RansomHouse group has allegedly breached IPCA Laboratories

RansomHouse group has allegedly breached IPCA Laboratories. The incident took place on 3 September 2022; the victim's current status is listed as encrypted, and the post has approximately 6000 views.
Updated on: July 16, 2025
Published on: November 14, 2022
Reading time: 5 minutes
Category: Adversary Intelligence
Industry: Healthcare and Pharma
Country: Asia & Pacific
Source*: C2

Executive Summary

Threat
  • RansomHouse group has allegedly breached IPCA Laboratories.
  • The incident took place on 3 September 2022; the victim's current status is listed as encrypted, and the post has approximately 6000 views.

Impact
  • Phishing attacks against affected users.
  • Could equip malicious actors with the details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.

Mitigation
  • Implement a strong password policy and enable MFA across logins.
  • Check for anomalies on endpoints.
  • Patch vulnerable and exploitable endpoints.

Analysis and Attribution

Information from the Post

  • On 3 September 2022, RansomHouse group published a post on their PR site advertising the data of IPCA Laboratories. IPCA Laboratories is an Indian pharmaceutical multinational headquartered in Mumbai and founded in 1949.
  • A total of 0.5 TB of data was exfiltrated and the status of the victim is tagged as ‘encrypted’.
  • A sample was provided to substantiate their claims with sensitive information such as employee PII, client folders, audit documents, and doctor profiles.
  • Another file, titled ‘IT Services details’, was found to have been created on 01/29/2020 by Rajesh Nawale and last modified on 30 August 2022, indicating the likely infiltration date.
[Figure: RansomHouse allegedly claims to have breached IPCA Laboratories]
  • RansomHouse was first observed in early June 2022 and has targeted approximately 10 victims so far.
  • When they first emerged in May, they claimed to be mediators who bore no responsibility for attacking any entity; they presented themselves merely as an extortion marketplace.
  • Discussions have even emerged hinting that RansomHouse is possibly a rebranding of Hive, because the two groups' user interfaces are identical.
  • One of the techniques the group itself claims to use to gain an initial foothold in an organization is compromising weak passwords.

Threat Actor Activity and Rating

Threat Actor Profiling
Active since: May 2022
Reputation: High, given that there are no complaints of the group being scammers.
Current Status: Active
History: Emerged as an extortion marketplace.
Rating: C2 (C: Fairly reliable; 2: Probably true.)

Appendix

[Figure: Data sample shared by the RansomHouse group]
[Figure: Speculations around the motivation of RansomHouse and its correlation with Hive]
More samples
[Figure: Sample folder shared by the threat actor]
