Ransomware Attack Disrupts Arango Billboard & Construction Operations

Incident Date: June 25, 2024

Victim: Arango Billboard & Construction

Attacker: BlackSuit

Location: Miami, Florida, USA

First Reported: June 25, 2024

Ransomware Attack on Arango Billboard & Construction by BlackSuit Group

Overview of Arango Billboard & Construction

Arango Billboard & Construction Co LLC, headquartered in Miami, Florida, specializes in the design, construction, and maintenance of outdoor advertising structures, commonly known as billboards. The company provides a full suite of services, including initial consultation, site selection, design, construction, and ongoing maintenance. Their expertise in creating visually appealing and structurally sound billboards has established them as a significant player in the outdoor advertising industry.

With a workforce of 21-50 employees and revenue of $5M-$10M, Arango Billboard & Construction is a mid-sized company. It is authorized by the Federal Motor Carrier Safety Administration (FMCSA) to operate in the passenger, property, and household goods transportation sectors. Despite its success, the company is not accredited by the Better Business Bureau (BBB).

Details of the Ransomware Attack

On June 26, 2024, Arango Billboard & Construction was targeted by a ransomware attack executed by the BlackSuit ransomware group. The attack led to a data breach of an unspecified size, severely disrupting the company's operations. The BlackSuit group claimed responsibility for the attack on their dark web leak site, a common tactic used to pressure victims into paying the ransom.

About the BlackSuit Ransomware Group

BlackSuit is a relatively new ransomware family that surfaced in 2023. It shares significant similarities in code and functionality with the ransomware of the notorious Royal group. BlackSuit targets both Windows and Linux systems, including VMware ESXi servers. The ransomware appends the .blacksuit extension to encrypted files and drops a ransom note named README.BlackSuit.txt in each affected directory. The note directs victims to a Tor chat site to communicate with the operators.
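The two file-system indicators named above (the .blacksuit extension and the README.BlackSuit.txt note) are enough for a first triage sweep of a host or file share to gauge how far encryption reached. The Python below is an added example, not part of the original report or of any vendor tool; the function names, the case-insensitive matching and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Indicators from the description above. Case-insensitive matching is an
# assumption; the page does not say how consistent the casing is in practice.
ENCRYPTED_SUFFIX = ".blacksuit"
RANSOM_NOTE = "readme.blacksuit.txt"

def triage(root):
    """Return {dir: {"note": bool, "encrypted": int, "untouched": int}} for affected dirs."""
    findings = {}
    # os.walk does not follow symlinks and skips unreadable directories by default.
    for dirpath, _dirs, files in os.walk(root):
        entry = {"note": False, "encrypted": 0, "untouched": 0}
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                entry["note"] = True
            elif lower.endswith(ENCRYPTED_SUFFIX):
                entry["encrypted"] += 1
            else:
                entry["untouched"] += 1
        if entry["note"] or entry["encrypted"]:
            findings[os.path.relpath(dirpath, root)] = entry
    return findings

def summarize(findings):
    """Roll per-directory findings up into counts for an incident ticket."""
    return {
        "affected_dirs": len(findings),
        "encrypted_files": sum(e["encrypted"] for e in findings.values()),
        # The page says a note lands in every affected directory, so encrypted
        # files without one deviate from that and deserve a closer look.
        "encrypted_without_note": sorted(
            d for d, e in findings.items() if e["encrypted"] and not e["note"]),
    }

def demo():
    """Build a constructed sample tree (not real incident data) and triage it."""
    layout = {
        "finance": ["q2.xlsx.blacksuit", "payroll.csv.blacksuit", "README.BlackSuit.txt"],
        "designs": ["board.dwg.BLACKSUIT"],
        "clean": ["notes.txt"],
    }
    with tempfile.TemporaryDirectory() as root:
        for sub, names in layout.items():
            os.makedirs(os.path.join(root, sub))
            for name in names:
                open(os.path.join(root, sub, name), "w").close()
        return summarize(triage(root))

if __name__ == "__main__": print(demo())
```

Point triage() at a mounted share or a forensic image's mount point; the "untouched" count per directory shows whether encryption in that directory was complete or partial.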

Researchers have noted a high degree of similarity between BlackSuit and Royal ransomware, suggesting that BlackSuit could be a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang. The emergence of BlackSuit indicates that the threat actors behind Royal may have inspired other cybercriminals to develop similar ransomware families.

Potential Vulnerabilities and Attack Penetration

Arango Billboard & Construction's mid-sized status and lack of BBB accreditation may have made them an attractive target for ransomware groups like BlackSuit. Companies of this size often have fewer resources dedicated to cybersecurity compared to larger enterprises, making them more vulnerable to sophisticated cyberattacks. The specific vulnerabilities exploited by BlackSuit in this attack are not publicly known, but common entry points for ransomware include phishing emails, unpatched software, and weak network security protocols.

Given BlackSuit's ability to target both Windows and Linux systems, including critical VMware ESXi infrastructure, it is likely that the ransomware group used a combination of these methods to infiltrate Arango Billboard & Construction's systems. The attack highlights the importance of robust cybersecurity measures, even for mid-sized companies in specialized industries like outdoor advertising.
