Ransomware Attack on M.Royo & KlockMetal by BianLian Group

M.Royo & KlockMetal, two interconnected Argentine companies specializing in the production and distribution of steel products, have recently fallen victim to a ransomware attack orchestrated by the notorious BianLian group. This attack has compromised critical data, posing a significant threat to their operations and data integrity.

About M.Royo & KlockMetal

Founded in 1952, M.Royo has established itself as a key player in the Argentine steel industry. The company specializes in the manufacture of welded steel pipes, adhering to API (American Petroleum Institute) standards, which are crucial for the oil and gas sector. M.Royo's capabilities extend to the threading and manufacturing of couplings, enhancing its offerings in the casing pipe market. The company has a rich history of innovation, having developed its own machinery for pipe production as early as 1964 and obtaining API licensing in 1979.

KlockMetal, established in 1923, complements M.Royo's offerings by focusing on seamless pipes and profiles. The acquisition of KlockMetal by M.Royo in 1987 allowed for an expanded product range, including structural steel and seamless tubes. Together, they serve various sectors, including oil and gas, mining, construction, and automotive industries, emphasizing quality and safety in their operations.

Attack Overview

The ransomware attack on M.Royo & KlockMetal has compromised critical data, including supply-chain information, manufacturing data, fileserver contents, and network user folder data. The breach poses a substantial threat to the company's operations and data integrity, potentially disrupting their supply chain and manufacturing processes. The company is currently assessing the full impact of the attack and working on mitigation strategies to secure their systems and data.

About BianLian Ransomware Group

BianLian is a sophisticated ransomware group that has evolved from targeting individual users to launching high-profile attacks on businesses, governmental organizations, healthcare facilities, and educational institutions globally. Initially functioning as a banking trojan, BianLian transitioned into advanced ransomware operations, emphasizing extortion-based strategies. The group gained initial access through compromised Remote Desktop Protocol (RDP) credentials, implanting custom backdoors specific to each victim, using PowerShell and Windows Command Shell for defense evasion, and employing various tools for discovery, lateral movement, collection, exfiltration, and impact.

Penetration and Impact

BianLian's tactics have evolved to include exfiltration of sensitive data, leading to significant financial and reputational consequences for compromised organizations. The group's shift towards exfiltration-based extortion and its global reach underscore the evolving threat landscape posed by ransomware groups. The attack on M.Royo & KlockMetal highlights the vulnerabilities in the manufacturing sector, particularly in companies with extensive supply chains and critical data dependencies.

• M.Royo & KlockMetal Official Website
• CISA: Cybersecurity Advisories
• Unit 42: BianLian Ransomware Group Threat Assessment