
RansomHub and RansomHouse: Unmasking the Culprits Behind Italy’s Attacks


Hackers have claimed responsibility for three major cyberattacks in Italy in the last 24 hours. The RansomHub and RansomHouse gangs allegedly carried out the ransomware assaults in Italy. RansomHub targeted the websites of Cloud Europe and Mangimi Fusco, while RansomHouse claimed responsibility for conducting a cyberattack against Francesco Parisi.

Italy's Ransomware Attacks

Cloud Europe is a Tier IV carrier-neutral data center based in Rome's Tecnopolo Tiburtino. According to the company's website, it specializes in data center architecture and management, focusing on security and service continuity. The company creates, hosts, and operates modular infrastructure for data centers in both the private and public sectors.

The Attacks

1. Cloud Europe: On June 29, 2024, RansomHub claimed responsibility for infiltrating the servers of Cloud Europe, a prominent Tier IV certified data center in Rome. The attackers allegedly encrypted the servers and exfiltrated 70 terabytes of data. Among the stolen information were 541.41 gigabytes of sensitive data, including client records, financial documents, and proprietary software.

2. Mangimi Fusco: The same day, RansomHub targeted Mangimi Fusco, an animal feed manufacturer. The group claimed to have stolen 490 gigabytes of confidential data, including client files, budget details, and payroll information. However, as of now, Mangimi Fusco’s website shows no signs of the reported attack, leaving room for skepticism.

3. Francesco Parisi: RansomHouse, another hacking collective, breached the website of Francesco Parisi, a group specializing in freight forwarding and shipping services. The attack occurred on May 29, 2024, and resulted in the theft of 150 gigabytes of company data. Francesco Parisi has acknowledged the breach and is working to restore normalcy while enhancing its cybersecurity defenses.

The Implications

These attacks raise critical questions about the state of cybersecurity readiness among Italian businesses:

Vulnerabilities: Despite advancements in security protocols, organizations remain vulnerable to sophisticated attacks. The ability of threat actors to infiltrate well-established data centers and corporate websites highlights the need for continuous vigilance.

Data Privacy: The stolen data contains sensitive information that could be exploited for financial gain or used maliciously. Companies must prioritize data privacy and invest in robust encryption, access controls, and incident response plans.

Business Continuity: When ransomware strikes, business operations grind to a halt. Cloud Europe’s experience serves as a stark reminder that even data centers, designed to ensure continuity, are not immune. Organizations must have contingency plans to minimize disruptions.

How to Stay Safe?

To safeguard against ransomware and other cyber threats, companies should consider the following strategies:

  • Regular Backups: Frequent backups of critical data are essential. These backups should be stored securely and tested periodically to ensure their integrity.
  • Employee Training: Human error often opens the door to cyberattacks. Regular training sessions can educate employees about phishing emails, suspicious links, and safe online practices.
  • Multi-Factor Authentication (MFA): Implementing MFA adds an extra layer of security, making it harder for unauthorized individuals to gain access.
  • Incident Response Plans: Organizations should develop comprehensive incident response plans that outline steps to take during a breach. Swift action can minimize damage and prevent data loss.

8Base Ransomware: Researchers Raise Concerns Over its Increased Activities


The 8Base ransomware group has kept a low profile, avoiding detection for over a year. However, a recent investigation into the group revealed a significant rise in its operations during May and June. The group has been active since at least March 2022. It labels itself as “simple pentesters,” suggesting a basic level of proficiency in penetration testing.

Details of the 8Base

According to research by Malwarebytes and NCC Group, as of May the ransomware group may have been linked to a total of 67 attacks. The manufacturing, construction, and business services industries together account for around half of the affected firms. The targeted firms are primarily located in the United States and Brazil, indicating a geographic focus by the threat group.

June saw a significant surge in ransomware activity. Notably, the offenders used a double extortion tactic, raising the stakes for their victims.

So far, 35 identified victims have been listed on the 8Base-affiliated dark web extortion site. On some days, as many as six companies have been posted as victims at once.

According to the VMware Carbon Black team, based on its recent activity, the similarity of its ransom notes and leak-site content, and identical FAQ pages, 8Base could well be a rebranding of the ‘RansomHouse’ ransomware group. RansomHouse, however, actively promotes its partnerships, while 8Base does not.

It is also noteworthy that the VMware researchers discovered a Phobos ransomware sample using the “.8base” file extension, indicating that 8Base could be a successor to, or is making use of, the existing ransomware strain.

The researchers concluded that the efficient operations of the 8Base ransomware group may continue to grow, which could mark the onset of a mature organization. However, it has not yet been made clear whether the group is based on Phobos or RansomHouse.

For now, there is speculation about 8Base's use of various ransomware strains, whether in earlier iterations or as a fundamental component of its typical mode of operation. What is clear is that the group is very active, with a concentration on smaller firms as a significant target.

ADATA: RansomHouse Cyberattack Result of a Leak of 2021 Data


Taiwanese chip manufacturer ADATA denies all allegations of a RansomHouse cyberattack, following the threat actors' posting of allegedly stolen data on the group's leak website.

Earlier this week, the RansomHouse gang added ADATA files to its data leak site, claiming to have taken 1TB worth of documents during a cyberattack in 2022. To demonstrate what they had taken, the threat actors posted samples of supposedly stolen files that appear to be from ADATA.

"Based on several technical methods of checking, we believe what Ransomhouse alleged was fake data and that it was stolen by Ragnar Locker in 2021, which is all confirmed by ADATA's spokesperson," said BleepingComputer in an email. 

ADATA implemented effective methods to provide strong security following the Ragnar Locker attack in 2021. Since then, no attack on ADATA has been successful, and no confidential information about ADATA was leaked. 

Comparing the timestamps of the data shared by RansomHouse with those of the data Ragnar Locker leaked in June 2021 shows that both sets of files carry similar timestamps, with none dated later than May 2021.
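The timestamp comparison above is a reusable verification step: if every file in a newly claimed leak predates an earlier published leak, and most of the sample's hashes already appeared in that earlier leak, the "new" breach is likely recycled data. The following is an added example (not from the article or from ADATA/BleepingComputer) that applies both checks to constructed file metadata; the paths, hashes and dates are illustrative placeholders, not values from either actual leak.

```python
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed metadata (path, content hash, last-modified UTC) standing in for
# what an analyst would extract from the two leak samples. Hashes are short
# placeholders, not real digests.
RAGNAR_LOCKER_2021 = [
    ("finance/q1_report.xlsx",  "h-a1", datetime(2021, 3, 12, tzinfo=UTC)),
    ("hr/payroll_apr.csv",      "h-b2", datetime(2021, 4, 30, tzinfo=UTC)),
    ("legal/nda_template.docx", "h-c3", datetime(2021, 5, 18, tzinfo=UTC)),
    ("eng/firmware_notes.txt",  "h-d4", datetime(2021, 5, 27, tzinfo=UTC)),
]
RANSOMHOUSE_SAMPLE = [
    ("finance/q1_report.xlsx",  "h-a1", datetime(2021, 3, 12, tzinfo=UTC)),
    ("hr/payroll_apr.csv",      "h-b2", datetime(2021, 4, 30, tzinfo=UTC)),
    ("eng/firmware_notes.txt",  "h-d4", datetime(2021, 5, 27, tzinfo=UTC)),
    ("misc/readme.txt",         "h-e5", datetime(2021, 5, 2, tzinfo=UTC)),
]
# Publication date of the earlier leak (constructed); files genuinely taken in a
# later breach would be expected to include material modified after this date.
RAGNAR_LOCKER_PUBLISHED = datetime(2021, 6, 1, tzinfo=UTC)


def assess_recycled_leak(claimed, prior, prior_published, min_overlap=0.5):
    """Score whether a newly claimed leak is recycled from an older one.

    Signal 1: the newest file in the new sample is no later than the prior
    leak's publication date, so nothing post-dates the earlier breach.
    Signal 2: a large share of the new sample's hashes already appeared in
    the prior leak. Both must hold for 'likely_recycled'.
    """
    newest = max(mtime for _, _, mtime in claimed)
    prior_hashes = {h for _, h, _ in prior}
    reused = [path for path, h, _ in claimed if h in prior_hashes]
    overlap = len(reused) / len(claimed)
    return {
        "newest_claimed_file": newest,
        "nothing_newer_than_prior_leak": newest <= prior_published,
        "hash_overlap": overlap,
        "reused_paths": reused,
        "likely_recycled": newest <= prior_published and overlap >= min_overlap,
    }


if __name__ == "__main__":
    verdict = assess_recycled_leak(RANSOMHOUSE_SAMPLE, RAGNAR_LOCKER_2021, RAGNAR_LOCKER_PUBLISHED)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

A sample containing even one file modified after the prior leak was published fails the first signal regardless of hash overlap, which is what distinguishes a fresh breach from reposted data.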

The company added that RansomHouse left no ransom notes on its servers that would demonstrate an attack had been conducted against them. RansomHouse maintains that it recently compromised ADATA in a data theft attack and that it has negotiated with the company regarding the stolen data.

RansomHouse - who are they? 


RansomHouse's extortion operation began in 2021 when it leaked the files of its first victim, the Saskatchewan Liquor and Gaming Authority (SLGA). Although the threat actors claim that they don't use any ransomware in their attacks, the White Rabbit ransom notes link the encryption attacks to RansomHouse.

Encryption has thus been a key part of RansomHouse attacks. Most recently, RansomHouse appears to have claimed responsibility for attacks on eight Italian municipalities. In that incident, files were encrypted with a .mario extension appended, and a ransom note greeting victims with "Buongiorno to my lovely Italy" appeared on affected computers.

The RansomHouse operation has also targeted other high-profile companies, such as AMD and Shoprite Holdings, one of Africa's largest supermarket chains, as well as large governments.