety, and client satisfaction, boasting a high rate of repeat customers. The firm operates across various sectors, including commercial, industrial, and institutional buildings, and emphasizes rigorous safety protocols and a strong corporate culture.

Attack Overview

The ransomware attack on Thornton Inc. was claimed by RansomHub via their dark web leak site. The group asserts that they have exfiltrated 100 GB of data, which could potentially include sensitive project details, financial records, and personal information of employees and clients. The attack highlights the vulnerabilities in Thornton Inc.'s cybersecurity measures, despite their strong operational protocols in other areas.

About RansomHub

RansomHub is a Ransomware-as-a-Service (RaaS) group that emerged in February 2024. The group is known for its aggressive affiliate model and double extortion tactics, which involve encrypting victims' data and exfiltrating sensitive information to increase ransom demands. RansomHub has quickly gained notoriety for its speed and efficiency, targeting high-value sectors such as healthcare, financial services, and government.

Penetration Methods

RansomHub affiliates typically use phishing campaigns, vulnerability exploitation, and password spraying to gain initial access to their targets. In the case of Thornton Inc., it is likely that the attackers exploited unpatched systems or used social engineering techniques to infiltrate the company's network. Once inside, they would have conducted network reconnaissance, escalated privileges, and exfiltrated data before deploying the ransomware to encrypt files.

RansomHub's Distinguishing Features

RansomHub sets itself apart with its use of intermittent encryption, which encrypts files in chunks to minimize encryption time while maintaining impact. The group employs Curve25519 elliptic-curve cryptography to generate unique keys per victim and uses a modular architecture that allows affiliates to update ransomware strains quickly to avoid detection. These features, combined with their ruthless operational tactics, make RansomHub a formidable threat in the cybersecurity landscape.
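Because intermittent encryption leaves untouched chunks next to encrypted ones, a per-block entropy profile is one way for defenders to triage suspect files. The sketch below is an added example, not code from this report or from any RansomHub sample; the block size, the entropy threshold and the sample data are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096         # analysis block size: an assumption, not a RansomHub parameter
HIGH_ENTROPY = 7.5   # bits per byte; assumed cut-off for "looks encrypted"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def block_profile(data: bytes, block: int = BLOCK) -> list:
    """True for each full block whose entropy looks like ciphertext.
    A short trailing block is skipped: it cannot reach the threshold reliably."""
    full = len(data) - len(data) % block
    return [shannon_entropy(data[i:i + block]) >= HIGH_ENTROPY
            for i in range(0, full, block)]

def classify(data: bytes) -> str:
    profile = block_profile(data)
    if not profile:
        return "too-small"
    if all(profile):
        return "uniform-high"   # fully encrypted or simply compressed
    if not any(profile):
        return "plain"
    return "mixed"              # triage candidate for partial encryption

def keystream(length: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode)."""
    out = b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest()
                   for i in range(length // 32 + 1))
    return out[:length]

def constructed_samples() -> dict:
    """Constructed inputs: a text file, and a copy with every other block replaced."""
    line = b"2024-09-12 INFO invoice record processed ok\n"
    plain = (line * (16 * BLOCK // len(line) + 1))[:16 * BLOCK]
    partial = bytearray(plain)
    for i in range(0, len(plain), 2 * BLOCK):
        partial[i:i + BLOCK] = keystream(BLOCK)
    return {"plain": plain, "partial": bytes(partial),
            "full": keystream(16 * BLOCK), "tiny": plain[:100]}

if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(f"{name:8s} {classify(data)}")
```

A "mixed" result is a triage signal rather than proof: container formats that embed compressed streams in plain structure can show the same profile, so compare against a known-good copy or the file's expected type before escalating.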
