Skender Construction: Targeted by Underground Team Ransomware
Incident Date:
May 4, 2024
Overview
Title
Skender Construction: Targeted by Underground Team Ransomware
Victim
Skender Construction
Attacker
Underground Team
Location
First Reported
May 4, 2024
Analysis of the Ransomware Attack on Skender Construction by Underground Team
Company Profile: Skender Construction
Skender Construction, officially known as Skender Construction Co., is a prominent player in the U.S. construction sector. Headquartered in Chicago, Illinois, with an additional office in Indianapolis, Skender stands out as one of the nation's top 100 construction firms. Founded in 1955, the company employs around 500 people and generates annual revenue between $100 million and $500 million. Skender is known for its innovative approach, leveraging technology such as CiraSync to improve operational efficiency, which saves its IT department over 1,500 hours annually.
Details of the Ransomware Attack
In 2024, Skender Construction was targeted by a cybercriminal group known as the Underground Team. The attackers deployed a ransomware strain that compromised the company's systems, leading to the exfiltration of 615.9GB of sensitive data. This data breach included a wide array of confidential materials such as architectural drawings, financial records, employee personal information, and more. The full extent of the leaked data has been published on the dark web, significantly compromising the privacy and security of both the company and its employees.
Profile of the Underground Team Ransomware
The Underground Team ransomware is a sophisticated 64-bit GUI-based application known for its aggressive tactics, including deleting backups, modifying registry settings, and halting critical services such as MSSQLSERVER. The ransomware enumerates system volumes through API calls and places ransom notes across multiple system folders. It employs strong encryption and selectively targets files and directories, skipping certain filenames and extensions so that the infection remains undetected for longer.
The primary infection vector for this ransomware is believed to be through phishing emails containing malicious attachments or links to compromised websites, exploiting human error or lack of awareness within targeted organizations.
Vulnerabilities and Industry Impact
Skender Construction's integration of technology, while beneficial for operational efficiency, also widens its exposure to cyber-attacks. The large volume of digital data the company handles, from project plans to personal employee information, makes it a lucrative target for ransomware. The construction industry, with its complex supply chains and often fragmented IT practices, is particularly susceptible to such disruptions, which highlights the need for stronger cybersecurity measures across the sector.
Sources:
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.