Ransomware Hits Roberts Environmental Control: Abyss Group Attack

Incident Date: August 11, 2024

Overview

Title: Ransomware Hits Roberts Environmental Control: Abyss Group Attack

Victim: Roberts Environmental Control

Attacker: Abyss

Location: Tinley Park, Illinois, USA

First Reported: August 11, 2024

Ransomware Attack on Roberts Environmental Control by Abyss Group

Roberts Environmental Control, a well-established mechanical contractor based in Illinois, has recently fallen victim to a ransomware attack orchestrated by the cybercriminal group known as Abyss. The attack has raised significant concerns about the security measures in place and the potential impact on the company's operations and sensitive information.

About Roberts Environmental Control

Roberts Environmental Control, originally founded in 1949 as Roberts Refrigeration, is a mechanical contracting firm specializing in the installation and service of complex mechanical systems. The company was incorporated under its current name in 1973 by James and Robert Wasniewski. Over the years, the company has expanded its services to include pipe fitting, sheet metal work, and temperature control, establishing itself as a full-service provider in the HVAC industry. With a workforce of approximately 55 employees and a revenue exceeding $10 million, Roberts Environmental Control is a notable player in the HVAC market.

Attack Overview

The ransomware attack on Roberts Environmental Control was claimed by the Abyss group via their dark web leak site. The attackers managed to infiltrate the company's systems and exfiltrate a substantial amount of data, totaling 240GB in its uncompressed form. This breach underscores the growing threat of ransomware attacks and highlights the critical need for enhanced cybersecurity defenses.

About Abyss Ransomware Group

The Abyss ransomware group is a multi-extortion operation that emerged in March 2023, primarily targeting VMware ESXi environments. It is known for hosting a Tor-based leak site where it lists victims and publishes exfiltrated data if the victims fail to comply with its demands. Abyss Locker ransomware campaigns have targeted various industries, including finance, manufacturing, information technology, and healthcare, with a primary focus on the United States.

Penetration and Distinguishing Features

Initial access for Abyss Locker infections varies; affiliated threat actors have been observed targeting weak SSH configurations with SSH brute-force attacks to gain entry to exposed servers. The Linux Abyss Locker payloads are derived from the Babuk codebase and function similarly. The ransomware has a standard command line interface that requires the threat actor to specify a target path for encryption. Encrypted files receive the ".crypt" extension, and any folder containing encrypted files will also contain Abyss Locker ransom notes with the .README_TO_RESTORE extension.
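The two post-encryption indicators quoted above (".crypt" on encrypted files, a ".README_TO_RESTORE" ransom note in every affected folder) are enough for a responder to scope which directories an Abyss Locker run touched. The sweep below is an added example, not code from the tracker or from any analysis of the malware; it assumes only those two strings, and the directory layout it checks is constructed sample data, not victim data.

```python
import os
import tempfile

# Indicators quoted from the tracker text above; other strains use others.
ENCRYPTED_EXT = ".crypt"
NOTE_EXT = ".readme_to_restore"   # matched case-insensitively

def sweep(root):
    """Walk root; map each directory with Abyss-style indicators to its hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted, notes = [], []
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted.append(name)
            elif lower.endswith(NOTE_EXT):
                notes.append(name)
        if encrypted or notes:
            hits[os.path.relpath(dirpath, root)] = {"encrypted": encrypted, "notes": notes}
    return hits

def summarize(hits):
    """Counts, plus the two mismatches worth a second look: a note with nothing
    encrypted beside it, and encrypted files with no note (interrupted run?)."""
    return {
        "dirs_hit": len(hits),
        "encrypted_files": sum(len(h["encrypted"]) for h in hits.values()),
        "note_only_dirs": sorted(d for d, h in hits.items() if h["notes"] and not h["encrypted"]),
        "missing_note_dirs": sorted(d for d, h in hits.items() if h["encrypted"] and not h["notes"]),
    }

def build_sample_tree(base):
    """Constructed sample layout (not real victim data) for a dry run."""
    for rel in ("finance/q2.xlsx.crypt", "finance/WhatHappened.README_TO_RESTORE",
                "hr/resume.pdf.crypt",      # encrypted but no note dropped
                "share/readme.txt"):        # clean file, must not be flagged
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()

def dry_run():
    """Build the sample tree in a temp dir, sweep it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(sweep(tmp))

if __name__ == "__main__":
    print(dry_run())
```

Run `sweep()` against a mounted, read-only copy of the affected volume rather than the live host, and treat the "missing_note_dirs" list as the first place to look for an encryption run that was cut short.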

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given threat actors' lucrative success so far, ransomware attacks have become the most ubiquitous and the most financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.