RansomHub Ransomware Hits Turkish Beverage Giant Aroma Bursa

Incident Date: September 20, 2024

Overview

Title: RansomHub Ransomware Hits Turkish Beverage Giant Aroma Bursa
Victim: Aroma Bursa Meyve
Attacker: RansomHub
Location: Gürsu, Turkey
First Reported: September 20, 2024

RansomHub Ransomware Attack on Aroma Bursa Meyve

Aroma Bursa Meyve Suları ve Gıda Sanayi A.Ş., a leading Turkish beverage manufacturer, has fallen victim to a ransomware attack by the notorious RansomHub group. The attackers claim to have exfiltrated 500 GB of sensitive data, including SQL Server databases such as TIGER_DB, AXATA_WM, and PAPERWORK_TEST.

About Aroma Bursa Meyve

Established in 1968 in the Gürsu district of Bursa, Aroma specializes in producing fruit juices, natural spring water, and carbonated beverages. The company operates a 75,000 m² facility and has significantly expanded its fruit processing capacity from 20,000 tons to 125,000 tons annually since the Duruk Group's acquisition in 1991. Aroma is known for pioneering several innovations in the Turkish beverage market, including the introduction of 100% fruit juice and multivitamin mixed fruit juice.

Attack Overview

The ransomware attack on Aroma Bursa Meyve was executed by RansomHub, a Ransomware-as-a-Service (RaaS) group that emerged in February 2024. The group is known for its aggressive affiliate model and double extortion tactics, encrypting victims' data while exfiltrating sensitive information to increase ransom demands. The compromised data includes various SQL Server databases, posing a significant threat to Aroma's operational integrity and data security.

RansomHub's Modus Operandi

RansomHub distinguishes itself through its speed and efficiency, targeting large enterprises with valuable data. The group uses a combination of phishing campaigns, vulnerability exploitation, and password spraying to gain initial access. Once inside, the affiliates employ tools like Mimikatz and PsExec for lateral movement and privilege escalation. They exfiltrate data using tools like WinSCP and RClone before encrypting files with Curve25519 elliptic-curve encryption.

Potential Vulnerabilities

Aroma Bursa Meyve's extensive use of SQL Server databases and integrated manufacturing systems may have made it an attractive target for RansomHub. The group's ability to exploit unpatched vulnerabilities and leverage zero-day exploits highlights the importance of continuous monitoring and updating of security protocols to protect against sophisticated ransomware threats.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.