Skender Construction: Targeted by Underground Team Ransomware

Incident Date:

May 4, 2024


Overview

Title

Skender Construction: Targeted by Underground Team Ransomware

Victim

Skender Construction

Attacker

Underground Team

Location

Chicago, Illinois, USA

First Reported

May 4, 2024

Analysis of the Ransomware Attack on Skender Construction by Underground Team

Company Profile: Skender Construction

Skender Construction, officially Skender Construction Co., is a prominent player in the U.S. construction sector. Headquartered in Chicago, Illinois, with an additional office in Indianapolis, Skender ranks among the nation's top 100 construction firms. Founded in 1955, the company employs around 500 people and generates between $100 million and $500 million in annual revenue. Skender is known for its use of technology such as CiraSync to improve operational efficiency, reportedly saving its IT department over 1,500 hours a year.

Details of the Ransomware Attack

In 2024, Skender Construction was targeted by the cybercriminal group known as Underground Team. The attackers deployed ransomware that compromised the company's systems and exfiltrated 615.9 GB of sensitive data, including architectural drawings, financial records and employees' personal information. The full data set was subsequently published on the dark web, exposing both the company's commercial information and its employees' personal data.

Profile of the Underground Team Ransomware

The Underground Team ransomware is a 64-bit GUI-based Windows executable known for aggressive pre-encryption tactics: deleting backups, modifying registry settings and stopping critical services such as MSSQLSERVER (stopping a database service is a common step because open database files cannot otherwise be encrypted). It enumerates system volumes through API calls and drops ransom notes across multiple folders on each. Encryption is selective: the ransomware skips certain filenames and extensions, which keeps the host operable while encryption runs and delays detection.
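The behaviours listed above (backup deletion and stopping MSSQLSERVER) are observable in endpoint telemetry before encryption finishes, so they are worth hunting for. The following Python script is an added example written for this page, not code from the tracker or from any vendor analysis of this strain. It assumes process-creation events shaped like Sysmon Event ID 1 serialized as one JSON object per line; the backup-deletion command list is generic ransomware tradecraft (the page does not say which commands Underground Team uses), whether the service is stopped via net.exe or sc.exe is an assumption, and all host names and records are constructed.

```python
"""Hunt for two host behaviours the tracker attributes to the Underground
Team ransomware: deletion of backups and stopping the MSSQLSERVER service.
Input is one JSON object per line shaped like Sysmon Event ID 1 (process
creation). All sample records below are constructed for this example."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Common backup-destruction commands. This is generic ransomware tradecraft;
# the page does not say which commands this strain uses, so treat the list
# as an assumption to tune against your own telemetry.
BACKUP_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b", re.I),
]
# The page says MSSQLSERVER is halted; whether via net.exe or sc.exe is assumed.
SERVICE_STOP = re.compile(r'\b(net1?|sc)(\.exe)?\s+stop\s+"?MSSQLSERVER\b', re.I)

# Both tactics on one host inside this window escalate to an alert.
WINDOW = timedelta(minutes=10)


def classify(event: dict) -> Optional[str]:
    """Label one process-creation event, or return None if it looks benign."""
    cmd = event.get("CommandLine", "")
    if any(p.search(cmd) for p in BACKUP_DELETION):
        return "backup_deletion"
    if SERVICE_STOP.search(cmd):
        return "mssql_service_stop"
    return None


def hunt(lines) -> dict:
    """Parse JSON event lines, tag suspicious ones and correlate per host.
    Returns {"hits": [...], "alerts": [hosts showing both tactics within WINDOW]}."""
    hits = []
    per_host = defaultdict(list)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry should not abort the hunt
        if ev.get("EventID") != 1 or "UtcTime" not in ev or "Computer" not in ev:
            continue
        tactic = classify(ev)
        if tactic is None:
            continue
        ts = datetime.fromisoformat(ev["UtcTime"])
        hits.append({"host": ev["Computer"], "time": ts, "tactic": tactic,
                     "cmd": ev.get("CommandLine", "")})
        per_host[ev["Computer"]].append((ts, tactic))

    alerts = []
    for host, items in per_host.items():
        deletions = [t for t, tac in items if tac == "backup_deletion"]
        stops = [t for t, tac in items if tac == "mssql_service_stop"]
        # Pairwise check: any backup deletion within WINDOW of any service stop.
        if any(abs(d - s) <= WINDOW for d in deletions for s in stops):
            alerts.append(host)
    return {"hits": hits, "alerts": sorted(alerts)}


# Constructed sample telemetry (not real logs from the incident).
SAMPLE_EVENTS = [
    r'{"EventID": 1, "Computer": "FS01", "UtcTime": "2024-05-01T02:14:03", "CommandLine": "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"}',
    r'{"EventID": 1, "Computer": "FS01", "UtcTime": "2024-05-01T02:14:09", "CommandLine": "net  stop MSSQLSERVER /y"}',
    r'{"EventID": 1, "Computer": "WS22", "UtcTime": "2024-05-01T09:00:00", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\""}',
    r'{"EventID": 1, "Computer": "DB03", "UtcTime": "2024-05-01T03:30:00", "CommandLine": "sc stop MSSQLSERVER"}',
    r'{"EventID": 3, "Computer": "FS01", "UtcTime": "2024-05-01T02:14:10", "DestinationPort": 445}',
    'this line is not JSON',
]

if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for h in result["hits"]:
        print(f'{h["time"]} {h["host"]:5} {h["tactic"]:19} {h["cmd"]}')
    # DB03 stopped SQL Server on its own: recorded as a hit, not escalated.
    print("alerts:", result["alerts"])
```

The correlation step matters more than the individual patterns: a DBA stopping SQL Server for maintenance produces one hit, whereas backup destruction and service stops on the same host minutes apart is the pre-encryption sequence described on this page and should page someone.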

The primary infection vector for this ransomware is believed to be through phishing emails containing malicious attachments or links to compromised websites, exploiting human error or lack of awareness within targeted organizations.

Vulnerabilities and Industry Impact

Skender Construction's reliance on digital tooling, while beneficial for operational efficiency, also enlarges its attack surface. The volume of sensitive data the company handles, from project plans to employees' personal information, makes it a lucrative ransomware target. The construction industry, with its complex supply chains, many third-party contractors and often fragmented IT practices, is particularly exposed to such disruptions, underscoring the need for stronger cybersecurity measures in this sector, starting with offline or immutable backups that an intruder on the network cannot delete.

Sources:

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given threat actors' lucrative success so far, ransomware has become the most ubiquitous, and financially and informationally damaging, cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.