RansomHub Gang Connected to Halliburton Attack Disclosed in SEC Filing

Date: August 30, 2024


The RansomHub ransomware gang is reportedly responsible for a significant cyberattack on Halliburton, a major player in the oil and gas services industry.  

The attack, which occurred on August 21, 2024, severely disrupted Halliburton's IT systems and business operations. The impact was widespread, with customers unable to generate invoices or purchase orders due to downed systems, causing significant operational delays.

Halliburton disclosed the attack in a recent SEC filing, acknowledging that an unauthorized third party had gained access to their systems. In response, the company activated its cybersecurity response plan, involving both internal investigations and external advisors to assess and mitigate the breach.  

Despite these measures, Halliburton has released very few details about the incident, leaving customers uncertain about the extent of the damage and how it might affect them. BleepingComputer reports that this lack of communication has led some customers to sever connections with Halliburton, as they struggle to determine their own exposure.

Amidst these uncertainties, other companies within the oil and gas sector have sought guidance from the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC), which coordinates responses to physical and cybersecurity threats in the industry. These companies are seeking technical information to ascertain if they too have been breached.

Speculation about the involvement of the RansomHub ransomware gang in the attack emerged on platforms like Reddit and TheLayoff, where users shared details, including a partial ransom note.  

When contacted, Halliburton refrained from commenting further, stating that any additional information would be communicated through official channels. However, an email from Halliburton to its suppliers, dated August 26 and shared with BleepingComputer, provided some additional insights.

The company confirmed that it had proactively taken certain systems offline to protect them and was working with a cybersecurity firm to investigate the incident. Halliburton also reassured recipients that their email systems, hosted on Microsoft Azure, remained operational and that a workaround was available for issuing purchase orders.

The email included indicators of compromise (IOCs), such as file names and IP addresses linked to the attack, to help customers detect similar activities on their networks.  

One notable IOC was a Windows executable named "maintenance.exe," identified as a RansomHub ransomware encryptor. Analysis of this file revealed it to be a newer version, featuring a command-line argument that allows the execution of commands before encrypting files.
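The supplier email's value to customers was the IOC list: a file name and IP addresses they could match against their own telemetry. The script below, an added example that is not part of the article or of Halliburton's email, shows one way to run such a list over process-creation and network-connection records. Only the file name "maintenance.exe" comes from the report; the IP address, the SHA-256 value, the log format and the log lines are constructed placeholders for this example. Because a bare file name is a weak indicator (any vendor may ship a binary called maintenance.exe), a name-only hit is rated medium and a hash or IP hit high, so analysts can triage hits in the right order.

```python
import ipaddress
import ntpath
import re

# Indicators to hunt for. "maintenance.exe" is the file name reported in the
# Halliburton supplier email; the IP address and SHA-256 are CONSTRUCTED
# placeholders for this example, not indicators from the report.
IOCS = {
    "file_names": {"maintenance.exe"},
    "ips": {ipaddress.ip_address("203.0.113.45")},   # placeholder, TEST-NET-3 range
    "sha256": {"a" * 64},                             # placeholder hash
}

# Constructed sample events in a simplified key=value format loosely modelled on
# EDR / Sysmon process-creation and network-connection records.
SAMPLE_LOGS = [
    'ts=2024-08-21T03:12:07Z event=process_create host=ws-014 '
    'image="C:\\Windows\\Temp\\MAINTENANCE.EXE" sha256=' + "a" * 64,
    'ts=2024-08-21T03:12:09Z event=network_connect host=ws-014 '
    'image="C:\\Windows\\Temp\\MAINTENANCE.EXE" dst_ip=203.0.113.45 dst_port=443',
    'ts=2024-08-21T03:15:00Z event=process_create host=srv-02 '
    'image="C:\\Program Files\\Vendor\\maintenance.exe" sha256=' + "b" * 64,
    'ts=2024-08-21T03:16:30Z event=process_create host=srv-02 '
    'image="C:\\Windows\\System32\\svchost.exe" sha256=' + "c" * 64,
    'ts=2024-08-21T03:17:02Z event=network_connect host=srv-02 '
    'image="C:\\Windows\\System32\\svchost.exe" dst_ip=not-an-ip dst_port=80',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def match_event(ev):
    """Return (severity, indicator_type, value) tuples for every IOC hit in one event."""
    hits = []
    image = ev.get("image", "")
    # ntpath handles Windows separators regardless of the host OS; compare
    # case-insensitively because NTFS file names are case-insensitive.
    name = ntpath.basename(image).lower()
    if name in IOCS["file_names"]:
        # A bare file name is a weak indicator, so it rates medium unless the
        # hash or a network indicator corroborates it.
        hits.append(("medium", "file_name", name))
    digest = ev.get("sha256", "").lower()
    if digest in IOCS["sha256"]:
        hits.append(("high", "sha256", digest))
    dst = ev.get("dst_ip")
    if dst:
        try:
            if ipaddress.ip_address(dst) in IOCS["ips"]:
                hits.append(("high", "ip", dst))
        except ValueError:
            pass  # malformed address in the log: skip rather than abort the scan
    return hits


def scan(lines):
    """Scan log lines; return a list of (line_no, host, severity, type, value)."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        for sev, kind, val in match_event(ev):
            findings.append((n, ev.get("host", "?"), sev, kind, val))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print("line %d host=%s [%s] %s=%s" % f)
```

Run against the constructed sample, the scan reports five hits: two on ws-014 for the first event (name and hash), two for its outbound connection (name and IP), and a single medium-severity name-only hit on srv-02 that warrants a look at the binary's hash before anyone declares an incident. The malformed address on the last line is skipped rather than crashing the run, which matters when the same logic is pointed at months of real logs.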

Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report, RansomHub operates as a RaaS platform that emerged on the cybercrime scene in early 2024. The group was at first suspected of being tied to LockBit, but its code is based on that of the now-defunct Knight ransomware group, which is written in Golang. The Knight group was observed putting the code up for sale in February 2024.

RansomHub has quickly garnered attention due to its impactful attacks and sophisticated approach to ransomware deployment. RansomHub affiliates get to keep as much as 90% of ransom proceeds.  

The group also claims to enforce a strict policy: affiliates must honor the agreements made with victims during negotiations, or they will be permanently banned.

RansomHub has developed its RaaS capabilities leveraging advanced techniques and benefiting from the dissolution of other ransomware groups. This includes attracting affiliates from other disbanded groups, thereby strengthening their operational capacity.

RansomHub has rapidly grown to become one of the most active ransomware groups since its appearance in early 2024. By the end of Q2, it was responsible for many attacks across various sectors.

RansomHub has invested in recruiting former affiliates from other ransomware groups and maintains a versatile and updated codebase, indicating a well-funded operation with a focus on growth and sustainability.

The group has made substantial ransom demands, evidenced by the $22 million demanded from Change Healthcare. This indicates their focus on targeting large organizations with the capacity to pay significant ransoms.

RansomHub initially focused on the healthcare sector, which indicates highly strategic target selection given the high value and sensitive nature of healthcare data. Notable victims include Change Healthcare, Kovra, Computan, Scadea Solutions, Christie’s Auction House, NRS Healthcare, and Frontier Communications.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.