Ransomware Attack on Wind Composite Services Group, LLC by BianLian

Incident Date: May 26, 2024


Overview

Victim: Wind Composite Services Group, LLC
Attacker: BianLian
Location: Houston, Texas, USA
First Reported: May 26, 2024

Victim Overview

Wind Composite Services Group, LLC (WindCom) is a leading provider of wind blade services in North America. With 153 employees and a revenue of $31.3 million, WindCom specializes in wind turbine maintenance and repair services. The company stands out in the industry due to its technical competence, global presence, and extensive database of blade data.

Attack Overview

WindCom has fallen victim to a ransomware attack by the BianLian ransomware group. The attackers managed to exfiltrate 412 GB of sensitive data from WindCom's systems. The stolen data includes finance records, HR information, business data, engineering documents, incident reports, and email correspondence, posing a significant threat to the company's operations and security.

Ransomware Group: BianLian

BianLian is a sophisticated ransomware group known for targeting businesses, governmental organizations, healthcare facilities, and educational institutions globally. The group has evolved from a banking trojan to advanced ransomware operations, emphasizing extortion-based strategies. BianLian distinguishes itself through its exfiltration-based extortion tactics and global reach, with a focus on sectors like healthcare, manufacturing, and legal services.

Penetration and Vulnerabilities

BianLian likely penetrated WindCom's systems through compromised Remote Desktop Protocol (RDP) credentials, then implanted a custom backdoor, as it does for each victim, and used PowerShell and Windows Command Shell for defense evasion. WindCom's extensive database of blade data and sensitive business information made it an attractive target for threat actors seeking financial gain through data exfiltration and extortion.
