Analysis of the Ransomware Attack on RAM Construction Services by The Underground Team

Company Profile: RAM Construction Services

RAM Construction Services, headquartered in Livonia, Michigan, is a prominent entity in the construction sector, particularly known for its expertise in waterproofing and restoration. Founded in 1918, originally as Western Waterproofing, the company was rebranded in 2008 to honor its founder, Robert A. Mazur. With a workforce of 372 employees and an annual revenue of $162 million, RAM Construction Services operates across multiple states, offering services that range from new construction to intricate restoration of historical buildings. Their extensive experience and commitment to maintaining structural integrity make them a vital player in the construction industry.

Vulnerabilities and Security Challenges

The nature of RAM Construction Services' operations, involving large-scale projects and sensitive client data, makes them an attractive target for cybercriminals. The storage and management of extensive employee and client information, including financial and personal data, expose them to significant cybersecurity risks. The construction industry, while advanced in many technological aspects, often lags in cybersecurity preparedness, potentially leaving companies like RAM Construction Services vulnerable to sophisticated cyber-attacks.

Details of the Ransomware Attack

On July 3, 2024, at 13:48, RAM Construction Services fell victim to a targeted ransomware attack by the group known as The Underground Team. The attackers managed to exfiltrate 762.9 megabytes of sensitive data, including employee passports, Social Security Numbers, financial records, and client contracts. This breach not only threatened the privacy of individuals associated with RAM but also posed a risk to the integrity and competitive position of the company in the construction market.

The Underground Team Ransomware Group

The Underground Team, active since early 2023, is known for its aggressive and sophisticated ransomware campaigns. They typically encrypt files using a combination of 3DES and RSA encryption techniques without altering the file extension but adding unique bytes to the end of files to mark them. The group's modus operandi includes stopping target services, deleting Volume Shadow Copies, and clearing Windows event logs to hinder recovery efforts. Their approach is primarily financially motivated, aiming to extort substantial ransoms from their victims under the threat of data leakage.

Potential Entry Points and System Penetration

While the specific entry point used by The Underground Team in this attack is not publicly disclosed, common vectors include phishing, exploitation of unpatched vulnerabilities, or compromised credentials. The construction sector's often fragmented IT infrastructure and the high volume of external communications may have provided multiple attack vectors for the criminals. Additionally, the possible lack of robust cybersecurity measures and employee training on information security could have facilitated the breach.

Sources:

• LinkedIn: RAM Construction Services Company Profile
• Dun & Bradstreet: RAM Construction Services of Michigan Inc.
• RAM Construction Services Official Website: Our Company
• PC Risk: Underground Team Ransomware Removal Guide
• Cyberint: Finding and Analyzing Ransomware Groups
• Security Scorecard: Technical Analysis of the Underground Ransomware