RansomHouse group has allegedly breached IPCA Laboratories
Healthcare and Pharma
Asia & Pacific
- RansomHouse group has allegedly breached IPCA Laboratories.
- The incident took place on 3 September 2022; the leak-site post lists the victim's status as 'encrypted' and has approximately 6000 views.
- Affected users may be targeted with phishing attacks.
- The leaked data could give other malicious actors the details needed to launch further ransomware attacks, exfiltrate data, and maintain persistence.
- Implement a strong password policy and enable MFA across all logins.
- Check for anomalies in the endpoints.
- Patch vulnerable and exploitable endpoints.
Analysis and Attribution
Information from the Post
- On 3 September 2022, the RansomHouse group published a post on their PR (leak) site advertising data from IPCA Laboratories. IPCA Laboratories is an Indian pharmaceutical multinational headquartered in Mumbai and founded in 1949.
- A total of 0.5 TB of data was exfiltrated, and the victim's status is tagged as 'encrypted'.
- A sample containing sensitive information such as employee PII, client folders, audit documents, and doctor profiles was provided to substantiate the claim.
- Another file, titled 'IT Services details', was found to have been created on 01/29/2020 by Rajesh Nawale and last modified on 30 August 2022, indicating the likely infiltration date.
[Figure: RansomHouse allegedly claims to have breached IPCA Laboratories]
- RansomHouse was first observed in early June 2022 and has targeted approximately 10 victims so far.
- When they first appeared in May, they claimed to be mediators with no responsibility for attacking any entity; they presented themselves merely as an extortion marketplace.
- Discussions have also emerged hinting that RansomHouse is possibly a rebranding of Hive, because the two groups' user interfaces are identical.
- One initial-access technique the group itself claims to use to gain a foothold in an organization is compromising weak passwords.
Threat Actor Activity and Rating
Threat Actor Profiling
- High, given that there are no complaints of the group being scammers.
- Emerged as an extortion marketplace.
- C2 (C: Fairly reliable; 2: Probably true.)
[Figure: Data sample shared by the RansomHouse group]
[Figure: Speculation around the motivation of RansomHouse and its correlation with Hive]
[Figure: Sample folder shared by the threat actor]