Ransomware Crisis Hits RAM Construction Services

Incident Date:

July 3, 2024


Overview

Title

Ransomware Crisis Hits RAM Construction Services

Victim

RAM Construction Services

Attacker

Underground Team

Location

Livonia, Michigan, USA

First Reported

July 3, 2024

Analysis of the Ransomware Attack on RAM Construction Services by The Underground Team

Company Profile: RAM Construction Services

RAM Construction Services, headquartered in Livonia, Michigan, is a prominent entity in the construction sector, particularly known for its expertise in waterproofing and restoration. Founded in 1918, originally as Western Waterproofing, the company was rebranded in 2008 to honor its founder, Robert A. Mazur. With a workforce of 372 employees and an annual revenue of $162 million, RAM Construction Services operates across multiple states, offering services that range from new construction to intricate restoration of historical buildings. Their extensive experience and commitment to maintaining structural integrity make them a vital player in the construction industry.

Vulnerabilities and Security Challenges

The nature of RAM Construction Services' operations, involving large-scale projects and sensitive client data, makes them an attractive target for cybercriminals. The storage and management of extensive employee and client information, including financial and personal data, expose them to significant cybersecurity risks. The construction industry, while advanced in many technological aspects, often lags in cybersecurity preparedness, potentially leaving companies like RAM Construction Services vulnerable to sophisticated cyber-attacks.

Details of the Ransomware Attack

On July 3, 2024, at 13:48, RAM Construction Services fell victim to a targeted ransomware attack by the group known as The Underground Team. The attackers managed to exfiltrate 762.9 megabytes of sensitive data, including employee passports, Social Security Numbers, financial records, and client contracts. This breach not only threatened the privacy of individuals associated with RAM but also posed a risk to the integrity and competitive position of the company in the construction market.

The Underground Team Ransomware Group

The Underground Team, active since early 2023, is known for its aggressive and sophisticated ransomware campaigns. They typically encrypt files with a combination of 3DES and RSA, leaving the file extension unchanged but appending unique marker bytes to the end of each file. Before encryption, the group stops target services, deletes Volume Shadow Copies, and clears Windows event logs to hinder recovery and forensic reconstruction. Their approach is primarily financially motivated, aiming to extort substantial ransoms from their victims under the threat of data leakage.
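The three pre-encryption behaviours described above (service stops, shadow copy deletion, event log clearing) are the most detectable part of this playbook, because each leaves a process-creation record before the encryptor runs. The following is an added example written for this page, not code from the source or from any incident response on RAM Construction Services: it runs simple command-line rules over a constructed set of Windows process-creation events and flags a host only when several of these tactics cluster in a short window. The source names the behaviours but not the exact commands; the utilities matched below (vssadmin, wmic, wevtutil, net/sc stop and their PowerShell equivalents) are an assumption about the usual ways to perform them, and the sample hosts, users and timestamps are invented.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (shape loosely follows Windows
# Security 4688 / Sysmon Event ID 1 fields). These are NOT logs from the RAM
# Construction Services incident; they exist only to exercise the rules.
SAMPLE_EVENTS = [
    {"time": "2024-07-03T13:40:02", "host": "FS01", "user": "svc_backup",
     "cmdline": "net stop MSSQLSERVER /y"},
    {"time": "2024-07-03T13:40:05", "host": "FS01", "user": "svc_backup",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2024-07-03T13:40:09", "host": "FS01", "user": "svc_backup",
     "cmdline": "wevtutil.exe cl Security"},
    {"time": "2024-07-03T13:40:10", "host": "FS01", "user": "svc_backup",
     "cmdline": "wevtutil.exe cl System"},
    {"time": "2024-07-03T11:02:44", "host": "WS07", "user": "jdoe",
     "cmdline": "net stop Spooler"},          # lone, routine admin action
    {"time": "2024-07-03T09:15:00", "host": "WS07", "user": "jdoe",
     "cmdline": "C:\\Program Files\\Autodesk\\Revit\\Revit.exe"},
]

# Tactic label -> command-line patterns. The page names the behaviours
# (stop services, delete Volume Shadow Copies, clear event logs) but not the
# commands; the utilities below are an assumption about the usual Windows
# ways to do each, not something taken from the incident.
RULES = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
        re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),
    ],
    "eventlog_clear": [
        re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
        re.compile(r"\bClear-EventLog\b", re.I),
    ],
    "service_stop": [
        re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\b", re.I),
        re.compile(r"\bStop-Service\b", re.I),
    ],
}


def classify(cmdline):
    """Return the tactic label a command line matches, or None."""
    for tactic, patterns in RULES.items():
        if any(p.search(cmdline) for p in patterns):
            return tactic
    return None


def find_hits(events):
    """Tag every event whose command line matches a rule."""
    hits = []
    for ev in events:
        tactic = classify(ev["cmdline"])
        if tactic:
            hits.append({**ev, "tactic": tactic,
                         "ts": datetime.fromisoformat(ev["time"])})
    return hits


def staging_hosts(events, window=timedelta(minutes=10), min_tactics=2):
    """Hosts where at least `min_tactics` distinct recovery-inhibition
    tactics occur within `window`. A lone `net stop` is routine admin work;
    the stop / delete-shadows / clear-logs cluster is the pre-encryption
    pattern worth paging on. Returns {host: sorted tactic labels}."""
    by_host = {}
    for h in sorted(find_hits(events), key=lambda h: h["ts"]):
        by_host.setdefault(h["host"], []).append(h)
    flagged = {}
    for host, hits in by_host.items():
        for i, first in enumerate(hits):
            tactics = {h["tactic"] for h in hits[i:]
                       if h["ts"] - first["ts"] <= window}
            if len(tactics) >= min_tactics:
                flagged[host] = sorted(tactics)
                break
    return flagged


if __name__ == "__main__":
    for host, tactics in staging_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: likely pre-encryption staging ({', '.join(tactics)})")
```

The correlation step matters more than the individual patterns: backup agents and administrators legitimately stop services and occasionally prune shadow copies, but the same account stopping services, deleting shadow copies and clearing Security and System logs within minutes is the recovery-inhibition sequence the group is described as running before encryption, and is the point at which isolating the host can still save the data.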

Potential Entry Points and System Penetration

While the specific entry point used by The Underground Team in this attack is not publicly disclosed, common vectors include phishing, exploitation of unpatched vulnerabilities, or compromised credentials. The construction sector's often fragmented IT infrastructure and the high volume of external communications may have provided multiple attack vectors for the criminals. Additionally, the possible lack of robust cybersecurity measures and employee training on information security could have facilitated the breach.

Sources:

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.