Ransomware Attack on Sonol by Handala Group: In-Depth Analysis and Impact

Incident Date: July 11, 2024


Overview

Victim: Sonol

Attacker: Handala

Location: Netanya, Israel

First Reported: July 11, 2024

Ransomware Attack on Sonol by Handala Group: A Detailed Analysis

Overview of Sonol

Sonol Israel Ltd., established in 1917, is a major player in Israel's energy sector, operating approximately 240 gas stations and 180 convenience stores branded as "So Good." The company, acquired by the Azrieli Group in 2006, employs around 2,200 staff members. Sonol has diversified its services to include electric vehicle charging stations, reflecting a commitment to sustainable energy solutions. The company is also known for its philanthropic efforts, supporting medical research and children with chronic illnesses.

Details of the Ransomware Attack

The ransomware group Handala has claimed responsibility for a recent cyberattack on Sonol. The attack resulted in a significant data breach, with 54 GB of data dumped online. Handala justified its actions by citing geopolitical motives, specifically the plight of its people, and claimed to have previously warned all fuel stations via SMS. As part of its rationale, the group highlighted a 21% increase in fuel consumption in October of the previous year.

About Handala Group

Handala is a cybercriminal organization known for its pro-Palestinian agenda and history of targeting Israeli institutions. The group has been involved in various high-profile cyberattacks, including breaches of radar systems and the Iron Dome missile defense systems. Handala employs sophisticated tactics such as phishing campaigns and multi-stage malware loading processes to compromise their targets.

Potential Vulnerabilities

Sonol's extensive operations and significant market presence make it a lucrative target for cybercriminals. The company's involvement in critical infrastructure, such as fuel distribution and electric vehicle charging, adds to its vulnerability. The attack on Sonol underscores the importance of robust cybersecurity measures, especially for companies operating in sectors critical to national infrastructure.

Penetration Tactics

Handala likely penetrated Sonol's systems through sophisticated phishing campaigns, which may have included emails written in Hebrew to deliver malware. The group's use of multi-stage loading processes involving obfuscated scripts and shellcode could have bypassed traditional security measures, leading to the successful breach and subsequent data dump.
